Cyber Liability Assessment

Assessment Introduction

    Page 1

    Welcome to the Cyber Liability IQRM!

    As is evident from the daily news reports, cyber-related incidents are rapidly increasing, leaving businesses vulnerable to attack. And, the cyber risk has increased significantly with people working remotely.  The IQRM for Cyber Liability is focused on assisting organizations in identifying privacy and security exposures, and recommended best practices to avoid potential breaches and mitigate the impact of a cyber incident.

    Please click below to take a 20 statement survey to gain your organization’s IQRM Effectiveness Risk Audit Score for Cyber Liability.

    Question 1

    We have implemented Multi-Factor Authentication (MFA) on all email and remote access, including privileged accounts.

    Question 2

    We use Next Generation Anti-Virus (NGAV) and/or Endpoint Detection and Response (EDR) software to secure all system endpoints.

    Question 3

    We have disabled Remote Desktop Protocol (RDP) and/or Remote Desktop Gateway (RDG) on all system endpoints or servers.  Alternatively, access is only granted after proper Multi-Factor authentication via our VPN.

    Question 4

    A dedicated individual or team is responsible for overall privacy and network security protection.

    Question 5

    A cyber incident response plan is in place to determine in advance which breach services firm, PR firm, forensics investigator, etc. we would utilize. 

    Question 6

    All valuable/sensitive data is backed-up daily, stored outside the network and tested/validated periodically.

    Question 7

    Regular software updates and patching procedures are performed, including applicable Microsoft vulnerability updates, post their 2021 incident.

    Question 8

    Encryption is in place for sensitive data, especially on portable devices.

    Question 9

    We regularly conduct cyber security audits of our own systems.  We are committed to remedying all significant deficiencies.

    Question 10

    We train and test our employees on recognizing and avoiding phishing, social engineering, and email scams.

    Question 11

    We have established the number of unique personal information records (PII) that we have stored on our network or that are stored by others on our behalf (i.e. 3rd party cloud providers).

    Question 12

    We limit employee access to sensitive data based upon their role in the company and their business need to access such data.

    Question 13

    We require training for employees on appropriate business use of social media.

    Question 14

    We have procedures in place to obtain any data/information assets back from vendors or existing employees and/or contractors upon termination of the relationship. 

    Question 15

    We are compliant with regulations regarding sensitive data that apply to our business including but not limited to HIPAA/HiTECH.  

    Question 16

    If we accept payment cards, we are in compliance with applicable Payment Card Industry Data Security Standards (PCI/DSS).

    Question 17

    For contracts with third parties to manage, host and/or access our data, we ensure such contracts have strong hold harmless agreements.  For contracts with third parties that grant us access to their data, we carefully review the hold harmless agreements and insurance requirements to ensure that they are balanced to both parties.

    Question 18

    For contracts with third parties to manage, host and access our data, we require these organizations to have comprehensive professional liability (if applicable) and cyber liability insurance.

    Question 19

    We have a data destruction policy to remove PII from our systems when no longer needed.

    Question 20

    When acting upon a new or changed request to wire transfer funds to a third party, whether the request is from someone internally or externally, we verify that the request is valid (either in person or by calling a known valid number).

    Tell Us More About You