Cyber Liability Questionnaire - RapidFire Tools

Transcription

Cyber Risk Assessment
Cyber Liability Questionnaire

CONFIDENTIALITY NOTE: The information contained in this report is for the exclusive use of the client specified above and may contain confidential, privileged, and non-disclosable information. If you are not the client or addressee, you are strictly prohibited from reading, photocopying, distributing, or otherwise using this report or its contents in any way.

Prepared for: Your Customer / Prospect
Prepared by: Your Company Name

Cyber Liability Questionnaire
CYBER RISK ASSESSMENT

Table of Contents

1 - Type Of Sensitive Data
1.1 - Information Security Infrastructure And Organization
1.2 - Sensitive Data Checklist
1.3 - Total Number of Protected Records
1.4 - Maximum Number of Unique Individuals
1.5 - Regulatory Or Compliance Frameworks Checklist
1.6 - Industry Security Frameworks
1.7 - Outside Security or Privacy Groups
1.8 - Sensitive Data Processed
1.9 - Sensitive Information in Custody
1.10 - Total Global IT Budget Allocated to Security?

2 - Third Parties
2.1 - Percentage of Work Subcontracted to Others
2.2 - Evidence of Errors and Omissions Insurance from Subcontractors
2.3 - Written Contracts with Clients
2.4 - Contracts Review Prior to Use
2.5 - Hold Harmless Clauses
2.6 - Consent to Hold Harmless/Indemnify Others
2.7 - Company Information Responsible Individual
2.8 - Payment Processing
2.9 - Protected Personal Information or Protected Healthcare Information
2.10 - Third Party Corporate Confidential Information
2.11 - Information Sharing
2.12 - Information Security Staff
2.13 - Network, Computer System, Information Security Outsourcing
2.14 - Cloud Service Providers
2.15 - Do you require third party technology providers to meet required regulatory requirements (e.g., PCI-DSS, HIPAA, SOX, etc.)?
2.16 - Third Party Security Provisions
2.17 - Third Party Security Standards
2.18 - Third Party Security Assessments or Audits
2.19 - Contract Review and Approval Process

PROPRIETARY & CONFIDENTIAL
Page 2 of 49

2.20 - Sensitive or Confidential Information Written Agreements
2.21 - Hold Harmless and Indemnification Agreements
2.22 - Data Protection Reviews
2.23 - Vendor Liability Insurance
2.24 - Evidence of Network Security and Privacy Liability Coverage
2.25 - Computer Service Provider Security Policies and Procedures
2.26 - Healthcare Information Exchanges
2.27 - Vendor Data Security
2.28 - Third Party Audit or Monitoring

3 - Handling of Data
3.1 - Sensitive Data Management Process
3.2 - Former Employee Associated Computer Access Termination
3.3 - User Account Processes
3.4 - User Account Management Process
3.5 - Firewall
3.6 - Anti-virus
3.7 - Anti-virus Installation
3.8 - External Computer System Intrusion Prevention
3.9 - Password Management Process
3.10 - Password Complexity
3.11 - Password Expiration
3.12 - User and Password Procedure Documentation
3.13 - Multi-Factor Login
3.14 - Critical System Security Testing
3.15 - System Security Considerations
3.16 - Production Security Review
3.17 - Separation of Development Systems
3.18 - Technical Security Configuration Documentation
3.19 - Security Products
3.20 - Virus Controls and Filtering
3.21 - Anti-virus and Firewall Updates
3.22 - Anti-malware
3.23 - Retired Software or Hardware
3.24 - Critical Patches
3.25 - Physical Security
3.26 - Automated Patch Management
3.27 - Unauthorized Access
3.28 - Intrusion Detection
3.29 - Security Software Upgrades
3.30 - Physical Access
3.31 - Network Changes
3.32 - Network Security Controls
3.33 - Internet/DMZ Systems
3.34 - Internal Systems
3.35 - Network Access Controls
3.36 - Open Source Software Updates
3.37 - Factory Default Settings
3.38 - Vulnerability Assessment
3.39 - Virus Signatures
3.40 - Patch Management Procedures
3.41 - Commercial Software Updates
3.42 - Multi-Factor Authentication
3.43 - Remote Access
3.44 - Mobile Device Unauthorized Access
3.45 - Laptop or Web Server Sensitive Data
3.46 - Encryption Tools
3.47 - List of Encrypted Privacy Information
3.48 - Portable Data Storage
3.49 - Portable Data Storage Security
3.50 - Portable Data Storage Encryption
3.51 - Offsite Portable Data Storage Secure Transportation and Facilities
3.52 - Offsite Portable Data Storage Transportation Logs
3.53 - Onsite Portable Data Storage Physical Security Controls
3.54 - Remote Access Encryption
3.55 - Wireless Network Security
3.56 - External Network Privacy Information Security
3.57 - Configuration Management
3.58 - System Logs
3.59 - System Log Security Review
3.60 - System Log Review Frequency
3.61 - Network Change Tracking
3.62 - Credit Card Transactions
3.63 - Website Sensitive Data

