ACE Privacy and Network Security Liability Supplemental Application

ACE INA Insurance
1400 – 25 YORK STREET
TORONTO, ONTARIO,
CANADA
M5J 2V5
ACE Privacy and Network Security Liability
Supplemental Application
For ACE Express Private Company
Renewal Application
COMPLETE THIS APPLICATION ONLY IF REQUESTING COVERAGE FOR PRIVACY LIABILITY, NETWORK
SECURITY LIABILITY, OR DATA BREACH FUND COVERAGE. Please submit with a completed Policy Application.
Please complete in ink. A principal must sign both the supplement and the Policy Application.
THIS APPLICATION IS FOR A CLAIMS-MADE INSURANCE POLICY
INSTRUCTIONS
Completion of this application may require input from your organization’s risk management, legal, finance, information
technology, or privacy departments. This supplemental application should be completed with the assistance of the Chief
Security Officer and the Chief Information Officer or Chief Privacy Officer. Additional space may be needed to provide
complete answers.







Please type or print answers clearly.
Answer ALL questions completely, leaving no blanks. If any questions do not apply, print “N/A” in the space.
Provide any supporting information on a separate sheet using your letterhead with reference to the application.
Check Yes or No to answers prompting such a reply.
Please submit a copy of the privacy policy currently in use.
This form must be completed, dated and signed by an authorized officer of your company.
Underwriters will rely on all statements made in this application. This information is required to make an
underwriting and pricing evaluation. Your answers hereunder are considered material to that evaluation.
I. General Information
Name of Applicant:
Address:
Applicant’s Website:
Gross Revenues:
II. Privacy and Network Security Liability Coverage Section
1. Has Applicant ever been declined for Privacy, Network Risk, or Media Liability insurance, or had
an existing policy cancelled?
Yes
No
2. Has Applicant ever sustained a systems intrusion, tampering, virus or malicious code attack, loss
of data, hacking incident, data theft or similar?
Yes
No
Please describe:
3. In the last five years has your company experienced any claims that would have been tendered
for coverage under the Privacy and Network Security Policy that is the subject of this application
had it been in effect at the time of the claim? If yes, please attach a complete summary.
Yes
No
During the last five years:
4. Has anyone associated with Applicant (customer, client, vendor, contractor, business associate,
employee, director or officer, etc.) alleged that their personal information was compromised by
the Applicant or its vendor?
Yes
No
5. Has Applicant notified customers that their information was or may have been compromised as a
result of its activities?
Yes
No
6. Has an employee ever been disciplined for mishandling data or otherwise tampering with
Applicant’s computer network?
Yes
No
PEO-37102 (12/14)
© 2014
Page 1 of 5
RECORDS AND INFORMATION MANAGEMENT
1. What sensitive information does Applicant handle, manage, store, destroy or otherwise control?
(Please check all that apply and provide the approximate number of records.)
Social Insurance Numbers:
Medical Records:
Credit/Debit Card Numbers:
Healthcare Records:
Drivers License Numbers:
Credit History and Ratings:
Government ID Numbers:
Intellectual Property of Others:
Financial Account Numbers:
Other:
TOTAL NUMBER OF RECORDS:
2. Has Applicant’s senior executive or Board of Directors established enterprise-wide
responsibility for records and information management compliance with an individual manager?
Yes
No
3. Does an enterprise-wide policy covering records and information management compliance
exist within Applicant?
Yes
No
4. Does Applicant have a formal Incident Response Plan for determining the severity of a
potential data security breach and providing prompt notification to all individuals who may be
adversely affected by such exposures?
Yes
No
5. Does Applicant have a formal Written Information Security Program for the implementation,
maintenance and monitoring of sensitive personal information in your care, custody or control?
Yes
No
6. Does Applicant’s information asset classification program include a data classification standard
(e.g., public, internal use only, confidential)?
Yes
No
7. Does Applicant post a privacy policy on its Internet website that has been reviewed by a
qualified attorney?
