Cyber Liability
   2.4 Excluded risks
Merchants with a turnover more than R25 000 000 per annum Micro lenders
Online retailers
Payroll processor
Recruitment agencies with a turnover more than R25 000 000 per annum
Technology Service Providers with a turnover more than R25 000 000 per annum Telecommunications provider
Tertiary educational institution
Companies trading outside RSA
Companies that store or process more than 100 000 payment cards (debit and credit cards) per year Companies with an annual turnover above R250 000 000
Companies that do not meet the minimum-security requirements
USA and Canada
2.5 Basic information required to issue cover
2.5.1 Full name of the business entity, partnership, Ltd or (Pty) Ltd
2.5.2 Physical address
2.5.3 Contact details
2.5.4 Nature of the business, full description of activities
2.5.5 Annual turnover/gross revenue
2.5.6 Company registration number
2.5.7 VAT number
2.5.8 Inception date of cover
2.5.9 Broker
2.5.10 Is the company domiciled in South Africa and does it have any operations outside of South Africa to be covered under the policy?
2.5.11 Does the company trade in any of the excluded risks?
2.5.12 Does the company store/process less than 100 000 payment cards (debit and credit cards) per year?
2.5.13 Is the company aware of any circumstances within the past 3 years that would have, may give or has given risk to a claim under the coverage to be provided?
              2.5.14 Has the
• • •
• •
• • •
company implemented the following security controls?
Firewalls, anti-virus/anti-malware.
Processes to apply security related patches/updates within 3 months of release.
Password controls including: length of at least 8 characters; use of passwords not reasonably deemed easily guessable and account lockout because of at most 20 failed authentication attempts.
Default installation/administration account passwords changed from the default password and where possible accounts are disabled, deleted or renamed.
Administrative/remote access interfaces such as remote desktop protocol (RDP) are accessible exclusively over secured channels, e.g. virtual private network (VPN)
Physical access to server rooms/sensitive processing facilities is restricted
Sensitive System activity logs are stored for at least 6 months
Backup and recovery procedures for Sensitive Systems and Sensitive Data including: weekly backup generation, monitoring for successful backup generation and testing the ability to restore from backups at least every 6 months.
 Commercial Underwriting Mandates and Guidelines – Binder – Version 2 2020 105