Revenue Amount

Geography    | Last Complete Year (Actual) | Current Year (Estimate) | Next Year (Estimate)
UK / Europe  | 709.812.340                 | 711.585.028             | 780.000.000
1 of 24
Copyright © 2019 AIG Europe Limited - All rights reserved
Please state the number of data records currently processed/stored in the following categories:

Sensitive Personal Information: none
Payment Card Information: none
Financial Account Information: none
Employee Personal Information: none
Please confirm which of the following definitions is closer to your organization (please flag all answers which apply)
General (All business that does not fit in a category below, including Construction and Agriculture)
Financial
Pharma and Food ✔
Manufacturing Automotive
Transport & Logistics ✔
Airlines
Wholesales ✔
Retail
Hospitality
Media
Professional Services
IT & Telco
Healthcare
Energy & Utilities
Construction
Software & IT Products
Education
Public Administration
Mining
Please describe your cyber exposure and IT structure risk by answering the following questions:
Executive Support
1 Reporting Lines
Cyber security staff has no ability to raise topics directly to the top management.
At board level, at least one responsible person for cyber security has been identified. ✔
2 Reporting Schedule
Cyber security topics are never reported to the top-management.
Metrics and KPIs are adjusted and improved frequently to fully capture all dependencies to the business operation.
3 Top Level Support
Cyber security is not a top-level management topic.
The Top-Management sees cyber security as a purely IT topic.
The picture gained during the risk dialogue suggests that senior management needs further education to understand cyber risk and best management practices in this regard.
Clearly identified cyber security roles are assigned to IT personnel, while not having any dedicated personnel yet.
✔
A single cyber security professional has been appointed within the IT organization. The executed tasks focus mainly on establishing a good "cyber hygiene" across the enterprise.
No formal policies and/or procedures that address cyber security have been implemented.
A simple policy that outlines the approach toward cyber security is in place. Procedures are mostly ad-hoc.
✔
A policy / procedure framework, focusing on user awareness and cyber hygiene is in place.
A good policy / procedure framework, addressing all security domains, aligned to well-known standards (ISO, NIST) is in place.
Areas like BCM/DRP and Crisis Management are sufficiently addressed as well.
3 Continuous Improvement Process
An initial security program has been established and it is currently being executed.
The initial security program was executed and successfully implemented. A follow-on program is currently being developed.
Good governance for the core of the enterprise, including the internal IT, as well as the business side, is in place.
Governance, addressing internal, as well as outsourced and supply-chain security, has been established.
Cyber security is addressed in an ad-hoc way. No standards are being followed.
1 Vulnerability Management
No vulnerability management capability is present.
The vulnerability management capability is well defined. Strong, pro-active processes are in place.
Processes are measured and controlled.
Processes are measured and controlled, with strong focus on continuous improvement.
Penetration tests are conducted as a regular part of the Software Development Life Cycle (SDLC).
3 Patch Management
Patches / Updates are not being installed.
Patches are rolled out within 4 weeks across the whole enterprise.
Patches are rolled out within 1 week across the whole enterprise.
4 Change Management
Change management is not present. ✔
Changes are implemented ad-hoc.
Identities and access rights are provided within an informal process via email.
Infosec Technology
Detailed and granular network segmentation is in place.
NAC is in place.
A basic Web Application Firewall functionality is provided by the firewall. However, more sophisticated attacks will most probably not be detected.
4 Endpoints
No Endpoint protection present.
A next-generation AV is in place.
5 Remote Access
No dedicated remote access security controls in place.
Dual Factor Authentication is implemented for all remote access users.
7 DDoS Protection
No DDoS Protection is in Place.
The risk from DDoS attacks has been evaluated as not relevant.
A CDN is used.
No Cyber Threat Intelligence feeds are being consumed. ✔
Cyber Threat Intelligence is consumed in an ad-hoc, unstructured manner.
Cyber Threat Intelligence feeds, both Open Source Intelligence and paid, are in use in an unstructured manner.
