Page 104 - Policy Wording - Hollard Business Binder (2020-08-26)
Cyber Liability
1. GENERAL
1.1 This section is designed for small to medium enterprises.
1.2 It provides cover for the resultant costs and damages arising from a privacy breach or a network security breach. Cyber insurance provides comprehensive first- and third-party coverage together with an expert incident response process.
1.3 Broader than the name cyber would imply, a cyber policy extends to cover numerous incidents including but not limited to:
1.3.1 Cyber extortion and malware (viruses, ransomware, or publishing of stolen data).
1.3.2 Denial of service (disruption to operations) attacks.
1.3.3 Downstream attacks (a compromise of client environments resulting in damages to others).
1.3.4 Hacking.
1.3.5 Insider and privilege misuse (unauthorised access and use of systems and data by employees and service providers).
1.3.6 Physical theft and loss (both devices and physical hard copy data).
1.3.7 Threats posed by third party access into a client environment.
1.4 All claims are handled by the ITOO Specialist Liability claims handler, who must be notified immediately upon receipt of a claim.
2. UNDERSTAND THE RISK
2.1 Who do we cover?
2.1.1 Companies with an annual turnover below R250 000 000.
2.1.2 The company must not trade outside RSA.
2.1.3 The company must not store or process more than 100 000 payment cards (debit and credit cards) per year.
2.1.4 The company must comply with the following minimum security controls:
• Firewalls, anti-virus/anti-malware.
• Processes to apply security-related patches/updates within 3 months of release.
• Password controls including: length of at least 8 characters; use of passwords not reasonably deemed easily guessable; and account lockout after at most 20 failed authentication attempts.
• Default installation/administration account passwords changed from the default and, where possible, such accounts disabled, deleted or renamed.
• Administrative/remote access interfaces such as remote desktop protocol (RDP) are accessible exclusively over secured channels, e.g. virtual private network (VPN).
• Physical access to server rooms/sensitive processing facilities is restricted.
• Sensitive System activity logs are stored for at least 6 months.
• Backup and recovery procedures for Sensitive Systems and Sensitive Data including: weekly backup generation, monitoring for successful backup generation and testing the ability to restore from backups at least every 6 months.
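The controls in 2.1.4 can be self-assessed from evidence an administrator already has to hand before the risk is referred. The Python script below is an added example and is not part of the Hollard or ITOO wording: it turns the measurable thresholds of 2.1.4 (password length, lockout threshold, patch window, log retention, backup cadence and restore-test recency) into checks over constructed evidence. The evidence formats (a `net accounts`-style dump, a patch list, a backup/restore log) and all sample values are assumptions made for illustration, and "3 months" and "6 months" are approximated as 90 and 180 days.

```python
"""Self-assessment against the binder's minimum security controls (section 2.1.4).

Added example, not part of the policy wording. Evidence formats and sample data
are constructed; the month-to-day approximations are an assumption.
"""
from datetime import date, timedelta

# Thresholds from the policy wording (months approximated as 30-day periods).
MIN_PASSWORD_LENGTH = 8
MAX_LOCKOUT_THRESHOLD = 20
PATCH_WINDOW = timedelta(days=90)            # "within 3 months of release"
LOG_RETENTION = timedelta(days=180)          # "stored for at least 6 months"
BACKUP_INTERVAL = timedelta(days=7)          # "weekly backup generation"
RESTORE_TEST_INTERVAL = timedelta(days=180)  # "restore ... at least every 6 months"


def parse_net_accounts(text):
    """Parse the 'Setting: value' lines of a Windows `net accounts` dump into a dict."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip().lower()] = value.strip()
    return settings


def check_password_controls(net_accounts_text):
    """Failures against the password-length and lockout requirements."""
    s = parse_net_accounts(net_accounts_text)
    failures = []
    length = int(s.get("minimum password length", "0"))
    if length < MIN_PASSWORD_LENGTH:
        failures.append(f"minimum password length {length} < {MIN_PASSWORD_LENGTH}")
    threshold = s.get("lockout threshold", "Never")
    # 'Never' means lockout is disabled, which fails the 'at most 20 attempts' control.
    if threshold.lower() == "never" or int(threshold) > MAX_LOCKOUT_THRESHOLD:
        failures.append(f"lockout threshold '{threshold}' exceeds {MAX_LOCKOUT_THRESHOLD} attempts")
    return failures


def check_patching(patches, today):
    """patches: (id, release_date, install_date or None). A patch fails if it was,
    or still is, outstanding for longer than PATCH_WINDOW after release."""
    failures = []
    for patch_id, released, installed in patches:
        if (installed or today) - released > PATCH_WINDOW:
            state = ("still missing" if installed is None
                     else f"applied {(installed - released).days} days after release")
            failures.append(f"{patch_id}: {state}")
    return failures


def check_log_retention(configured_days):
    if timedelta(days=configured_days) < LOG_RETENTION:
        return [f"log retention {configured_days} days < {LOG_RETENTION.days}"]
    return []


def check_backups(events, today):
    """events: (date, kind) with kind 'backup' or 'restore_test', in any order."""
    failures = []
    backups = sorted(d for d, k in events if k == "backup")
    tests = sorted(d for d, k in events if k == "restore_test")
    if not backups:
        failures.append("no backups recorded")
    else:
        # Weekly cadence: check every gap, including the gap from the last backup to today.
        for earlier, later in zip(backups, backups[1:] + [today]):
            if later - earlier > BACKUP_INTERVAL:
                failures.append(f"{(later - earlier).days}-day gap in backups after {earlier}")
    if not tests or today - tests[-1] > RESTORE_TEST_INTERVAL:
        failures.append("no restore test in the last 6 months")
    return failures


def assess(evidence, today):
    """Map each control to its list of failures (empty list means the control passes)."""
    return {
        "password_controls": check_password_controls(evidence["net_accounts"]),
        "patching": check_patching(evidence["patches"], today),
        "log_retention": check_log_retention(evidence["log_retention_days"]),
        "backup_and_recovery": check_backups(evidence["backup_log"], today),
    }


# Constructed evidence for a hypothetical insured (not real data).
TODAY = date(2020, 8, 26)
SAMPLE_EVIDENCE = {
    "net_accounts": ("Minimum password length:                              8\n"
                     "Lockout threshold:                                    Never\n"),
    "patches": [
        ("patch-001", date(2020, 3, 1), date(2020, 3, 20)),  # applied in 19 days: passes
        ("patch-002", date(2020, 4, 1), None),               # 147 days outstanding: fails
    ],
    "log_retention_days": 90,
    "backup_log": [
        (date(2020, 7, 5), "backup"), (date(2020, 7, 12), "backup"),
        (date(2020, 7, 26), "backup"),  # 14-day gap: fails
        (date(2020, 8, 2), "backup"), (date(2020, 8, 9), "backup"),
        (date(2020, 8, 16), "backup"), (date(2020, 8, 23), "backup"),
        (date(2020, 1, 15), "restore_test"),  # 224 days ago: fails
    ],
}

if __name__ == "__main__":
    for control, failures in assess(SAMPLE_EVIDENCE, TODAY).items():
        print(f"{control}: {'PASS' if not failures else 'FAIL'}")
        for failure in failures:
            print(f"  - {failure}")
```

The checks are deliberately evidence-based rather than questionnaire answers: a lockout threshold of "Never" fails even though a lockout policy exists, an unapplied patch is measured from release to today rather than ignored, and the backup cadence is checked gap by gap (including the gap from the last backup to the assessment date) rather than by counting backups.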
2.2 Scope of cover
This section can be triggered by an incident occurring from anywhere in the world. Cover is provided on a global territory but South African jurisdiction basis. Should there be any operations outside of South Africa, please refer the risk to ITOO for a quote. Operations in the USA and Canada are explicitly excluded.
Commercial Underwriting Mandates and Guidelines – Binder – Version 2 2020 103