cri - crime

© Statewide Mutual 2021

CRI - CRIME

CRI 1. DO YOU REQUIRE COVER FOR CRIME?

☐ Yes ☐ No

COVERAGE A - Commercial Crime Protection

CRI 2. DO YOU REQUIRE CHANGES TO YOUR EXISTING LIMITS OF COVER OR ADDITIONAL CRIME COVER?

☐ No ☐ Yes

CRI 2A. IF YES, PLEASE ADVISE NEW LIMITS

CRI 3. DO YOU REQUIRE ANY AMENDMENTS TO YOUR EXISTING DEDUCTIBLE?

☐ No ☐ Yes

CRI 3A. IF YES, PLEASE ADVISE CHANGES.

CRI 4. NUMBER OF EXECUTIVES, OFFICERS AND EMPLOYEES PRIMARILY ENGAGED IN DUTIES AS CASHIERS,TREASURERS, PAYMASTERS OR ACCOUNTANTS HANDLING MONEY OR NEGOTIABLE INSTRUMENTS

CRI 5. NUMBER OF OUTDOORS EMPLOYEES ENGAGED HANDLING MONEY OR NEGOTIABLE INSTRUMENTS OREMPLOYEES PRIMARILY ENGAGED IN THE DELIVERY OF GOODS

CRI - CRIME

IMPORTANT: Please use this document as a checklist only and ensure the data is uploaded to the online questionnaire


CRI 6. ARE DUTIES SEGREGATED SO THAT NO INDIVIDUAL CAN CONTROL ANY OF THE FOLLOWING ACTIVITIES FROM COMMENCEMENT TO COMPLETION WITHOUT REFERRAL TO OTHERS?*

Yes NoIs issuing 'funds transfer instructions' a segregated activity?Is 'amending funds transfer procedures' a segregated activity?Is 'opening new accounts' a segregated activity?Is 'refunding monies of return goods above $10,000' a segregated activity? Is 'awarding contracts following a tender' a segregated activity?Is 'authorising purchases above $10,000' a segregated activity?Is 'adding new hires to payroll' a segregated activity?

CRI 7. ARE USER IDS AUTOMATICALLY REVOKED ON SEPARATION OF EMPLOYMENT?

☐ Yes

☐ No

CRI 8. ARE LEVELS OF PURCHASING AUTHORITY ESTABLISHED IN WRITING?

☐ Yes☐ No

CRI 9. HAS A NUMBERED PURCHASE ORDER SYSTEM BEEN IMPLEMENTED AND IS IT BEING FOLLOWED?

☐ Yes☐ No

CRI 10. HAS AN APPROVED MASTER VENDOR LIST BEEN ESTABLISHED?

☐ Yes☐ No

CRI 11. ARE PROCEDURES IN PLACE TO VERIFY THE EXISTENCE AND OWNERSHIP OF ALL NEW VENDORS PRIOR TO ADDING THEM TO THE AUTHORISED MASTER VENDOR LIST?

☐ Yes ☐ No

☐ Yes☐ No

CRI 15. DOES THE COUNCIL HAVE A PROCESS IN PLACE AT ALL LOCATIONS WHERE REQUESTS FOR AUTHENTICATIONOF BANK ACCOUNT DETAILS OR FOR INFORMATION ON BANK ACCOUNT DETAILS PURPORTING TO COME FROM BANKOFFICIALS ARE RAISED WITH THE COUNCIL’S SENIOR MANAGEMENT AND FOLLOWED UP WITH PREVIOUSLY KNOWNBANK CONTACTS TO CONFIRM AUTHENTICITY OF SUCH REQUESTS?

☐ Yes☐ No

CRI 11A. IF YES, IS DUE DILIGENCE CONDUCTED BY SOMEONE OTHER THAN THE PERSON REQUESTING SUCHADDITION OR WITH AUTHORITY AND/OR ABILITY TO ADD THE VENDOR TO THE MASTER LIST?