Yes
No
8. Does Applicant sell or share individual subscriber or user identifiable information with other
internal or external entities?
If yes, please describe:
Yes
No
9. Has Applicant identified all relevant regulatory and industry-supported compliance frameworks
that are applicable to it?
Yes
No
10. Has Applicant ensured that all sensitive business/consumer information that:
a. Is transmitted is encrypted using industry-grade mechanisms?
Yes
No
b. Resides within Applicant’s systems is encrypted while “at-rest”?
Yes
No
c. Is physically transmitted – via tape or any other medium – is encrypted?
Yes
No
11. For computer equipment that leaves Applicant’s physical facilities (e.g., mobile laptops, PDAs,
BlackBerrys, and home-based desktops), has Applicant implemented strong access control
requirements and/or hard drive encryption to prevent unauthorized exposure of company data
in the event these devices are stolen, lost or otherwise unaccounted for?
Yes
No
Please describe:
12. Does Applicant follow established procedures for:
a. Carrying out and confirming the destruction of data residing on systems or devices prior to
their recycling, refurbishing, resale, or physical disposal?
Yes
No
b. Carrying out and confirming the destruction of sensitive information in electronic and paper
form prior to recycling or physical disposal?
Yes
No
c. Both “friendly” and “adverse” employee departures that include an inventoried recovery of
all information assets, user accounts, and systems previously assigned to each individual
during their full period of employment?
Yes
No
13. Does Applicant’s security awareness program include mandatory classes with measured
testing for all employees that may be expected to access, handle or process sensitive customer
data as part of their assigned job responsibilities?
Yes
No
14. Does Applicant conduct regular reviews of your third-party service providers and partners to
ensure that they adhere to your contractual and/or regulatory requirements for the protection of
sensitive business/customer data that you entrust to their care for processing, handling, and
marketing purposes?
Yes
NA
No
15. Do contracts with third-party service providers include indemnity provisions that protect
Applicant from any liability arising out of their loss of Applicant’s sensitive information?
Yes
No
16. Has Applicant configured its Internet-facing Web sites and related systems so that no sensitive
customer data resides directly on these systems?
Yes
No
17. Has Applicant configured its network to ensure that access to sensitive customer data is limited
to properly authorized requests to internal databases/systems that are otherwise fully protected
against Internet access?
Yes
No
NETWORK OPERATIONS
A. Security Management
1. Has a network security assessment or audit been conducted within the past 12 months?
Yes
No
If yes, when was the last audit completed?
(Please attach copy of audit.)
2. Does Applicant deploy the following technologies/processes in your environment?
a. Periodic intrusion detection, penetration or vulnerability testing
Yes
No
b. Firewall technology used at all Internet points-of-presence
Yes
No
c. Antivirus software on all desktops, portable computers and mission critical servers
Yes
No
d. Antivirus applications updated in accordance with the software provider’s requirements
Yes
No
e. Patches implemented on network appliances (routers, bridges, firewalls, etc.) to mitigate
current vulnerabilities
Yes
No
f. Systems backed up on a daily (or more regular) basis
Yes
No
g. Testing of data recovery and restoration procedures
Yes
No
3. Does Applicant actively maintain system logs on all mission-critical servers and appliances?
Yes
No
Are logs regularly checked for irregularities, intrusions or violations?
Yes
No
4. Are documented procedures in place for user and password management?
Yes
No
5. Does Applicant have a written disaster recovery and business continuity plan for your network?
Yes
No
When was the plan last tested? ____________________________________
6. Does Applicant’s hiring process require a full background check (Criminal, Educational, Drug,
and Work History)?
Yes
No
7. Are formal processes in place to ensure that network privileges are revoked in a timely manner
following an employee’s termination or resignation?
Yes
No
8. Does Applicant run any software or hardware that is no longer supported or has been identified
as end-of-life support by the software or hardware vendor?
Yes
No
B. Third Party Service Providers
Please identify third party vendor(s) providing any of the following services, including the number of records in
their care, custody or control.
