TOKIO MARINE
HCC
Cyber & Professional Lines Group
16501 Ventura Blvd. Suite 200, Encino, CA 91436
main (818) 382-2030
NetGuard® Plus Cyber Liability Insurance Application
THIS IS AN APPLICATION FOR A CLAIMS MADE AND REPORTED POLICY. THIS APPLICATION IS NOT A BINDER.
This application for NetGuard® Plus Cyber Liability Insurance is intended to be used for the preliminary evaluation of a submission. When
completed in its entirety, this application will enable the Underwriter to decide whether or not to authorize the binding of insurance. Please
type or print clearly and answer all questions. If space is insufficient to answer any question fully, attach a separate sheet. Complete all
required supplemental forms/applications. "You" and "Your", as used in this application, means the Applicant unless noted otherwise
below.
1. GENERAL INFORMATION
Name of Applicant: Weld County
Street Address: 1150 O Street
City, State, Zip: Greeley, CO 80631
Phone: 970-400-4234
Website: https://www.weld.gov
Fax: 970-400-4024
2. FORM OF BUSINESS
a. Applicant is a(an): ☐ Individual ☐ Corporation ☐ Partnership ☑ Other: Local Government
b. Date established: 11/3/1861
c. Description of operations: Local County Government
d. Total number of employees: 1,787
e. Please attach a list of all subsidiaries, affiliated companies or entities owned by the Applicant. Please describe (1) the nature of
operations of each such subsidiary, affiliated company or entity, (2) its relationship to the Applicant and (3) the percentage of
ownership by the Applicant.
3. REVENUES
                        Current Fiscal Year     Last Fiscal Year     Two Fiscal Years ago
                        ending 12/23            ending 12/22         ending 12/21
                        (current projected)
Total gross revenues:   $ 1,033,791,603         $ 811,775,768        $ 672,881,857
4. RECORDS
a. Do you collect, store, host, process, control, use or share any private or sensitive information* in either paper or electronic form?  ☑ Yes ☐ No
   If "Yes", please provide the approximate number of unique records:
   Paper records:            Electronic records:
*Private or sensitive information includes any information or data that can be used to uniquely identify a person, including, but not limited to, social security numbers or other government identification numbers, payment card information, drivers' license numbers, financial account numbers, personal identification numbers (PINs), usernames, passwords, healthcare records and email addresses.
b. Do you collect, store, host, process, control, use or share any biometric information or data, such as fingerprints, voiceprints, facial, hand, iris or retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person?  ☐ Yes ☑ No
   If "Yes", have you reviewed your policies relating to the collection, storage and destruction of such information or data with a qualified attorney and confirmed compliance with applicable federal, state, local and foreign laws?  ☐ Yes ☐ No
c. Do you process, store or handle credit card transactions?  ☑ Yes ☐ No
   If "Yes", are you PCI-DSS Compliant?  ☑ Yes ☐ No
5. IT DEPARTMENT
This section must be completed by the individual responsible for the Applicant's network security. As used in this section only, "you" refers to the individual responsible for the Applicant's network security.
a. Who is responsible for the Applicant's network security?
   Name: Eric Lund
   Title: IT Security Analyst
   Phone: 970-400-2513   Email address: elund@weld.gov
   IT Security Designation(s): CISSP
NGP-NBA (1.2021)
b. The Applicant's network security is: ☐ Outsourced ☑ Managed internally/in-house
c. How many IT personnel are on your team? 63
d. How many dedicated IT security personnel are on your team? 3
By signing below, you confirm that you have reviewed all questions in Sections 6 through 8 of this application regarding the Applicant's security controls, and, to the best of your knowledge, all answers are complete and accurate. Additionally, you consent to receiving direct communications from the Insurer and/or its representatives regarding potentially urgent security issues identified in relation to the Applicant's organization.
Print/Type Name: Eric Lund
Signature: [signed]
6. EMAIL SECURITY CONTROLS
If the answer to any question in this section is "No", please provide additional details in the "Additional Comments" section.
a. Do you tag external emails to alert employees that the message originated from outside the organization?  ☑ Yes ☐ No
b. Do you pre-screen emails for potentially malicious attachments and links?  ☑ Yes ☐ No
   If "Yes", do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end-user?  ☑ Yes ☐ No
c. Have you implemented any of the following to protect against phishing messages? (Please check all that apply):
   ☑ Sender Policy Framework (SPF)
   ☑ DomainKeys Identified Mail (DKIM)
   ☑ Domain-based Message Authentication, Reporting & Conformance (DMARC)
   ☐ None of the above
d. Can your users access email through a web application or a non-corporate device?  ☑ Yes ☐ No
   If "Yes", do you enforce Multi-Factor Authentication (MFA)?  ☑ Yes ☐ No
e. Do you use Office 365 in your organization?  ☑ Yes ☐ No
   If "Yes", do you use the Office 365 Advanced Threat Protection add-on?  ☐ Yes ☑ No
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
3rd-party products are used to supplement Office 365 in place of the Advanced Threat Protection add-on which provide the same features and functionality.
7. INTERNAL SECURITY CONTROLS
If the answer to any question in this section is "No", please provide additional details in the "Additional Comments" section.
a. Do you use a cloud provider to store data or host applications?  ☑ Yes ☐ No
   If "Yes", please provide the name of the cloud provider: Microsoft Azure/Office 365
   If you use more than one cloud provider to store data, please specify the cloud provider storing the largest quantity of sensitive customer and/or employee records (e.g., including medical records, personal health information, social security numbers, bank account details and credit card numbers) for you.
b. Do you use MFA to secure all cloud provider services that you utilize (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud)?  ☑ Yes ☐ No
c. Do you encrypt all sensitive and confidential information stored on your organization's systems and networks?  ☐ Yes ☑ No
   If "No", are the following compensating controls in place:
   (1) Segregation of servers that store sensitive and confidential information?  ☑ Yes ☐ No
   (2) Access control with role-based assignments?  ☑ Yes ☐ No
d. Do you allow remote access to your network?  ☑ Yes ☐ No
   If "Yes":
   (1) Do you use MFA to secure all remote access to your network, including any remote desktop protocol (RDP) connections?  ☑ Yes ☐ No
       If MFA is used, please select your MFA provider: Other
       If "Other", please provide the name of your MFA provider: Microsoft Authenticator, RSA
e. Do you use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise?  ☑ Yes ☐ No
   If "Yes", please select your NGAV provider: CrowdStrike Falcon Prevent
   If "Other", please provide the name of your NGAV provider:
f. Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise?  ☑ Yes ☐ No
   If "Yes", please select your EDR provider: CrowdStrike Falcon Insight
   If "Other", please provide the name of your EDR provider:
g. Do you use MFA to protect access to privileged user accounts?  ☑ Yes ☐ No
h. Do you manage privileged accounts using privileged account management software (e.g., CyberArk, BeyondTrust, etc.)?  ☐ Yes ☑ No
   If "Yes", please provide the name of your provider:
i. Do you actively monitor all administrator access for unusual behavior patterns?  ☐ Yes ☑ No
   If "Yes", please provide the name of your monitoring tool:
j. Do you roll out a hardened baseline configuration across servers, laptops, desktops and managed mobile devices?  ☑ Yes ☐ No
k. Do you record and track all software and hardware assets deployed across your organization?  ☑ Yes ☐ No
   If "Yes", please provide the name of the tool used for this purpose (if any): Track-It
l. Do non-IT users have local administration rights on their laptop / desktop?  ☐ Yes ☑ No
m. How frequently do you install critical and high severity patches across your enterprise?