☐ Yes ☐ No


CRI 12. DOES THE PURCHASING SYSTEM AUTOMATICALLY PRODUCE EXCEPTION REPORTS TO NOTIFY MANAGEMENT OF POTENTIAL FRAUDULENT TRANSACTIONS OR TRENDS?

☐ Yes ☐ No

CRI 13. DOES A SOCIAL ENGINEERING FRAUD RISK MANAGEMENT STRATEGY EXIST AND HAS THE COUNCIL INFORMED AND ALERTED RELEVANT STAFF AT ALL LOCATIONS OF SOCIAL ENGINEERING FRAUD?

☐ Yes ☐ No

—NOTE: Social Engineering Fraud includes fake person fraud, payment diversion fraud and customer/management impersonation Fraud.

CRI 14. DOES THE COUNCIL HAVE A PROCESS IN PLACE AT ALL LOCATIONS WHERE ALL UNUSUAL PAYMENT INSTRUCTIONS PURPORTING TO COME FROM THE COUNCIL’S SENIOR MANAGEMENT ARE FOLLOWED UP BY CALL BACKS TO SENIOR MANAGEMENT AT A PREVIOUSLY KNOWN AND PRE-DESIGNATED PHONE NUMBER TO CONFIRM PAYMENT INSTRUCTIONS AND CHECK AUTHENTICITY?

☐ Yes ☐ No

CRI 15. DOES THE COUNCIL HAVE A PROCESS IN PLACE AT ALL LOCATIONS WHERE REQUESTS FOR AUTHENTICATIONOF BANK ACCOUNT DETAILS OR FOR INFORMATION ON BANK ACCOUNT DETAILS PURPORTING TO COME FROM BANKOFFICIALS ARE RAISED WITH THE COUNCIL’S SENIOR MANAGEMENT AND FOLLOWED UP WITH PREVIOUSLY KNOWNBANK CONTACTS TO CONFIRM AUTHENTICITY OF SUCH REQUESTS?

☐ Yes☐ No

CRI 16. DOES THE COUNCIL HAVE A PROCESS IN PLACE AT ALL LOCATIONS WHERE INSTRUCTIONS TO CHANGEBANK ACCOUNT DETAILS PURPORTING TO COME FROM VENDORS AND SUPPLIERS ARE FOLLOWED UP BY CALLBACKS TO VENDORS AND SUPPLIERS AT A PREVIOUSLY KNOWN AND PRE-DESIGNATED PHONE NUMBER TOCONFIRM INSTRUCTIONS TO CHANGE BANK ACCOUNT DETAILS AND CHECK AUTHENTICITY

☐ Yes

☐ No


CRI 17. DOES THE COUNCIL HAVE A PROCESS IN PLACE AT ALL LOCATIONS WHERE SENIOR MANAGEMENT APPROVAL IS ALWAYS REQUIRED BEFORE CHANGES TO VENDOR AND SUPPLIER BANK ACCOUNT DETAILS ARE PROCESSED, SUCH APPROVAL BEING GIVEN AFTER REVIEW OF THE UNDERLYING REQUEST AND THE RECORD OF ITS VERIFICATION?

☐ Yes ☐ No

CRI 18. DOES THE COUNCIL HAVE A PROCESS IN PLACE AT ALL LOCATIONS WHERE ALL BANK STATEMENTS ARE INDEPENDENTLY RECONCILED BY PERSONS NOT AUTHORISED TO DEPOSIT OR WITHDRAW FUNDS, ISSUE FUNDS TRANSFER INSTRUCTIONS OR DISPATCH FUNDS TO CUSTOMERS?

☐ Yes ☐ No

CRI 19. DOES THE COUNCIL’S EMAIL SERVER AND/OR INTERNET SERVICE PROVIDER (ISP) USE ANY AUTHENTICATION METHODS AT ALL LOCATIONS?

☐ Yes ☐ No

CRI 19A. IF YES, PLEASE LIST

CRI 20. DOES THE COUNCIL USE A THIRD PARTY SOFTWARE PRODUCT TO ENHANCE EMAIL AUTHENTICATIONPROCEDURES AT ALL LOCATIONS?

