Page 102 - Commercial - Underwriting Mandates & Guidelines Binder
CYBER LIABILITY
1. GENERAL
1.1 This section provides comprehensive first- and third-party coverage with an expert incident response process and is designed for small to medium enterprises.
1.2 It covers the resultant costs and damages from a privacy breach or a network security breach.
1.3 Broader than the name "cyber" would imply, a cyber policy extends to cover numerous incidents including but not limited to:
• Cyber extortion and malware (viruses, ransomware, or publishing of stolen data);
• Denial of service (disruption to operations) attacks;
• Downstream attacks (a compromise of client environments resulting in damages to others);
• Hacking;
• Insider and privilege misuse (unauthorised access and use of systems and data by employees and service providers);
• Physical theft and loss (both devices and physical hard-copy data);
• Threats posed by third-party access into a client environment.
1.4 All claims are handled by the iTOO Specialist Liability claims handler, who must be notified immediately upon receipt of a claim. The incident response process document can be found on the HI Binder Portal.
2. UNDERSTAND THE RISK
2.1 Who do we cover?
2.1.1 Companies with an annual turnover below R250 000 000 (two hundred and fifty million rand).
2.1.2 The company must not trade outside RSA.
2.1.3 The company must not store or process more than 100 000 (one hundred thousand) payment cards (debit and credit cards) per year.
2.1.4 The company must comply with the following minimum security controls:
• next-generation anti-virus/anti-malware;
• processes to apply security-related patches/updates within 3 (three) months of release;
• outdated software which is no longer supported by the software provider is not accessible from external networks;
• password controls including:
  - length of at least 10 (ten) characters;
  - use of passwords not reasonably deemed easily guessable;
  - account lockout after at most 10 (ten) failed authentication attempts;
  - passwords prevented from being reused for at least 5 (five) password changes;
• default installation/administration account passwords changed from the default and, where possible, such accounts disabled, deleted or renamed;
• administrative/remote access interfaces such as remote desktop protocol (RDP) accessible exclusively over secured channels, e.g. a virtual private network (VPN);
• physical access to server rooms/sensitive processing facilities restricted;
• Sensitive System activity logs stored for at least 6 (six) months;
• backup and recovery procedures for Sensitive Systems and Sensitive Data including:
  - weekly backup generation;
  - monitoring for successful backup generation; and
  - testing the ability to restore from backups at least every 6 (six) months.
Commercial Underwriting Mandates and Guidelines – Binder – Version 4 2022