FORMS · HARTFORD CYBER INSURANCE · 2026 APPLICATION
Hartford Cyber 2026 Application.
Forty-seven questions, blank. Auto-fill from your assessment, review, edit anything that's wrong, fill in the few we can't know, and download.
Who can sign in to your systems, and how.
Do you require multi-factor authentication for all administrative accounts?
Do you require multi-factor authentication for all employee accounts?
Do you enforce strong password policies (minimum 12 characters, complexity requirements)?
Do you maintain a list of authorized personnel with access to sensitive data?
Are former employee accounts disabled within 24 hours of departure?
Do you use single sign-on (SSO) for company applications?
Do you conduct quarterly access reviews?
How many privileged or administrative accounts exist in your environment?
Do you maintain a centralized identity directory (e.g., Microsoft 365, Okta)?
Are passwords stored in a managed password vault?
The laptops, desktops, and devices your team uses.
How many endpoint devices (laptops, desktops, mobile) are in your environment?
Do you have endpoint detection and response (EDR) software installed on all endpoints?
Are all endpoints managed by a mobile device management (MDM) tool?
Are critical security patches applied within 30 days of release?
Is encryption enforced on all endpoint hard drives?
How many of your endpoints run Windows?
How many of your endpoints run macOS?
Do you use a secure web gateway or DNS filtering?
Is anti-malware software installed on all endpoints?
Do you have a documented endpoint hardening standard?
How your customer data is handled, encrypted, and backed up.
Do you classify customer data (e.g., PII, financial, health)?
Is customer data encrypted at rest?
Is customer data encrypted in transit (TLS)?
Do you store payment card data?
Do you have a documented data retention policy?
Approximately how many customer records do you store?
Do you back up customer data regularly?
Are backups stored offsite or in the cloud?
Are backups tested for successful restoration at least quarterly?
What you do when something goes wrong.
Do you have a written incident response plan?
Have you conducted an incident response tabletop exercise in the past 12 months?
Do you currently have a cyber insurance policy in force?
Have you experienced a cyber incident, breach, or data loss event in the past 24 months?
Do you have a designated incident response team or external retainer?
What is your committed time-to-detect for security incidents (in hours)?
What is your committed time-to-notify customers and regulators after a confirmed breach (in hours)?
Do you maintain logs of system access for at least 90 days?
Have you ever paid a ransomware demand?
Your company profile and regulatory posture.
What is your industry sector?
How many employees do you have?
What is your approximate annual revenue?
Are you registered with the SEC?
Are you registered with FINRA?
Are you registered with NYDFS?
Do you operate in states with active cyber notification or data-protection requirements?
How many third-party vendors have access to customer data?
What policy limit are you requesting on this application?