☐ Yes☐ No

CRI 20A. IF YES, PLEASE LIST

CRI 21. HOW FREQUENTLY ARE AUDITS MADE OF CASH AND ACCOUNTS?

CRI 22. BY WHOM?

CRI 23. HOW FREQUENTLY ARE AUDITS MADE OF INVENTORY AND STOCK/MERCHANDISE?

CRI 24. BY WHOM?


CRI 25. DO YOU REQUIRE COVER FOR CYBER LIABILITY?

☐ Yes ☐ No

CRI 26. DO YOU REQUIRE ANY AMENDMENTS TO YOUR EXISTING DEDUCTIBLE?

☐ Yes☐ No

CRI 26A. IF YES, PLEASE ADVISE CHANGES.

CRI 27. DO YOU REQUIRE ANY CHANGES TO YOUR EXISTING LIMITS OR ADDITIONAL CYBER COVER?

☐ Yes☐ No

CRI 27A. IF YES, PLEASE ADVISE NEW LIMITS.

CRI 28. DOES THE MEMBER ANTICIPATE THAT IN THE NEXT TWELVE (12) MONTHS ESTABLISHING OR ENTERING INTOANY RELATED OR UNRELATED VENTURES WHICH ARE A MATERIAL CHANGE IN OPERATIONS?

☐ Yes☐ No

CRI 28A. PLEASE PROVIDE FULL DETAILS.

CRI 29. Please complete the following information:

CRI 29a. Total Number of Employees:

PRIOR YEAR

CURRENT YEAR

PROJECTED YEAR

COVERAGE B - Council Security and Privacy Protection

Governance, Network Security and Data Management


CRI 29b. Total Assets:

PRIOR YEAR

CURRENT YEAR

PROJECTED YEAR

CRI 29c. Total Gross Revenue:

PRIOR YEAR

CURRENT YEAR

PROJECTED YEAR

CRI 29d. Total Gross Revenues from online sales or service:

PRIOR YEAR

CURRENT YEAR

PROJECTED YEAR

CRI 30. HOW MANY SERVERS DOES THE MEMBER EITHER OWN OR OTHERWISE HAVE DEDICATED TO THEIR USE?

CRI 31. WHAT IS THE MEMBER'S TOTAL NUMBER OF IP ADDRESSES?


CRI 32. DOES THE MEMBER COLLECT, STORE OR PROCESS PERSONALLY IDENTIFIABLE OR OTHER CONFIDENTIALINFORMATION?

☐ Yes☐ No

CRI 32A. IF YES, HOW MANY RECORDS ARE HELD, INCLUDING THE MEMBER'S PROSPECTIVE, CURRENT AND FORMERCONSTITUENTS / CUSTOMERS AND EMPLOYEES?

CRI 33. DOES THE MEMBER COMPLY WITH PRIVACY AND DATA PROTECTION LEGISLATION APPLICABLE TO ALLJURISDICTIONS AND INDUSTRY STANDARDS IN WHICH IT OPERATES? (E.G. AUSTRALIAN PRIVACY PRINCIPALS, HIPAAPRIVACY RULES, EU DATA PROTECTION REGULATIONS).

☐ Yes☐ No

CRI 34. DOES THE COUNCIL PROCESS OR STORE PERSONALLY IDENTIFIABLE OR OTHER CONFIDENTIALINFORMATION FOR THIRD PARTIES?

☐ Yes☐ No

CRI 34A. PLEASE PROVIDE AN EXPLANATION

CRI 35. DOES THE MEMBER SHRED ALL WRITTEN OR PRINTED PERSONALLY IDENTIFIABLE OR OTHER CONFIDENTIALINFORMATION WHEN IT IS BEING DISCARDED?

☐ Yes☐ No

PCI Compliance

CRI 36. IS THE MEMBER SUBJECT TO PAYMENT CARD INDUSTRY (PCI) SECURITY STANDARDS?

