Required Risk Controls
To qualify for complete coverage, including third-party and network security coverages, insureds must implement, at a minimum, the risk controls listed on this page. If you would like to see if your company qualifies for coverage, please contact us.
Risk Controls
- Employ anti-virus software on all computing devices
- Automatically update anti-virus software at least daily
- Automatically scan and filter e-mail attachments and downloads before opening files
- Automatically receive virus and threat notifications from the United States Computer Emergency Readiness Team (US-CERT), SANS Institute or a similar provider
- Securely configure firewalls with something other than a default configuration
- Configure networks using multiple firewalls (or equivalent) to separate back-office operations from Internet-facing operations
- Promulgate a security policy to all employees and contractors
- Have a tested disaster recovery plan that includes recovery from data center disasters
- Have a tested security incident response plan that addresses both direct (e.g., hacking) and indirect (e.g., virus) attacks upon the network
- Back up network data and configuration files daily
- Store back-up files in a protected location
- Allow remote access to the network only if it is via a VPN or equivalent system
- Monitor network platform vendors at least daily for availability, preferably within seven days
- Always lock the server room or otherwise limit access to authorized personnel