   ☐ 1-3 days ☐ 4-7 days ☑ 8-30 days ☐ One month or longer
n. Do you have any end of life or end of support software?  ☑ Yes ☐ No
   If "Yes", is it segregated from the rest of your network?  ☑ Yes ☐ No
o. Do you use a protective DNS service (e.g. ZScaler, Quad9, OpenDNS or the public sector PDNS) to block access to known malicious websites?  ☑ Yes ☐ No
   If "Yes", please provide the name of your DNS provider: Infoblox
p. Do you use endpoint application isolation and containment technology on all endpoints?  ☐ Yes ☑ No
   If "Yes", please select your provider:
   If "Other", please provide the name of your provider:
q. Can users run Microsoft Office Macro enabled documents on their system by default?  ☐ Yes ☑ No
r. Do you implement PowerShell best practices as outlined in the Environment Recommendations by Microsoft?  ☑ Yes ☐ No
s. Do you utilize a Security Information and Event Management (SIEM) system?  ☑ Yes ☐ No
t. Do you utilize a Security Operations Center (SOC)?  ☐ Yes ☑ No
   If "Yes", is it monitored 24 hours a day, 7 days a week?  ☐ Yes ☑ No
u. Do you use a vulnerability management tool?  ☑ Yes ☐ No
   If "Yes", please select your provider: Nessus/Tenable
   If "Other", please provide the name of your provider:
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
IT employs encryption where feasible for data in transit and at rest within the county network. Privileged Account Management software is not currently used. Privileged access is granted on an as-needed basis and requires the approval of a user's manager, IT Security, and the director of IT Technical Operations. Unusual behavior patterns are in the process of being implemented. Endpoint application isolation is not currently in place; the county relies on DNS, web filtering, and endpoint behavioral detection software to protect workstations. In place of SOC, IT relies on alerts generated from various tools as well as a formal on-call rotation for after-hours events.
8. BACKUP AND RECOVERY POLICIES
If the answer to the question in this section is "No", please provide additional details in the "Additional Comments" section.
Do you use a data backup solution?  ☑ Yes ☐ No
If "Yes":
a. How frequently does it run?  ☑ Daily ☐ Weekly ☐ Monthly
b. Estimated amount of time it will take to restore essential functions in the event of a widespread malware or ransomware attack within your network:
   0-24 hours ☐ 1-3 days ☐ 4-6 days ☐ 1 week or longer
c. Please check all that apply:
   ☑ Backups are encrypted
   ☑ Backups are kept separate from your network (offline/air-gapped), or in a cloud service designed for this purpose
   ☑ Backups are secured with different access credentials from other administrator credentials
   ☑ You utilize MFA to restrict access to your backups
   ☐ You use a cloud-syncing service (e.g. Dropbox, OneDrive, SharePoint, Google Drive) for backups
   ☐ Your cloud-syncing service is protected by MFA
   ☑ You have tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months
   ☑ You are able to test the integrity of backups prior to restoration to ensure that they are free of malware
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
9. PHISHING CONTROLS
a. Do any of the following employees at your company complete social engineering training:
   (1) Employees with financial or accounting responsibilities?  ☑ Yes ☐ No
   (2) Employees without financial or accounting responsibilities?  ☑ Yes ☐ No
   If "Yes" to question 9.a.(1) or 9.a.(2) above, does your social engineering training include phishing simulation?  ☐ Yes ☑ No
b. Does your organization send and/or receive wire transfers?  ☑ Yes ☐ No
   If "Yes", does your wire transfer authorization process include the following:
   (1) A wire request documentation form?  ☑ Yes ☐ No
   (2) A protocol for obtaining proper written authorization for wire transfers?  ☑ Yes ☐ No
   (3) A separation of authority protocol?  ☑ Yes ☐ No
   (4) A protocol for confirming all payment or funds transfer instructions/requests from a new vendor, client or customer via direct call to that vendor, client or customer using only the telephone number provided by the vendor, client or customer before the payment or funds transfer instruction/request was received?  ☑ Yes ☐ No
   (5) A protocol for confirming any vendor, client or customer account information change requests (including requests to change bank account numbers, contact information or mailing addresses) via direct call to that vendor, client or customer using only the telephone number provided by the vendor, client or customer before the change request was received?  ☑ Yes ☐ No
10. LOSS HISTORY
If the answer to any question in 10.a through 10.c below is "Yes", please complete a Claim Supplemental Form for each claim, allegation or incident.
a. In the past 3 years, has the Applicant or any other person or organization proposed for this insurance:
   (1) Received any complaints or written demands or been a subject in litigation involving matters of privacy injury, breach of private information, network security, defamation, content infringement, identity theft, denial of service attacks, computer virus infections, theft of information, damage to third party networks or the ability of third parties to rely on the Applicant's network?  ☐ Yes ☑ No
   (2) Been the subject of any government action, investigation or other proceedings regarding any alleged violation of privacy law or regulation?  ☐ Yes ☑ No
   (3) Notified customers, clients or any third party of any security breach or privacy breach?  ☐ Yes ☑ No
   (4) Received any cyber extortion demand or threat?  ☐ Yes ☑ No
   (5) Sustained any unscheduled network outage or interruption for any reason?  ☐ Yes ☑ No
   (6) Sustained any property damage or business interruption losses as a result of a cyber-attack?  ☐ Yes ☑ No
   (7) Sustained any losses due to wire transfer fraud, telecommunications fraud or phishing fraud?  ☐ Yes ☑ No
b. Do you or any other person or organization proposed for this insurance have knowledge of any security breach, privacy breach, privacy-related event or incident or allegations of breach of privacy that may give rise to a claim?  ☐ Yes ☑ No
c. In the past 3 years, has the Applicant or any network service provider with access to the Applicant's network or computer system(s) sustained an unscheduled outage or interruption lasting longer than 4 hours?  ☐ Yes ☐ No
   If "Yes", did the Applicant experience an interruption in business as a result of such outage or interruption?  ☐ Yes ☐ No
NOTICE TO APPLICANT
The Applicant hereby acknowledges that he/she/it is aware that the limit of liability shall be reduced, and may be completely exhausted, by claim expenses and, in such event, the Insurer shall not be liable for claim expenses nor for any judgment or settlement which exceed the limit of liability.
NOTICE TO NEW YORK APPLICANTS: ANY PERSON WHO KNOWINGLY AND WITH INTENT TO DEFRAUD ANY INSURANCE COMPANY OR OTHER PERSON FILES AN APPLICATION FOR INSURANCE CONTAINING ANY FALSE INFORMATION, OR CONCEALS FOR THE PURPOSE OF MISLEADING, INFORMATION CONCERNING ANY FACT MATERIAL THERETO, COMMITS A FRAUDULENT INSURANCE ACT, WHICH IS A CRIME.
CERTIFICATION AND SIGNATURE
This application must be signed by an officer of the company.
It is agreed that this application shall be deemed attached to and form a part of the Policy, should coverage be bound.
I HEREBY DECLARE that, after inquiry, the statements and particulars in this application are true and I have not suppressed or misstated any material fact, and I agree that this application shall be the basis of the contract with the Underwriters.
Print or Type Applicant's Name: Mike Freeman
Title of Applicant: Chair, Board of County Commissioners
Signature of Applicant: [signed]
Date Signed by Applicant: 1-30-2023
TOKIO MARINE
HCC
Cyber & Professional Lines Group
Cyber Glossary
The following Cyber Glossary is provided to assist you in completing your application
correctly and completely.
DomainKeys Identified Mail (DKIM) is an email authentication method that allows senders to associate a domain name with an email message, thus vouching for its authenticity. A sender creates the DKIM by "signing" the email with a digital signature. This "signature" is located in the message's header.
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol that uses Sender Policy Framework (SPF) and DKIM to determine the authenticity of an email message.
Endpoint application isolation and containment technology is a form of zero-trust endpoint security. Instead of detecting or reacting to threats, it enforces controls that block and restrain harmful actions to prevent compromise. Application containment is used to block harmful file and memory actions to other apps and the endpoint. Application isolation is used to prevent other endpoint processes from altering or stealing from an isolated app or resources.