Cyber Threat Intelligence feeds, both Open Source Intelligence and paid, are in use in a structured manner.
Cyber Threat Intelligence is being fed into the security operations capability automatically.
Cyber Threat Intelligence feeds, both Open Source Intelligence and paid, are in use in a structured manner.
Intelligence is being integrated into the security operations capability automatically, and defenses are updated in a dynamic manner.
2 Monitoring
No security monitoring capability is present.
Changes are incorporated into the monitoring as part of the configuration management process.
All systems & services, across the enterprise, including OSPs, are monitored.
Security operations are part of IT operations. No dedicated resources are present.
A Security Operation Center (or Threat Hunting) capability is available during working hours. ✔
A Security Operation Center (or Threat Hunting) capability is available 24/7.
The Security Operation Center (or Threat Hunting) capability covers OSPs.
The Security Operation Center (or Threat Hunting) capability covers both IT and OT.
A strong backup plan, using clear RPOs and covering all aspects of the enterprise, is being executed.
Restore/Recovery has never been tested.
Security incidents are handled on an ad-hoc basis by the available (not security specific) staff. ✔
A simple IR process is present, and incidents are handled with dedicated IR staff.
A strong IR process is present, covering all incident scenarios across the enterprise.
Additionally, an Incident Response Orchestration capability is present.
3 IT Emergency Planning
No IT emergency plan present.
Cyber crises are exercised regularly with other partners (e.g. industry peers, government, IT providers, etc.).
5 Cyber Resilience of Business Processes / BCM
No cyber resilience capability present. ✔
The cyber resilience capability is very limited, resulting in basic backup and restore capabilities.
The cyber resilience capability is modeled around business requirements via business impact analysis.
RTOs and RPOs are well defined.
1 User Awareness
No user awareness program present.
Cyber risks are part of the enterprise staff training program at least once a year. ✔
A dedicated cyber user awareness program, spanning several modules, is in place.
Additionally, micro trainings on specific topics are offered in a very timely manner.
2 Admin/Dev Awareness
No special group user awareness program present.
Admins and/or developers are subject to tailored awareness programs, focusing on their privileged access to IT systems.
Training success feedback (e.g. exercises, capture the flag, etc.) is provided routinely.
3 External Personnel
No dedicated external personnel training framework in place.
5 Personnel selection
No personnel selection framework present. ✔
OT Security
1 Patching
No OT patching process established. ✔
The OT environment is patched infrequently.
2 Segmentation / Isolation
No OT segmentation / isolation present. ✔
The OT environment is in a flat network.
The OT environment is separated from the rest of the enterprise (IT) network by a switch.
The OT environment is separated from the rest of the enterprise (IT) network by a firewall.
The OT environment is separated into several domains / networks.
3 Remote Maintenance
No OT remote maintenance security controls present. ✔
Dial-up connections, with non-default usernames / passwords are present.
Log files are being stored and are available for analysis.
OT Log information and OT security event information are fed into a SIEM solution.
5 Malware Protection
No OT malware protection in place. ✔
A Traditional AV solution is deployed onto the OT endpoints.
USB ports are blocked / monitored.
1 Developer training
No dedicated developer training present. ✔
Developers are trained in securing the artefacts of their work appropriately.
The development tools actively guide the developers in coding more securely.
2 Environment Protection
No dedicated development environment security controls present.
Test cases are developed and defined against the requirements and tests are executed as part of the release cycle.
Comprehensive (and tailored) Security Requirements are defined as part of the SDLC.
Code reviews / code scans are conducted continuously and instant feedback is provided to the developer.
5 Integration in Business
The topic of business integration was not discussed in detail.
1 Privacy by Design
The concept of privacy by design is not implemented.
Privacy by design is being addressed from a forward-looking perspective for all new systems. ✔
Existing systems are being left unchanged.
Existing systems are being looked at as part of a major refresh / renewal process.
Privacy by design has been implemented through all systems, and is being maintained proactively.
2 Procedure Log
No procedure log has been implemented.