☐ Yes☐ No

CRI 36A. IF YES, HOW MANY CREDIT OR DEBIT CARD TRANSACTIONS DOES THE MEMBER PROCESS ANNUALLY?


Information Security Policies

CRI 37. HAS THE MEMBER IMPLEMENTED A FORMAL INFORMATION SECURITY POLICY WHICH IS APPLICABLE TO ALLOF MEMBER’S BUSINESS UNITS?

☐ Yes☐ No

CRI 37A. DOES THE MEMBER:

Please tick all that apply—☐ a) Test the security required by the security policy at least once annually?☐ b) Regularly identify and assess new threats and adjust the security policy to address new threats?☐ c) Have an information security policy that includes policies for the use and storage of personally identifiable or otherconfidential information on laptops?

Web Server Security

CRI 38. DOES THE MEMBER STORE PERSONALLY IDENTIFIABLE OR OTHER CONFIDENTIAL INFORMATION ON THEIRWEB SERVERS?

CRI 36B. DOES THE MEMBER:

Please tick all that apply—☐ a) Mask all but the last four digits of a card number when displaying or printing cardholder data?☐ b) Ensure that card-validation codes are not stored in any of Member’s databases,log files or anywhere else withintheir network?☐ c) Encrypt all account information on the Member’s databases?☐ d) Encrypt or use tokenisation for all account information at the point of sale?

☐ Yes☐ No

CRI 39. DO THE MEMBER'S WEB SERVERS HAVE DIRECT ACCESS TO PERSONALLY IDENTIFIABLE OR OTHERCONFIDENTIAL INFORMATION?

☐ Yes☐ No

CRI 40. DOES THE MEMBER HAVE FIREWALLS THAT FILTER BOTH INBOUND AND OUTBOUND TRAFFIC?

☐ Yes☐ No


Virus Protection, Intrusion Detection & Penetration Testing

CRI 41. ARE ANTI-VIRUS PROGRAMS INSTALLED ON ALL OF THE MEMBER'S PC'S NETWORK SYSTEMS?

☐ Yes☐ No

CRI 41A. HOW FREQUENTLY ARE THE VIRUS DETECTION SIGNATURES UPDATED?

CRI 42. DOES THE MEMBER EMPLOY INTRUSION DETECTION OR INTRUSION PROTECTION DEVICES ON THEIRNETWORK, OR IDS OR IPS SOFTWARE ON THE MEMBER'S HOSTS?

☐ Yes☐ No

CRI 42A. HOW FREQUENTLY ARE THE LOGS REVIEWED?

CRI 43. DOES THE MEMBER RUN PENETRATION TESTS AGAINST ALL PARTS OF THEIR NETWORK?

☐ Yes☐ No

CRI 43A. HOW OFTEN ARE THE TESTS RUN?

CRI 44. HAS THE MEMBER BEEN THE TARGET OF ANY COMPUTER OR NETWORK ATTACKS (INCLUDING VIRUSATTACKS) IN THE PAST TWO (2) YEARS?

☐ Yes☐ No

CRI 44A. IF YES, DID THE NUMBER OF ATTACKS INCREASE?

☐ Yes☐ No

Mobile Device Security

CRI 45. DOES THE MEMBER STORE PERSONALLY IDENTIFIABLE OR OTHER CONFIDENTIAL INFORMATION ON MOBILEDEVICES?

☐ Yes☐ No

CRI 45A. IF YES, DOES THE MEMBER ENCRYPT SUCH INFORMATION?

☐ Yes☐ No


Business Continuity

CRI 46. DOES THE MEMBER HAVE A BUSINESS CONTINUITY PLAN (BCP) SPECIFICALLY DESIGNED TO ADDRESS ANETWORK RELATED DENIAL-OF-SERVICE ATTACK?

☐ Yes☐ No

CRI 46A. IS THE BCP REVIEWED AND UPDATED AT LEAST BI-ANNUALLY?

☐ Yes☐ No

CRI 46B. IF YES, IS THE BCP TESTED AT LEAST ONCE ANNUALLY?