Common Providers: Authentic8 Silo; BitDefender™ Browser Isolation; CylancePROTECT; Menlo Security Isolation Platform; Symantec Web Security Service
Endpoint Detection and Response (EDR), also known as endpoint threat detection and response, centrally collects and analyzes comprehensive endpoint data across your entire organization to provide a full picture of potential threats.
Common Providers: Carbon Black Cloud; CrowdStrike Falcon Insight; SentinelOne; Windows Defender Endpoint
Multi-Factor Authentication (MFA) is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge (e.g., password), possession (e.g., phone or key), and inherence (e.g., FaceID or hand print). MFA for remote email access can be enabled through most email providers.
Common MFA providers for remote network access: Okta; Duo; LastPass; OneLogin; and Auth0.
Next-Generation Anti-Virus (NGAV) is software that uses predictive analytics driven by machine learning and artificial intelligence and combines with threat intelligence to detect and prevent malware and fileless non-malware attacks, identify malicious behavior, and respond to new and emerging threats that previously went undetected. For purposes of completing this application, NGAV refers to anti-virus protection that focuses on detecting and preventing malware on each individual endpoint. If your organization has a NGAV solution AND you are centrally monitoring and analyzing all endpoint activity, please indicate that you have NGAV & EDR on the application.
Common Providers: BitDefender™; Carbon Black; CrowdStrike Falcon Prevent; SentinelOne; Sophos; Symantec
Offline/Air-gapped backup solution refers to a backup and recovery solution in which one copy of your organization's data is offline (i.e., disconnected) and cannot be accessed. If a file or system of files has no connection to the Internet or a LAN, it can't be remotely hacked or corrupted.
PowerShell is a cross-platform task automation and configuration management framework from Microsoft, consisting of a command-line shell and scripting language. It is used by IT departments to run tasks on multiple computers in an efficient manner. For example, PowerShell can be used to install a new application across your organization.
Privileged Account Management Software (PAM) is software that allows you to secure your privileged credentials in a centralized, secure vault (i.e. a password safe). To qualify as PAM, a product must allow administrators to create privileged access accounts; offer a secure vault to store privileged credentials; and monitor and log user actions while using privileged accounts.
Common Providers: CyberArk and BeyondTrust.
Protective DNS Service (PDNS) refers to a service that provides Domain Name Service (DNS) protection (also known as DNS filtering) by blacklisting dangerous sites and filtering out unwanted content. It can also help to detect & prevent malware that uses DNS tunneling to communicate with a command and control server.
Common Providers: Zscaler; Quad9; OpenDNS; and public sector PDNS.
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. The Microsoft RDP provides remote display and input capabilities over network connections for Windows-based applications running on a server.
Security Information and Event Management system (SIEM)
is a subsection within the field of computer security, wherein
software products and services combine security information
management and security event management. SIEM provides
real-time analysis of security alerts generated by applications and
network hardware.
Security Operations Center (SOC) is a centralized unit that deals
with security issues on an organizational and technical level.
Sender Policy Framework (SPF) is an email authentication
technique used to prevent spammers from sending messages on
behalf of your domain. With SPF your organization can publish
authorized mail servers.
Vulnerability management tool is a cloud service that gives you
instantaneous, global visibility into where your IT systems might
be vulnerable to the latest Internet threats and how to protect
against them. The tool is an ongoing process that includes
proactive asset discovery, continuous monitoring, mitigation,
remediation and defense tactics to protect your organization's
modern IT attack surface from cyber threats.
Common Providers: Qualys; InsightVM by Rapid7; and Nessus by Tenable.
TOKIO MARINE
HCC
Cyber & Professional Lines Group
16501 Ventura Blvd. Suite 200. Encino, CA 91436
main (818) 382-2030
NetGuard® Plus Cyber Liability Insurance Application
THIS IS AN APPLICATION FOR A CLAIMS MADE AND REPORTED POLICY. THIS APPLICATION IS NOT A BINDER.
1. GENERAL INFORMATION
Name of Applicant: Weld County
Street Address: 1150 O Street
City, State, Zip: Greeley, CO 80631
Phone: 970-400-4234
Website: https://www.weld.gov
Fax: 970-400-4024
2. FORM OF BUSINESS
a. Applicant is a(an): ☐ Individual ☐ Corporation ☐ Partnership ☑ Other: Local Government
b. Date established: 11/3/1861
c. Description of operations: Local County Government
d. Total number of employees: 1787
e. Please attach a list of all subsidiaries, affiliated companies or entities owned by the Applicant. Please describe (1) the nature of operations of each such subsidiary, affiliated company or entity, (2) its relationship to the Applicant and (3) the percentage of ownership by the Applicant.
3. REVENUES
                        Current Fiscal Year     Last Fiscal Year     Two Fiscal Years ago
                        ending 12/23            ending 12/22         ending 12/21
                        (current projected)
Total gross revenues:   $ 1,033,791,603         $ 811,775,768        $ 672,881,857
4. RECORDS
a. Do you collect, store, host, process, control, use or share any private or sensitive information* in either paper or electronic form?  ☑ Yes ☐ No
   If "Yes", please provide the approximate number of unique records:
   Paper records:            Electronic records:
*Private or sensitive information includes any information or data that can be used to uniquely identify a person, including, but not limited to, social security numbers or other government identification numbers, payment card information, drivers' license numbers, financial account numbers, personal identification numbers (PINs), usernames, passwords, healthcare records and email addresses.
b. Do you collect, store, host, process, control, use or share any biometric information or data, such as fingerprints, voiceprints, facial, hand, iris or retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person?  ☐ Yes ☑ No
   If "Yes", have you reviewed your policies relating to the collection, storage and destruction of such information or data with a qualified attorney and confirmed compliance with applicable federal, state, local and foreign laws?  ☐ Yes ☐ No
c. Do you process, store or handle credit card transactions?  ☑ Yes ☐ No
   If "Yes", are you PCI-DSS Compliant?  ☑ Yes ☐ No
5. IT DEPARTMENT
This section must be completed by the individual responsible for the Applicant's network security. As used in this section only, "you" refers to the individual responsible for the Applicant's network security.
a. Who is responsible for the Applicant's network security?
   Name: Kyle Drumm
   Title: Chief Information Security Officer
   Phone: 970-400-2519   Email address: kdrumm@weld.gov
   IT Security Designation(s): CISSP
b. The Applicant's network security is: ☐ Outsourced ☑ Managed internally/in-house
c. How many IT personnel are on your team? 65
d. How many dedicated IT security personnel are on your team? 3
By signing below, you confirm that you have reviewed all questions in Sections 6 through 8 of this application regarding the Applicant's security controls, and, to the best of your knowledge, all answers are complete and accurate. Additionally, you consent to receiving direct communications from the Insurer and/or its representatives regarding potentially urgent security issues identified in relation to the Applicant's organization.
Print/Type Name: Kyle Drumm
Signature:
6. EMAIL SECURITY CONTROLS
If the answer to any question in this section is "No", please provide additional details in the "Additional Comments" section.
a. Do you tag external emails to alert employees that the message originated from outside the organization?  ☑ Yes ☐ No
b. Do you pre-screen emails for potentially malicious attachments and links?  ☑ Yes ☐ No
   If "Yes", do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end-user?  ☑ Yes ☐ No
c. Have you implemented any of the following to protect against phishing messages? (Please check all that apply):
   ☑ Sender Policy Framework (SPF)
   ☑ DomainKeys Identified Mail (DKIM)
   ☐ Domain-based Message Authentication, Reporting & Conformance (DMARC)
   ☐ None of the above
d. Can your users access email through a web application or a non-corporate device?  ☑ Yes ☐ No
   If "Yes", do you enforce Multi-Factor Authentication (MFA)?  ☑ Yes ☐ No
e. Do you use Office 365 in your organization?  ☑ Yes ☐ No
   If "Yes", do you use the Office 365 Advanced Threat Protection add-on?  ☐ Yes ☑ No
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
3rd-party products are used to supplement Office 365 in place of the Advanced Threat Protection
add-on which provide the same features and functionality.