Name of Provider
Number of Records
Internet Service/Access:
Website Hosting:
Collocation Services:
Managed Security Services:
Hosted Electronic Health Records:
Outsourcing Services:
Credit Card Processors:
Other (e.g. HR, POS):
C. Payment Card Industry Data Security Standard (PCI DSS)
1. Is Applicant subject to the Payment Card Industry Data Security Standard?
Yes
No
If yes, what level requirement?
1
2
3
4
Please complete the Point of Sale Retail Supplemental Application
D. Cloud Service Providers
1. Does Applicant utilize a third party cloud service provider?
Yes
No
If yes, please complete the Cloud Service Providers Supplemental Application
III. Warranty Section
None of the Insureds has knowledge of any Wrongful Act or fact, circumstance or situation which (s)he has reason to
suppose might give rise to any future Claim, except as follows: Details Attached
If “NONE”, Please check this box:
Without prejudice to any other rights and remedies of the Insurer, it is agreed by all concerned that if any such Wrongful
Act, fact, circumstance, or situation exists, whether or not disclosed above, any such Claim arising from such Wrongful
Act, fact, circumstance, or situation shall be excluded from coverage under the proposed Policy.
This Supplemental Application shall be maintained on file by the Insurer, shall be deemed attached as if physically
attached to the proposed Policy and shall be considered as incorporated into and constituting a part of the Application and
the proposed Policy.
The undersigned agrees that if after the date of this Application and prior to the effective date of any Policy based on this
Application, any occurrence, event or other circumstance should render any of the information contained in this
Application inaccurate or incomplete, then the undersigned shall notify the Insurer of such occurrence, event or
circumstance and shall provide the Insurer with information that would complete, update or correct such information. Any
outstanding quotations may be modified or withdrawn at the sole discretion of the Insurer.
FALSE INFORMATION/FRAUD WARNING STATEMENT
NOTICE TO ALL APPLICANTS:
ANY PERSON WHO KNOWINGLY AND WITH INTENT TO DEFRAUD ANY INSURANCE COMPANY OR ANOTHER
PERSON, FILES AN APPLICATION FOR INSURANCE OR STATEMENT OF CLAIM CONTAINING ANY MATERIALLY
FALSE INFORMATION, OR CONCEALS INFORMATION FOR THE PURPOSE OF MISLEADING, COMMITS A
FRAUDULENT INSURANCE ACT, WHICH IS A CRIME AND MAY SUBJECT SUCH PERSON TO CRIMINAL AND
CIVIL PENALTIES.
Other Information
1. The undersigned declares that to the best of his/her knowledge the statements herein are true. Signing of this
Application does not bind the undersigned to complete the insurance, but it is agreed that this Application shall be the
basis of the contract should a Policy be issued, and this application will be attached to and become a part of such
Policy, if issued. Insurer hereby is authorized to make any investigation and inquiry in connection with this Application
as they may deem necessary.
2. It is warranted that the particulars and statements contained in the Application for the proposed Policy and any materials
submitted herewith (which shall be retained on file by Insurer and which shall be deemed attached hereto, as if
physically attached hereto), are the basis for the proposed Policy and are to be considered as incorporated into and
constituting a part of the proposed Policy.
3. It is agreed that in the event there is any material change in the answers to the questions contained herein prior to the
effective date of the Policy, the applicant will notify Insurer and, at the sole discretion of Insurer, any outstanding
quotations may be modified or withdrawn.
4. It is agreed that in the event there is any misstatement or untruth in the answers to the questions contained herein,
Insurer has the right to exclude from coverage any claim based upon, arising out of or in connection with such
misstatement or untruth.
Name:
Title:
Signature:
Date:
(Principal, Partner, or Officer)
Note:
This application must be reviewed, signed and dated by a principal, partner or officer of the applicant entity.
For purposes of creating a binding contract of insurance by this application or in determining the rights and
obligations under such contract in any court of law, the parties acknowledge that a signature reproduced by
either facsimile or photocopy shall have the same force and effect as an original signature and that the original and
any such copies shall be deemed one and the same document.