☐ Yes☐ No

CRI 46C. HAVE ANY PROBLEMS BEEN IDENTIFIED DURING TESTED AND RECTIFIED?

☐ Yes☐ No

CRI 46D. DOES YOUR BCP ADDRESS THE DESTRUCTION OF OR CORRUPTION OF YOUR APPLICATIONS AND DATA?

☐ Yes☐ No

CRI 46.I). WHAT IS THE ESTIMATED COST OF RESTORING APPLICATIONS OR DATA AND THE COST OF THE RECOVERY?

CRI 46D.II). HOW LONG DO YOU THINK IT WOULD TAKE TO RESTORE APPLICATIONS AND/OR DATA?

Security Assessments

CRI 47. HAS AN EXTERNAL SYSTEM SECURITY ASSESSMENT, OTHER THAN VULNERABILITY SCANS OR PENETRATIONTESTS BEEN CONDUCTED WITHIN THE PAST TWELVE (12) MONTHS?

☐ Yes ☐ No


INDICATE WHETHER ALL CRITICAL RECOMMENDATIONS HAVE BEEN CORRECTED OR COMPLIED WITH.

CRI 47B. ATTACH COPIES OF THE RESULT

CRI 47C. IF NO, PLEASE PROVIDE AN EXPLANATION

Backup & Archiving

CRI 48. HOW FREQUENTLY DOES THE MEMBER BACK UP ELECTRONIC DATA?

CRI 49. WHERE DOES THE MEMBER STORE BACK UP ELECTRONIC DATA?

CRI 50. DOES THE MEMBER STORE BACK UP ELECTRONIC DATA WITH A THIRD PARTY SERVICE PROVIDER?

☐ Yes☐ No

Service Providers

CRI 51. DOES THE MEMBER USE VENDORS THAT PROVIDE YOU WITH INFRASTRUCTURE, PLATFORM, SOFTWARE ORSTORAGE SERVICES?

☐ Yes☐ No

CRI 51A. FOR ALL VENDORS THAT PROVIDE THE MEMBER WITH INFRASTRUCTURE, PLATFORM, SOFTWARE ORSTORAGE SERVICES, DO YOU:

Please tick all that apply—☐ a) Require that they comply with specific security requirements?☐ b) Assess and confirm that they meet your required levels of security?☐ c) Have the requisite security procedures and requirements written into the contract with them?☐ d) Require that they indemnify you for damages you sustain because they failed to implement or maintain yourrequired level of security?☐ e) Require that they provide insurance for damages that you sustain?

CRI 47A. IF YES, PLEASE INDICATE WHO CONDUCTED THE ASSESSMENT, ATTACH COPIES OF THE RESULT, AND


Security Incident and Loss History

CRI 53. HAS THE MEMBER EVER HAD ANY COMPUTER OR NETWORK SECURITY INCIDENTS?

☐ Yes☐ No

—“Incident” includes any unauthorised access to any computer, system, database or data, intrusion or attack, the denial ofuse of any computer or system, intentional disruption, corruption or destruction of electronic data, programs orapplications or any other incidents similar to the foregoing?

CRI 53A. PLEASE DESCRIBE THE MAGNITUDE OF THE ATTACK(S) INCLUDING HOW LONG EACH ATTACH LASTED ANDTHE AVERAGE PPS RATE.

CRI 53B. PLEASE DESCRIBE WHAT ACTIONS YOU TOOK TO MITIGATE OR RECOVER FROM IT AND THE COST OFCARRYING OUT THOSE MITIGATION/RECOVERY ACTIONS.

CRI 54. HAVE ANY LOSS PAYMENTS BEEN MADE ON BEHALF OF COUNCIL OR ANY PERSON PROPOSED FORCOVERAGE UNDER ANY CYBER SECURITY POLICY OR SIMILAR INSURANCE?

☐ Yes☐ No

CRI 55. IN THE PAST FIVE (5) YEARS HAS ANYONE INTENTIONALLY DAMAGED OR CORRUPTED, OR ATTEMPTED TODAMAGE OR CORRUPT YOUR APPLICATIONS OR DATA?