7. INTERNAL SECURITY CONTROLS
If the answer to any question in this section is "No", please provide additional details in the "Additional Comments" section.
a. Do you use a cloud provider to store data or host applications?  ☑ Yes ☐ No
   If "Yes", please provide the name of the cloud provider: Microsoft Azure/Office 365
   If you use more than one cloud provider to store data, please specify the cloud provider storing the largest quantity of sensitive customer and/or employee records (e.g., including medical records, personal health information, social security numbers, bank account details and credit card numbers) for you.
b. Do you use MFA to secure all cloud provider services that you utilize (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud)?  ☑ Yes ☐ No
c. Do you encrypt all sensitive and confidential information stored on your organization's systems and networks?  ☐ Yes ☑ No
   If "No", are the following compensating controls in place:
   (1) Segregation of servers that store sensitive and confidential information?  ☑ Yes ☐ No
   (2) Access control with role-based assignments?  ☑ Yes ☐ No
d. Do you allow remote access to your network?  ☑ Yes ☐ No
   If "Yes":
   (1) Do you use MFA to secure all remote access to your network, including any remote desktop protocol (RDP) connections?  ☑ Yes ☐ No
       If MFA is used, please select your MFA provider: Other
       If "Other", please provide the name of your MFA provider: Microsoft Authenticator, RSA
e. Do you use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise?  ☑ Yes ☐ No
   If "Yes", please select your NGAV provider: CrowdStrike Falcon Prevent
   If "Other", please provide the name of your NGAV provider:
f. Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise?  ☑ Yes ☐ No
   If "Yes", please select your EDR provider: CrowdStrike Falcon Insight
   If "Other", please provide the name of your EDR provider:
g. Do you use MFA to protect access to privileged user accounts?  ☑ Yes ☐ No
h. Do you manage privileged accounts using privileged account management software (e.g., CyberArk, BeyondTrust, etc.)?  ☐ Yes ☑ No
   If "Yes", please provide the name of your provider:
i. Do you actively monitor all administrator access for unusual behavior patterns?  ☐ Yes ☑ No
   If "Yes", please provide the name of your monitoring tool:
j. Do you roll out a hardened baseline configuration across servers, laptops, desktops and managed mobile devices?  ☑ Yes ☐ No
k. Do you record and track all software and hardware assets deployed across your organization?  ☑ Yes ☐ No
   If "Yes", please provide the name of the tool used for this purpose (if any): Track-It
l. Do non-IT users have local administration rights on their laptop / desktop?  ☑ Yes ☐ No
m. How frequently do you install critical and high severity patches across your enterprise?
   ☐ 1-3 days ☐ 4-7 days ☑ 8-30 days ☐ One month or longer
n. Do you have any end of life or end of support software?  ☑ Yes ☐ No
   If "Yes", is it segregated from the rest of your network?  ☑ Yes ☐ No
o. Do you use a protective DNS service (e.g. ZScaler, Quad9, OpenDNS or the public sector PDNS) to block access to known malicious websites?  ☑ Yes ☐ No
   If "Yes", please provide the name of your DNS provider: Infoblox
p. Do you use endpoint application isolation and containment technology on all endpoints?  ☐ Yes ☑ No
   If "Yes", please select your provider:
   If "Other", please provide the name of your provider:
q. Can users run Microsoft Office Macro enabled documents on their system by default?  ☐ Yes ☑ No
r. Do you implement PowerShell best practices as outlined in the Environment Recommendations by Microsoft?  ☑ Yes ☐ No
s. Do you utilize a Security Information and Event Management (SIEM) system?
0 Yes ❑ No
t. Do you utilize a Security Operations Center (soc)?
If "Yes", is it monitored 24 hours a day, 7 days a week?
❑ Yes ® No
❑ Yes ❑ No
u. Do you use a vulnerability management tool?
If "Yes", please select your provider: Nessus/Tenable 3
If "Other", please provide the name of your provider:
( Yes ❑ No
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
IT employs encryption where feasible for data in transit and at rest within the county network.
Privileged Account Management software is not currently used. Privileged access is granted on an as-needed basis and requires the approval of a user's manager, IT Security, and the director of IT Technical Operations.
Unusual behavior patterns are not actively monitored currently, but this is in the process of being implemented.
Endpoint application isolation is not currently in place; the county relies on DNS, web filtering, and endpoint behavioral detection software to protect workstations.
In place of a SOC, IT relies on alerts generated from various tools as well as a formal on-call rotation for after-hours events.
8. BACKUP AND RECOVERY POLICIES
If the answer to the question in this section is "No", please provide additional details in the "Additional Comments" section.
Do you use a data backup solution? ☒ Yes ☐ No
If "Yes":
a. How frequently does it run? ☒ Daily ☐ Weekly ☐ Monthly
b. Estimated amount of time it will take to restore essential functions in the event of a widespread malware or ransomware attack within your network? ☒ 0-24 hours ☐ 1-3 days ☐ 4-6 days ☐ 1 week or longer
c. Please check all that apply:
☒ Backups are encrypted.
☒ Backups are kept separate from your network (offline/air-gapped), or in a cloud service designed for this purpose.
☒ Backups are secured with different access credentials from other administrator credentials.
☒ You utilize MFA to restrict access to your backups.
☐ You use a cloud-syncing service (e.g. Dropbox, OneDrive, SharePoint, Google Drive) for backups.
☐ Your cloud-syncing service is protected by MFA.
☒ You have tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months.
☒ You are able to test the integrity of backups prior to restoration to ensure that they are free of malware.
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
9. PHISHING CONTROLS
a. Do any of the following employees at your company complete social engineering training:
(1) Employees with financial or accounting responsibilities? ☒ Yes ☐ No
(2) Employees without financial or accounting responsibilities? ☒ Yes ☐ No
If "Yes" to question 9.a.(1) or 9.a.(2) above, does your social engineering training include phishing simulation? ☐ Yes ☒ No
b. Does your organization send and/or receive wire transfers? ☒ Yes ☐ No
If "Yes", does your wire transfer authorization process include the following:
(1) A wire request documentation form? ☒ Yes ☐ No
(2) A protocol for obtaining proper written authorization for wire transfers? ☒ Yes ☐ No
(3) A separation of authority protocol? ☒ Yes ☐ No
(4) A protocol for confirming all payment or funds transfer instructions/requests from a new vendor, client or customer via direct call to that vendor, client or customer using only the telephone number provided by the vendor, client or customer before the payment or funds transfer instruction/request was received? ☒ Yes ☐ No
(5) A protocol for confirming any vendor, client or customer account information change requests (including requests to change bank account numbers, contact information or mailing addresses) via direct call to that vendor, client or customer using only the telephone number provided by the vendor, client or customer before the change request was received? ☒ Yes ☐ No
10. LOSS HISTORY
If the answer to any question in 10.a. through 10.c. below is "Yes", please complete a Claim Supplemental Form for each claim, allegation or incident.
