INSURANCE CYBER RISK ASSESSMENT CHECKLIST
Created by ChecklistGuro (https://checklistguro.com)

--- DATA INVENTORY & CLASSIFICATION ---
[ ] Description of Data Type (e.g., PII, Financial, Medical)
[ ] Data Sensitivity Level (Confidential, Internal, Public)
[ ] Approximate Record Count
[ ] Data Retention Policy Applied (Yes, No)
[ ] Data Location (Specific System or Database)
[ ] Data Categories (Select all that apply) (Name, Address, Financial Information, Health Information, Policy Details)
[ ] Last Data Classification Review Date

--- NETWORK SECURITY CONTROLS ---
[ ] Firewall Rule Count
[ ] Firewall Vendor (Cisco, Palo Alto, Fortinet, SonicWall, Other)
[ ] Enabled Security Features (IDS/IPS) (Signature-Based Detection, Anomaly Detection, Protocol Filtering, Application Control)
[ ] Last Intrusion Detection System (IDS) Signature Update
[ ] VPN Type (IPsec, SSL VPN, Other)
[ ] Number of VPN Connections

--- ENDPOINT SECURITY ---
[ ] Antivirus Software Installed? (Yes, No, N/A)
[ ] Last Antivirus Scan Date (Days)
[ ] Endpoint Detection & Response (EDR) Deployed? (Yes, No, N/A)
[ ] Last Patch Management Date
[ ] Full Disk Encryption Enabled? (Yes, No, N/A)
[ ] Endpoint Security Controls Implemented (Select all that apply) (Firewall, Intrusion Prevention, Data Loss Prevention, Application Whitelisting)

--- APPLICATION SECURITY ---
[ ] Secure Coding Practices Implemented? (Yes, No, Partially Implemented)
[ ] Last Vulnerability Scan Score (0-100, 100 being best)
[ ] Which Vulnerability Scanning Tools are Used? (OWASP ZAP, Nessus, Qualys, Burp Suite, None)
[ ] Date of Last Penetration Test
[ ] Is a Web Application Firewall (WAF) in Place? (Yes, No, Planned)
[ ] Describe any identified vulnerabilities and remediation efforts.

--- THIRD-PARTY RISK MANAGEMENT ---
[ ] Vendor Risk Tier Assessment (High, Medium, Low)
[ ] Last Vendor Risk Assessment Date
[ ] Security Standards/Frameworks Used by Vendor (SOC 2, ISO 27001, PCI DSS, NIST CSF)
[ ] Number of Active Users (Vendor)
[ ] Vendor Security Questionnaire Responses
[ ] Vendor Audit Frequency (Annual, Bi-Annual, Upon Request)

--- INCIDENT RESPONSE PLANNING ---
[ ] Incident Response Plan Document Location
[ ] Primary Contact Role (Incident Commander) (IT Security Manager, Claims Director, Legal Counsel, Designated Incident Commander)
[ ] Secondary Contact Role (Communications) (Public Relations, Legal Counsel, Marketing Manager, Designated Communications Officer)
[ ] Last Incident Response Plan Review Date
[ ] Estimated Time to Contain Incident (Hours)
[ ] Stakeholders to Notify (Check all that apply) (Executive Management, Legal Counsel, Regulatory Agencies, Law Enforcement, Cybersecurity Insurance Provider)
[ ] Briefly Describe Initial Containment Steps

--- EMPLOYEE TRAINING & AWARENESS ---
[ ] Most Recent Training Completion Date (Within Last 3 Months, 3-6 Months Ago, 6-12 Months Ago, Over 12 Months Ago)
[ ] Training Topics Covered (Select All That Apply) (Phishing Awareness, Data Privacy, Secure Password Practices, Social Engineering, Incident Reporting Procedures)
[ ] Average Score on Cybersecurity Quiz
[ ] Feedback on Training Program
[ ] Date of Next Scheduled Training Session

--- DATA BACKUP & RECOVERY ---
[ ] Frequency of Full Backups (Days)
[ ] Frequency of Incremental/Differential Backups (Hours)
[ ] Backup Storage Location (Onsite, Offsite, Cloud)
[ ] Last Successful Full Backup Date
[ ] Description of Backup Software Used
[ ] Retention Policy (How long backups are kept) (30 Days, 60 Days, 90 Days, Custom (Specify in Long Text))
[ ] Last Backup Verification Report

--- CLOUD SECURITY ---
[ ] Cloud Provider Security Certifications (SOC 2 Type II, ISO 27001, PCI DSS, HIPAA, None)
[ ] Encryption at Rest Strength (bits)
[ ] Multi-Factor Authentication (MFA) Status (Enabled for all users, Enabled for privileged accounts only, Disabled)
[ ] Cloud Security Group Configuration Details
[ ] Last Cloud Security Audit Date
[ ] Cloud Security Tools Deployed (Vulnerability Scanning, Intrusion Detection/Prevention, Data Loss Prevention (DLP), Security Information and Event Management (SIEM))

--- COMPLIANCE & LEGAL REQUIREMENTS ---
[ ] Applicable Regulations (GDPR, CCPA, HIPAA, State Data Breach Laws (Specify), Other (Specify in Long Text))
[ ] Specific Legal Requirements Addressed
[ ] Last Compliance Assessment Date
[ ] Number of Data Subject Access Requests (DSARs) Received in Last Year
[ ] Data Breach Notification Threshold (Specify Legal Requirement) (State Specific, Federal Requirement, Company Policy)
[ ] Documentation of Compliance Efforts

--- END OF TEMPLATE ---