☐ Yes☐ No

CRI 55A. PLEASE DESCRIBE WHETHER THE PERPETRATOR WAS EMPLOYED BY YOU AND, IF SO, WHETHER THEY WEREAN EMPLOYEE OR CONTRACTOR

CRI 55B. PLEASE DESCIBRE HOW THE PERPETRATOR GOT ACCESS TO THE APPLICATIONS OR DATA

CRI 55C. PLEASE DESCRIBE WHAT ACTIONS YOU TOOK TO RECOVER THE APPLICATIONS OR DATA AND THE COST OFRECOVERY

Incident Response Plans

CRI 52. DOES THE MEMBER HAVE A FORMAL INCIDENT RESPONSE PLAN THAT ADDRESSES NETWORK SECURITYINCIDENTS OR THREATS?

☐ Yes☐ No


☐ No—

For further information https://www.solarwinds.com/securityadvisory

CRI 57A. PLEASE EXPLAIN WHAT STEPS YOU’VE TAKEN TO ISOLATE SOLARWINDS ORION BACKDOOR RISKS?

CRI 57B. HAVE YOU AT ANY TIME RUN A VERSION OF SOLARWINDS ORION VULNERABLE TO THE SUNBURST ORSUPERNOVA BACKDOORS?

☐ Yes☐ No

CRI 58. PLEASE DESCRIBE THE MEASURES THE MEMBER HAS TAKEN TO INVESTIGATE POTENTIAL MALICIOUSACTIVITY IN YOUR SYSTEM?

—For further information https://cyber.dhs.gov/ed/21-01/

CRI 59. DO YOU CURRENTLY HAVE ANY EVIDENCE OF MALICIOUS ACTIVITY AS A RESULT OF THIS VULNERABILITY INYOUR SYSTEM?

☐ Yes☐ No

—

For further information https://cyber.dhs.gov/ed/21-01/

CRI 59A. IF YES, PLEASE PROVIDE DETAILS

SolarWinds

CRI 56. DO YOU HAVE OR HAVE YOU HAD, SOLARWINDS ORION PRODUCTS IN THE LAST 365 DAYS

☐ Yes☐ No

CRI 57. IF YES DO YOU CURRENTLY RUN A VERSION OF SOLARWINDS ORION VULNERABLE TO THE SUNBURSTSUPERNOVA BACKDOORS?

☐ Yes


signed by the Members’ Chief Executive Officer or delegated authorised officer.

AUTHORISED OFFICER

Authorised Officer for Cyber Liability—

AUTHORISED OFFICER'S JOB TITLE

AUTHORISED OFFICER'S EMAIL

If you would like to obtain the Approver's Signature please send them the unique link generated from the 'Save andcontinue later' button below. Once they have signed you can return to the same link and submit.

AUTHORISED OFFICER'S

APPROVAL PRIOR TO SUBMISSION

DECLARATION

☐ The undersigned authorised officers of the Member declare that to the best of their knowledge and belief thestatements set forth herein and all attachments and schedules hereto are true and immediate notice will be given shouldany of the above information alter between the date of this completed questionnaire and the proposed date of inceptionof the Cyber Liability Protection. Although the signing of the completed questionnaire does not bind the undersigned, onbehalf of the Member, to effect Cyber Liability Protection, the undersigned agrees that this completed questionnaire andall attachments and schedules hereto and the said statements herein shall be the basis of and will be incorporated intothe Cyber Liability Protection should one be issued. The undersigned, on behalf of the Member, acknowledge that theImportant Information Notice contained herein has been read and understood. The completed questionnaire must be

CRI 60. DO YOU HAVE ANY ADDITIONAL COMMENTS OR QUESTIONS FOR YOUR ACCOUNT MANAGER REGARDINGCYBER LIABILITY COVER?

CRI 61. DO YOU HAVE ANY ADDITIONAL COMMENTS OR QUESTIONS FOR YOUR ACCOUNT MANAGER REGARDINGCRIME COVER?

cri - crime

Documents