a. In the past 3 years, has the Applicant or any other person or organization proposed for this insurance:
(1) Received any complaints or written demands or been a subject in litigation involving matters of privacy injury, breach of private information, network security, defamation, content infringement, identity theft, denial of service attacks, computer virus infections, theft of information, damage to third party networks or the ability of third parties to rely on the Applicant's network? ☐ Yes ☒ No
(2) Been the subject of any government action, investigation or other proceedings regarding any alleged violation of privacy law or regulation? ☐ Yes ☒ No
(3) Notified customers, clients or any third party of any security breach or privacy breach? ☐ Yes ☒ No
(4) Received any cyber extortion demand or threat? ☐ Yes ☒ No
(5) Sustained any unscheduled network outage or interruption for any reason? ☐ Yes ☒ No
(6) Sustained any property damage or business interruption losses as a result of a cyber-attack? ☐ Yes ☒ No
(7) Sustained any losses due to wire transfer fraud, telecommunications fraud or phishing fraud? ☐ Yes ☒ No
b. Do you or any other person or organization proposed for this insurance have knowledge of any security breach, privacy breach, privacy-related event or incident or allegations of breach of privacy that may give rise to a claim? ☐ Yes ☒ No
c. In the past 3 years, has any service provider with access to the Applicant's network or computer system(s) sustained an unscheduled network outage or interruption lasting longer than 4 hours? ☐ Yes ☒ No
If "Yes", did the Applicant experience an interruption in business as a result of such outage or interruption? ☐ Yes No
NOTICE TO APPLICANT
The insurance for which you are applying will not respond to incidents about which any person proposed for coverage had knowledge prior to the effective date of the policy nor will coverage apply to any claim or circumstance identified or that should have been identified in questions 10.a. through 10.c of this application.
NOTICE TO NEW YORK APPLICANTS: ANY PERSON WHO KNOWINGLY AND WITH INTENT TO DEFRAUD ANY INSURANCE COMPANY OR OTHER PERSON FILES AN APPLICATION FOR INSURANCE CONTAINING ANY FALSE INFORMATION, OR CONCEALS FOR THE PURPOSE OF MISLEADING, INFORMATION CONCERNING ANY FACT MATERIAL THERETO, COMMITS A FRAUDULENT INSURANCE ACT, WHICH IS A CRIME.
The Applicant hereby acknowledges that he/she/it is aware that the limit of liability shall be reduced, and may be completely exhausted, by claim expenses and, in such event, the Insurer shall not be liable for claim expenses or any judgment or settlement that exceed the limit of liability.
I HEREBY DECLARE that, after inquiry, the above statements and particulars are true and I have not suppressed or misstated any material fact, and that I agree that this application shall be the basis of the contract with the Underwriters.
CERTIFICATION AND SIGNATURE
The Applicant has read the foregoing and understands that completion of this application does not bind the Underwriter or the Broker to provide coverage. It is agreed, however, that this application is complete and correct to the best of the Applicant's knowledge and belief, and that all particulars which may have a bearing upon acceptability as a NetGuard® Plus Cyber Liability Insurance risk have been revealed. It is understood that this application shall form the basis of the contract should the Underwriter approve coverage, and should the Applicant be satisfied with the Underwriter's quotation. It is further agreed that, if in the time between submission of this application and the requested date for coverage to be effective, the Applicant becomes aware of any information which would change the answers furnished in response to any question of this application, such information shall be revealed immediately in writing to the Underwriter. This application shall be deemed attached to and form a part of the Policy should coverage be bound.
Must be signed by an officer of the company.
Print or Type Applicant's Name: Perry L. Buck
Title of Applicant: BOCC Pro-Tem
Signature of Applicant: (signed)
Date Signed by Applicant: JUL 05 2023
TOKIO MARINE HCC
Cyber & Professional Lines Group
Cyber Glossary
The following Cyber Glossary is provided to assist in completing the application correctly and completely.
DomainKeys Identified Mail (DKIM) is an email authentication method that allows senders to associate a domain name with an email message, thus vouching for its authenticity. A sender creates DKIM by digitally signing the email. This "signature" is located in the message's header.
Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication protocol that uses Sender Policy Framework (SPF) and DKIM to determine the authenticity of an email message.
Endpoint application isolation/containment technology is a form of zero-trust endpoint security. Instead of detecting or reacting to threats, it enforces controls that block and restrain harmful actions to prevent compromise. Application containment is used to block harmful file and memory actions to other apps and the endpoint. Application isolation is used to prevent other endpoint processes from altering or stealing from an isolated app or resources.
Common Providers: Authentic8 Silo; BitDefender™ Browser Isolation; CylancePROTECT; Menlo Security Isolation Platform; Symantec Web Security Service
Endpoint Detection and Response (EDR), also known as endpoint threat detection and response, centrally collects and analyzes comprehensive endpoint data across your entire organization to provide a full picture of potential threats.
Common Providers: Carbon Black Cloud; Crowdstrike Falcon Insight; SentinelOne; Windows Defender
Multi-Factor Authentication (MFA) is an electronic authentication method in which a computer user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge (e.g., password), possession (e.g., phone or key), and inherence (e.g., FaceID or hand print). MFA for remote email access can be enabled through most email providers.
Common Providers: LastPass
Next-Generation Antivirus (NGAV) is software that uses predictive analytics driven by machine learning and artificial intelligence and combines with threat intelligence to detect and prevent malware, fileless non-malware attacks and malicious behavior, and respond to new and emerging threats that previously went undetected. For purposes of completing this application, NGAV refers to anti-virus protection that focuses on detecting and preventing malware on each individual endpoint. If your organization has a NGAV solution AND you are centrally monitoring and analyzing all endpoint activity, please indicate that you have EDR on the application.
Common Providers: BitDefender™; Carbon Black; Symantec
Offline/Air-gapped backup solution refers to a backup and recovery solution in which one copy of your organization's data is offline (i.e., disconnected) and cannot be accessed. If a file or system of ... connection to the internet ...
PowerShell is a cross-platform task automation and configuration management framework from Microsoft, consisting of a command-line shell and scripting language. It is used by IT departments to run tasks on multiple computers in an efficient manner. For example, PowerShell can be used to install a new application across your organization.
Privileged Account Management Software (PAM) is software that allows you to secure your privileged credentials in a centralized, secure vault (i.e., a password safe). To qualify as PAM, a product must allow administrators to create privileged access accounts; offer a secure vault to store privileged credentials; and monitor and log user actions while using privileged accounts.
Common Providers: CyberArk and BeyondTrust.
Protective DNS Service (PDNS) refers to a service that provides Domain Name System (DNS) protection (also known as DNS filtering) by blacklisting dangerous sites and filtering out unwanted content. It can also help to detect and prevent malware that uses DNS tunneling to communicate with a command and control server.
Common Providers: Zscaler; Quad9; OpenDNS; and public sector PDNS.
Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft which provides a user with a graphical interface to connect to another computer over a network connection. Microsoft RDP provides remote display and input capabilities over network connections for Windows-based applications running on a server.
Security Information and Event Management system (SIEM) is a subsection within the field of computer security, wherein software products and services combine security information management and security event management. SIEM provides real-time analysis of security alerts generated by applications and network hardware.
Security Operations Center (SOC) is a centralized unit that deals with security issues on an organizational and technical level.
Sender Policy Framework (SPF) is an email authentication technique used to prevent spammers from sending messages on behalf of your domain. With SPF, your organization can publish authorized mail servers.
Vulnerability management tool is a cloud service that gives you instantaneous, global visibility into where your IT systems might be vulnerable to the latest Internet threats and how to protect against them. The tool is an ongoing process that includes proactive asset discovery, continuous monitoring, mitigation, remediation and defense tactics to protect your organization's modern IT attack surface from cyber threats.
Common Providers: Qualys; InsightVM by Rapid7; and Nessus by Tenable™
TOKIO MARINE HCC
Cyber & Professional Lines Group
Esther Gesick
From: Michelle Raimer
Sent: Thursday, June 22, 2023 2:28 PM
To: Esther Gesick
Subject: Cyber Insurance Application Signature
Good afternoon, Esther.