A procedure log has been implemented but does not completely cover all processes. ✔
A procedure log has been implemented in the past but was not maintained and is thus outdated.
Data subject information requests are dealt with in a structured manner, based on a predefined process.
The process is covering most areas of the enterprise / most business units.
The process is covering all areas of the enterprise / all business units.
Data deletion requests are dealt with in a structured manner, based on a predefined process.
This process is covering most areas of the enterprise / most business units.
This process is covering all areas of the enterprise / all business units.
OSP Management
There is a complete inventory of all OSPs with a description of their services and their dependencies with internal processes, and the data flow is identified.
Risks coming from OSPs are identified and red flags are reported to general risk management.
Mitigation plans are established and executed for high risks.
Relevant security requirements are covered in some agreements with third parties involving accessing, processing or managing the organization's information or services.
A specific clause is included for the right to audit the provider and verify security controls.
Security awareness training is completed by all OSP personnel involved.
Third parties may only obtain access to data or systems where agreed by the application owner.
Intrusion detection and prevention systems are deployed on network interfaces to third-party networks.
Service definitions and delivery levels are in line with business requirements.
Reporting is provided and service performance levels are monitored regularly to check adherence to the agreements.
Changes to third party provided services are reviewed to ensure changes do not compromise the security of company data.
Contingency processes are in place to ensure continuity in the event of a third party failing to provide a service.
Also, a liability clause is included for all critical OSPs.
If 'Yes':
a. Are you fully compliant with EMV card processing standards? Yes / No
b. Do your POS systems have anti-tampering features? Yes / No
c. Please describe the encryption and/or tokenisation process of data flowing through your POS network, including whether point-to-point encryption is used:
d. Do changes to individual files on the POS system create alerts in real time? Yes / No
e. Do changes to the POS systems require formal approval prior to implementation? Yes / No
f. Are your POS devices regularly scanned for malware or skimming devices? Yes / No
g. How often is your POS network assessed by a 3rd party?
h. Did your last POS network assessment highlight any critical or high-level vulnerabilities? Yes / No
   If Yes, have these been remediated? Yes / No
i. Is your POS system developed and maintained by a PA-DSS compliant vendor? Yes / No
j. Have all vendor-provided default passwords been changed? Yes / No
k. Please describe how you segregate your POS and corporate networks:
l. Is all user activity on the network monitored? Yes / No
m. Is payment transaction log data collected and reviewed on a regular basis? Yes / No
If 'Yes', has this been tested within the last 12 months? Yes / No
3. During the last 5 years, have you suffered from any of the following?
The unauthorised disclosure or transmission of any confidential information for which you are responsible: Yes / No
Any intrusion of, unauthorised access to, or unauthorised use of your computer system: Yes / No
Any accidental, negligent or unintentional act or failure to act by an employee or an employee of any third party service provider whilst operating, maintaining or upgrading your computer system: Yes / No
The suspension or degradation of your computer system: Yes / No
Your inability to access data due to such data being deleted, damaged, corrupted, altered or lost: Yes / No
Receipt of an extortion demand or security threat: Yes / No
Receipt of a claim in respect of any of the above: Yes / No
Any formal or official action, investigation, inquiry or audit by a regulator arising out of your use, control, collection, storing, processing or suspected misuse of personal information: Yes / No
If ‘Yes’ to any of the above, please provide full details:
Declaration
It is declared that, to the best of the knowledge and belief of the insured after enquiry, the statements and responses set out herein are true and accurate. The insured understands that it is under a duty to make a fair presentation of the risk to the insurer, and that all material circumstances that the insured is aware of or ought to be aware of have been disclosed to the insurer, or failing that, sufficient information to put a prudent insurer on notice that further enquiries are needed.
The insured understands that non-disclosure or misrepresentation of a material fact or matter may impact
the terms of the policy or impact whether the policy responds in whole or in part to a claim.
The insured undertakes to inform the Insurers of any material alteration to the information provided herein
or any new fact or matter that arises which may be relevant to the consideration of the proposal for
insurance.
Signed
Title
Organisation
Date