Can you help with the Board's signature on page 5 of the attached renewal application? Thanks!
Michelle Raimer
Deputy Director
Human Resources
P O Box 758
Greeley CO 80632
tel: 970-400-4233
cell: 970-302-2423
fax: 970-400-4024
Weld County Human Resources is a strategic business partner dedicated to
enhancing the employee experience, collaborating with individual departments,
and supporting the values and goals of Weld County Government.
Confidentiality Notice: This electronic transmission and any attached documents or other writings are intended only for
the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise
protected from disclosure. If you have received this communication in error, please immediately notify sender by return
e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the
contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited.
RENEWAL/EXTENSION #1 APPLICATION FOR NETGUARD PLUS CYBER LIABILITY SECURITY FOR CLAIMS AND REPORTED POLICY - TOKIO MARINE, HCC / CYBER AND PROFESSIONAL LINES GROUP
APPROVED AS TO SUBSTANCE.
Elected Official, Department Head, or Deputy Department Head
APPROVED AS TO FUNDING.
Chief Financial Officer, or Controller
APPROVED AS TO FORM.
County Attorney
TOKIO MARINE HCC
Cyber & Professional Lines Group
16501 Ventura Blvd. Suite 200, Encino, CA 91436
main (818) 382-2030
NetGuard® Plus Cyber Liability Insurance Application
THIS IS AN APPLICATION FOR A CLAIMS MADE AND REPORTED POLICY. THIS APPLICATION IS NOT A BINDER.
This application for NetGuard® Plus Cyber Liability Insurance is intended to be used for the preliminary evaluation of a submission. When completed in its entirety, this application will enable the Underwriter to decide whether or not to authorize the binding of insurance. Please type or print clearly and answer all questions. If space is insufficient to answer any question fully, attach a separate sheet. Complete all required supplemental forms/applications. "You" and "Your", as used in this application, means the Applicant unless noted otherwise below.
1. GENERAL INFORMATION
Name of Applicant: Weld County
Street Address: 1150 O Street
City, State, Zip: Greeley CO 80631
Phone: 970-400-4234
Website: https://www.weld.gov
Fax: 970-400-4024
2. FORM OF BUSINESS
a. Applicant is a(an): ☐ Individual ☐ Corporation ☐ Partnership ☒ Other: Local Government
b. Date established:
11/3/1861
c. Description of operations:
Local County Government
d. Total number of employees:
1,768
e. Please attach a list of all subsidiaries, affiliated companies or entities owned by the Applicant. Please describe (1) the nature of
operations of each such subsidiary, affiliated company or entity, (2) its relationship to the Applicant and (3) the percentage of
ownership by the Applicant.
3. REVENUES
Current Fiscal Year ending 12/22 (current projected): $ 811,775,768
Last Fiscal Year ending 12/21: $ 672,881,857
Two Fiscal Years ago ending 12/20: $ 510,325,269
a. Do you collect, store, host, process, control, use or share any private or sensitive information* in either paper or electronic form? ☒ Yes ☐ No
If "Yes", please provide the approximate number of unique records: Paper records: Electronic records:
*Private or sensitive information includes any information or data that can be used to uniquely identify a person, including, but not limited to, social security numbers or other government identification numbers, payment card information, drivers' license numbers, financial account numbers, personal identification numbers (PINs), usernames, passwords, healthcare records and email addresses.
b. Do you collect, store, host, process, control, use or share any biometric information or data, such as fingerprints, voiceprints, facial, hand, iris or retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person? ☒ Yes ☐ No
If "Yes", have you reviewed your policies relating to the collection, storage and destruction of such information or data with a qualified attorney and confirmed compliance with applicable federal, state, local and foreign laws? ☐ Yes ☐ No
c. Do you process, store or handle credit card transactions? ☒ Yes ☐ No
If "Yes", are you PCI-DSS Compliant? ☒ Yes ☐ No
This section must be completed by the individual responsible for the Applicant's network security. As used in this section only, "you" refers to the individual responsible for the Applicant's network security.
a. Who is responsible for the Applicant's network security?
Name: Kyle Drumm
Title: Chief Information Security Officer
Phone: 970-400-2519 | Email address: kdrumm@weld.gov
IT Security Designation(s): CISSP, CEH
2023-0248
b. The Applicant's network security is ☐ Outsourced ☒ Managed internally/in-house
c. How many IT personnel are on your team? 63
d. How many dedicated IT security personnel are on your team? 3
By signing below, you confirm that you have reviewed all questions in Sections 6 through 8 of this application regarding the Applicant's security controls, and, to the best of your knowledge, all answers are complete and accurate. Additionally, you consent to receiving direct communications from the Insurer and/or its representatives regarding potentially urgent security issues identified in relation to the Applicant's organization.
Print/Type Name: Kyle Drumm
Signature:
6. EMAIL SECURITY CONTROLS
If the answer to any question in this section is "No", please provide additional details in the "Additional Comments" section.
a. Do you tag external emails to alert employees that the message originated from outside the organization? ☒ Yes ☐ No
b. Do you pre-screen emails for potentially malicious attachments and links? ☒ Yes ☐ No
If "Yes", do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine if they are malicious prior to delivery to the end-user? ☒ Yes ☐ No
c. Have you implemented any of the following to protect against phishing messages? (Please check all that apply)
☒ Sender Policy Framework (SPF)
☒ DomainKeys Identified Mail (DKIM)
☒ Domain-based Message Authentication, Reporting & Conformance (DMARC)
☐ None of the above
d. Can your users access email through a web application or a non-corporate device? ☒ Yes ☐ No
If "Yes", do you enforce Multi-Factor Authentication (MFA)? ☒ Yes ☐ No
e. Do you use Office 365 in your organization? ☒ Yes ☐ No
If "Yes", do you use the Office 365 Advanced Threat Protection add-on? ☐ Yes ☒ No
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
We use Proofpoint instead
7. INTERNAL SECURITY CONTROLS
If the answer to any question in this section is "No", please provide additional details in the "Additional Comments" section.
a. Do you use a cloud provider to store data or host applications? ☒ Yes ☐ No
If "Yes", please provide the name of the cloud provider: Microsoft
If you use more than one cloud provider to store data, please specify the cloud provider storing the largest quantity of sensitive customer and/or employee records (e.g., including medical records, personal health information, social security numbers, bank account details and credit card numbers) for you.
b. Do you use MFA to secure all cloud provider services that you utilize (e.g. Amazon Web Services (AWS), Microsoft Azure, Google Cloud)? ☒ Yes ☐ No
c. Do you encrypt all sensitive and confidential information stored on your organization's systems and networks? ☐ Yes ☒ No
If "No", are the following compensating controls in place:
(1) Segregation of servers that store sensitive and confidential information? ☒ Yes ☐ No
(2) Access control with role-based assignments? ☒ Yes ☐ No
d. Do you allow remote access to your network? ☒ Yes ☐ No
If "Yes":
(1) Do you use MFA to secure all remote access to your network, including any remote desktop protocol (RDP) connections? ☒ Yes ☐ No
If MFA is used, please select your MFA provider: Other
If "Other", please provide the name of your MFA provider: Microsoft and RSA
e. Do you use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise? ☒ Yes ☐ No
If "Yes", please select your NGAV provider: CrowdStrike Falcon Prevent
If "Other", please provide the name of your NGAV provider:
f. Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise? ☒ Yes ☐ No
If "Yes", please select your EDR provider: CrowdStrike Falcon Insight
If "Other", please provide the name of your EDR provider:
g. Do you use MFA to protect access to privileged user accounts? ☒ Yes ☐ No
h. Do you manage privileged accounts using privileged account management software (e.g., CyberArk, BeyondTrust, etc.)? ☒ Yes ☐ No
If "Yes", please provide the name of your provider: Microsoft AD / LAPS
i. Do you actively monitor all administrator access for unusual behavior patterns? ☒ Yes ☐ No
If "Yes", please provide the name of your monitoring tool:
j. Do you roll out a hardened baseline configuration across servers, laptops, desktops and managed mobile devices? ☒ Yes ☐ No
k. Do you record and track all software and hardware assets deployed across your organization? ☒ Yes ☐ No
If "Yes", please provide the name of the tool used for this purpose (if any):
l. Do non-IT users have local administration rights on their laptop / desktop? ☐ Yes ☒ No
m. How frequently do you install critical and high severity patches across your enterprise? ☐ 1-3 days ☐ 4-7 days ☒ 8-30 days ☐ One month or longer
n. Do you have any end of life or end of support software? ☒ Yes ☐ No
If "Yes", is it segregated from the rest of your network? ☒ Yes ☐ No
o. Do you use a protective DNS service (e.g. ZScaler, Quad9, OpenDNS or the public sector PDNS) to block access to known malicious websites? ☒ Yes ☐ No
If "Yes", please provide the name of your DNS provider: InfoBlox BloxOne
p. Do you use endpoint application isolation and containment technology on all endpoints? ☐ Yes ☒ No
If "Yes", please select your provider:
If "Other", please provide the name of your provider:
q. Can users run Microsoft Office Macro enabled documents on their system by default? ☐ Yes ☒ No
r. Do you implement PowerShell best practices as outlined in the Environment Recommendations by Microsoft? ☒ Yes ☐ No
s. Do you utilize a Security Information and Event Management (SIEM) system? ☒ Yes ☐ No
t. Do you utilize a Security Operations Center (SOC)? ☒ Yes ☐ No
If "Yes", is it monitored 24 hours a day, 7 days a week? ☒ Yes ☐ No
u. Do you use a vulnerability management tool? ☒ Yes ☐ No
If "Yes", please select your provider: Nessus/Tenable
If "Other", please provide the name of your provider: Also Qualys
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
8. BACKUP AND RECOVERY POLICIES
If the answer to the question in this section is "No", please provide additional details in the "Additional Comments" section.
Do you use a data backup solution? ☒ Yes ☐ No
If "Yes":
a. How frequently does it run? ☒ Daily ☐ Weekly ☐ Monthly
b. Estimated amount of time it will take to restore essential functions in the event of a widespread malware or ransomware attack within your network? ☒ 0-24 hours ☐ 1-3 days ☐ 4-6 days ☐ 1 week or longer
c. Please check all that apply:
☒ Backups are encrypted.
☒ Backups are kept separate from your network (offline/air-gapped), or in a cloud service designed for this purpose.
☒ Backups are secured with different access credentials from other administrator credentials.
☒ You utilize MFA to restrict access to your backups.
☐ You use a cloud-syncing service (e.g. Dropbox, OneDrive, SharePoint, Google Drive) for backups.
☐ Your cloud-syncing service is protected by MFA.
☒ You have tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months.
☒ You are able to test the integrity of backups prior to restoration to ensure that they are free of malware.
ADDITIONAL COMMENTS (Use this space to explain any "No" answers in the above section and/or to list other relevant IT security measures you are utilizing that are not listed here.)
9. PHISHING CONTROLS
a. Do any of the following employees at your company complete social engineering training:
(1) Employees with financial or accounting responsibilities? ☒ Yes ☐ No
(2) Employees without financial or accounting responsibilities? ☒ Yes ☐ No
If "Yes" to question 9.a.(1) or 9.a.(2) above, does your social engineering training include phishing simulation? Yes ☐ No
b. Does your organization send and/or receive wire transfers? ☒ Yes ☐ No
If "Yes", does your wire transfer authorization process include the following:
(1) A wire request documentation form? ☐ Yes ☐ No
(2) A protocol for obtaining proper written authorization for wire transfers? ☒ Yes ☐ No
(3) A separation of authority protocol? ☒ Yes ☐ No
(4) A protocol for confirming all payment or funds transfer instructions/requests from a new vendor, client or customer via direct call to that vendor, client or customer using only the telephone number provided by the vendor, client or customer before the payment or funds transfer instruction/request was received? ☐ Yes ☐ No
(5) A protocol for confirming any vendor, client or customer account information change requests (including requests to change bank account numbers, contact information or mailing addresses) via direct call to that vendor, client or customer using only the telephone number provided by the vendor, client or customer before the change request was received? ☐ Yes ☐ No
10 Loss HISTORY ' ,
If the answer to any question in 10 a through 10 c below is "Yes", please complete a Claim Supplemental Form for each
claim, allegation or incident
a In the past 3 years, has the Applicant or any other person or organization proposed for this insurance
(1) Received any complaints or written demands or been a subject in litigation involving matters of privacy
injury, breach of private information, network security, defamation, content infringement, identity theft,
denial of service attacks, computer virus infections, theft of information, damage to third party networks
or the ability of third parties to rely on the Applicant's network?
(2) Been the subject of any government action, investigation or other proceedings regarding any alleged
violation of privacy law or regulation?
(3) Notified customers, clients or any third party of any security breach or privacy breach'?
(4) Received any cyber extortion demand or threat?
(5) Sustained any unscheduled network outage or interruption for any reason?
(6) Sustained any property damage or business interruption losses as a result of a cyber-attack?
(7) Sustained any losses due to wire transfer fraud, telecommunications fraud or phishing fraud?
❑ Yes ☒ No
❑ Yes ☒ No
❑ Yes ☒ No
❑ Yes ☒ No
❑ Yes ☒ No
❑ Yes ☒ No
❑ Yes ☒ No
b. Do you or any other person or organization proposed for this insurance have knowledge of any security
breach, privacy breach, privacy-related event or incident or allegations of breach of privacy that may give rise
to a claim?
❑ Yes ☒ No
NGP-NBA (1 2021)
Page 4 of 5
c. In the past 3 years, has any service provider with access to the Applicant's network or computer system(s)
sustained an unscheduled network outage or interruption lasting longer than 4 hours?
If "Yes", did the Applicant experience an interruption in business as a result of such outage or
interruption?
❑ Yes ☒ No
['Yes ❑ No
The insurance for which you are applying will not respond to incidents about which any person proposed for coverage had
knowledge prior to the effective date of the policy nor will coverage apply to any claim or circumstance identified or that should
have been identified in questions 10.a. through 10.c of this application.
NOTICE TO NEW YORK APPLICANTS: ANY PERSON WHO KNOWINGLY AND WITH INTENT TO DEFRAUD ANY INSURANCE
COMPANY OR OTHER PERSON FILES AN APPLICATION FOR INSURANCE CONTAINING ANY FALSE INFORMATION, OR
CONCEALS FOR THE PURPOSE OF MISLEADING, INFORMATION CONCERNING ANY FACT MATERIAL THERETO, COMMITS A
FRAUDULENT INSURANCE ACT, WHICH IS A CRIME.
The Applicant hereby acknowledges that he/she/it is aware that the limit of liability shall be reduced, and may be completely
exhausted, by claim expenses and, in such event, the Insurer shall not be liable for claim expenses or any judgment or settlement
that exceed the limit of liability.
I HEREBY DECLARE that, after inquiry, the above statements and particulars are true and I have not suppressed or misstated
any material fact, and that I agree that this application shall be the basis of the contract with the Underwriters.
The Applicant has read the foregoing and understands that completion of this application does not bind the Underwriter or the Broker to
provide coverage. It is agreed, however, that this application is complete and correct to the best of the Applicant's knowledge and belief,
and that all particulars which may have a bearing upon acceptability as a NetGuard® Plus Cyber Liability Insurance risk have been
revealed.
It is understood that this application shall form the basis of the contract should the Underwriter approve coverage, and should the Applicant
be satisfied with the Underwriter's quotation. It is further agreed that, if in the time between submission of this application and the requested
date for coverage to be effective, the Applicant becomes aware of any information which would change the answers furnished in response
to any question of this application, such information shall be revealed immediately in writing to the Underwriter.
This application shall be deemed attached to and form a part of the Policy should coverage be bound.
Must be signed by an officer of the company.
Print or Type Applicant's Name
Mike Freeman
Title of Applicant Chair, Board of Weld
County Commissioners
Signature of Applicant
Date Signed by Applicant
JAN 2 3 2023
ATTEST:
Weld County Clerk to the Board
BY:
TOKIO MARINE HCC
Cyber & Professional Lines Group
Cyber Glossary
The following Cyber Glossary is provided to assist you in completing your application
correctly and completely.
DomainKeys Identified Mail (DKIM) is an email authentication
method that allows senders to associate a domain name with an
email message, thus vouching for its authenticity. A sender
creates the DKIM by "signing" the email with a digital signature.
This "signature" is located in the message's header.
Domain-based Message Authentication, Reporting &
Conformance (DMARC) is an email authentication protocol that
uses Sender Policy Framework (SPF) and DKIM to determine the
authenticity of an email message.
Endpoint application isolation and containment technology
is a form of zero-trust endpoint security. Instead of detecting or
reacting to threats, it enforces controls that block and restrain
harmful actions to prevent compromise. Application
containment is used to block harmful file and memory actions to
other apps and the endpoint. Application isolation is used to
prevent other endpoint processes from altering or stealing from
an isolated app or resources.
Common Providers: Authentic8 Silo; BitDefender™
Browser Isolation; CylancePROTECT; Menlo Security
Isolation Platform; Symantec Web Security Service
Endpoint Detection and Response (EDR), also known as
endpoint threat detection and response, centrally collects and
analyzes comprehensive endpoint data across your entire
organization to provide a full picture of potential threats.
Common Providers: Carbon Black Cloud; Crowdstrike
Falcon Insight; SentinelOne; Windows Defender Endpoint
Multi-Factor Authentication (MFA) is an electronic
authentication method in which a computer user is granted
access to a website or application only after successfully
presenting two or more pieces of evidence to an authentication
mechanism: knowledge (e.g., password), possession (e.g., phone
or key), and inherence (e.g., FaceID or hand print). MFA for remote
email access can be enabled through most email providers.
Common MFA providers for remote network access:
Okta; Duo; LastPass; OneLogin; and Auth0.
Next-Generation Anti-Virus (NGAV) is software that uses
predictive analytics driven by machine learning and artificial
intelligence and combines with threat intelligence to detect and
prevent malware and fileless non-malware attacks, identify
malicious behavior, and respond to new and emerging threats
that previously went undetected. For purposes of completing
this application, NGAV refers to anti-virus protection that focuses
on detecting and preventing malware on each individual
endpoint. If your organization has a NGAV solution AND you are
centrally monitoring and analyzing all endpoint activity, please
indicate that you have NGAV & EDR on the application.
Common Providers: BitDefender™; Carbon Black;
CrowdStrike Falcon Prevent; SentinelOne; Sophos;
Symantec
Offline/Air-gapped backup solution refers to a backup and
recovery solution in which one copy of your organization's data is
offline (i.e., disconnected) and cannot be accessed. If a file or
system of files has no connection to the internet or a LAN, it can't
be remotely hacked or corrupted.
PowerShell is a cross-platform task automation and configuration
management framework from Microsoft, consisting of a
command-line shell and scripting language. It is used by IT
departments to run tasks on multiple computers in an efficient
manner. For example, PowerShell can be used to install a new
application across your organization.
Privileged Account Management Software (PAM) is software
that allows you to secure your privileged credentials in a
centralized, secure vault (i.e., a password safe). To qualify as PAM,
a product must allow administrators to create privileged access
accounts; offer a secure vault to store privileged credentials; and
monitor and log user actions while using privileged accounts.
Common Providers: CyberArk and BeyondTrust.
Protective DNS Service (PDNS) refers to a service that provides
Domain Name Service (DNS) protection (also known as DNS
filtering) by blacklisting dangerous sites and filtering out
unwanted content. It can also help to detect & prevent malware
that uses DNS tunneling to communicate with a command and
control server.
Common Providers: Zscaler; Quad9; OpenDNS; and
public sector PDNS.
Remote Desktop Protocol (RDP) is a proprietary
protocol developed by Microsoft which provides a user with a
graphical interface to connect to another computer over a
network connection. The Microsoft RDP provides remote display
and input capabilities over network connections for
Windows-based applications running on a server.
Security Information and Event Management system (SIEM)
is a subsection within the field of computer security, wherein
software products and services combine security information
management and security event management. SIEM provides
real-time analysis of security alerts generated by applications and
network hardware.
Security Operations Center (SOC) is a centralized unit that deals
with security issues on an organizational and technical level.
Sender Policy Framework (SPF) is an email authentication
technique used to prevent spammers from sending messages on
behalf of your domain. With SPF your organization can publish
authorized mail servers.
Vulnerability management tool is a cloud service that gives you
instantaneous, global visibility into where your IT systems might
be vulnerable to the latest internet threats and how to protect
against them. The tool is an ongoing process that includes
proactive asset discovery, continuous monitoring, mitigation,
remediation and defense tactics to protect your organization's
modern IT attack surface from cyber threats.
Common Providers: Qualys; InsightVM by Rapid7; and
Nessus by Tenable™
TOKIO MARINE HCC
Cyber & Professional Lines Group
To: Esther Gesick <egesick@weldgov.com>
Subject: FW: Updated Signature and Date Cyber Application
Importance: High
Good morning Esther,
Following my voicemail, note the following request below asking for an updated signature on page 5 of the attached
cyber insurance coverage application.
Let me know if you need more information and thanks for your help!
Michelle Raimer
Deputy Director
Human Resources
P O Box 758
Greeley CO 80632
tel: 970-400-4233
cell: 970-302-2423
fax: 970-400-4024
Weld County Human Resources is a strategic business partner dedicated to
enhancing the employee experience, collaborating with individual departments,
and supporting the values and goals of Weld County Government.
Confidentiality Notice: This electronic transmission and any attached documents or other writings are intended only for
the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise
protected from disclosure. If you have received this communication in error, please immediately notify sender by return
e-mail and destroy the communication. Any disclosure, copying, distribution or the taking of any action concerning the
contents of this communication or any attachments by anyone other than the named recipient is strictly prohibited.
From: Brenda Hostetler <brenda@ctsi.org>
Sent: Thursday, December 22, 2022 12:31 PM
To: Michelle Raimer <mraimer@weldgov.com>
Subject: Updated Signature and Date Cyber Application
Importance: High
Caution: This email originated from outside of Weld County Government. Do not click links or open attachments unless you recognize the
sender and know the content is safe.
Good afternoon -
Attached is the Cyber Application your county has submitted to us. The excess carrier is asking for an updated
signature and date and amend any changes if any.
This is required in order to bind coverage for 2023.
Appreciate your promptness in this matter.
Have a wonderful Holiday Season!
Thank you,
Brenda Hostetler
Senior Risk Management Analyst
(303) 861-0507 | (303) 861-2832
bhostetler@ctsi.org | ctsi.org
800 N Grant St, Suite 400, Denver, CO 80203
APPLICATION FOR NETGUARD PLUS CYBER LIABILITY SECURITY FOR CLAIMS AND
REPORTED POLICY - TOKIO MARINE, HCC / CYBER AND PROFESSIONAL LINES
GROUP
APPROVED AS TO SUBSTANCE:
Department Head, or Deputy Department Head
APPROVED AS TO FUNDING:
Chief Financial Officer, or Controller
APPROVED A
County Attorney