4 - Policies, Procedures and Documentation
4.1 - Policies and Procedures Implementation
4.2 - Risk Management Procedures
4.3 - Privacy Information Storage and Transmission Documentation
4.4 - Third Party Information Sharing Privacy Policy
4.5 - Business Continuity Plan and Disaster Recovery Plan
4.6 - Business Continuity/Disaster Recovery Plan Testing
4.7 - Expected Downtime for Critical Business Systems
4.8 - Operations Restoration Time
4.9 - Security Incident Response Plan
4.10 - Company Property Security and Acceptable Use Policy
4.11 - Computer Use Policies
4.12 - Computer Security Policy
4.13 - Laptop Security Policy
4.14 - Information Security Policy and Privacy Policy
4.15 - Privacy Policy Compliance
4.16 - Privacy Policy Author
4.17 - Privacy Policy Last Review Date
4.18 - Privacy Policy Review and Update Frequency
4.19 - Identity Theft Prevention Program
4.20 - Chief Information Officer
4.21 - Chief Security Officer
4.22 - Supervisor of CSO or Security Policy Management and Compliance Position(s)
4.23 - Chief Privacy Officer
4.24 - Website Privacy Disclosure Statement
4.25 - Secondary/Backup Computer System
4.26 - Sensitive Data Backup and Restore Methodology
4.27 - Computer System and Data Back-ups Schedule
4.28 - Daily Valuable/Sensitive Data Backups
4.29 - Weekly Valuable/Sensitive Data Backups
4.30 - Off-site Valuable/Sensitive Data Storage
4.31 - Complete Back-up File Generation Secure Offsite Storage
4.32 - Backup and Storage Format
4.33 - Document Retention and Destruction Policy
4.34 - Mobile Device Encryption Policy
4.35 - Communication Encryption Policy
4.36 - Complaint Procedure
4.37 - Access Control Procedures
4.38 - Data Classification Scheme

5 - Employees
5.1 - Employee Access to PII Restriction
5.2 - Restricted Employee Access to Private Information
5.3 - New Hires Formalized Training Program
5.4 - Data Privacy and Security Awareness Training
5.5 - Security Issues and Procedures Employee Training
5.6 - Security Awareness Training
5.7 - Employee Computer and Information Systems Policies and Procedures
5.8 - Annual Employee Training and Certification
5.9 - Annual Security Awareness Training
5.10 - Employee Personal Liability
5.11 - Employee Screening
5.12 - Applicant's Hiring Process Checklist

1 - Type Of Sensitive Data

1.1 - Information Security Infrastructure And Organization
Does your company have an information security infrastructure and organization? Attach organizational charts or policy and procedure documents indicating the establishment of an information security infrastructure and organization.
Response: Yes
Responded By: Bruce Banner
Attached Images (Exhibits): KapDentalITInfrastructure.png

1.2 - Sensitive Data Checklist
Do you collect, store, process and/or transmit any Sensitive Data on your computer system (check all that apply below)?
- Credit Card Information
- Customer Information (Names, Addresses, Email, Social Security Number)
- Usernames and Passwords
- Intellectual Property Assets
- Healthcare Information
- Trade Secrets
- Money/Securities Information
- Employee/HR Information
Responded By: Steve R
Additional Notes: Credit Card Information will be moved to a different server in 2020.
Attached Images (Exhibits): serverSensitiveContents.png

1.3 - Total Number of Protected Records
Total number of protected records in your care, custody, or control:
Response: 990

1.4 - Maximum Number of Unique Individuals
Maximum number of unique individuals for whom you collect, store or process any personal information?
Response: 99

1.5 - Regulatory Or Compliance Frameworks Checklist
Is your company compliant with any of the following regulatory or compliance frameworks? (check all that apply and indicate most recent date of compliance)
Columns: Regulatory or Compliance Framework / Achieved Compliance / Most Recent Date of Compliance
Frameworks listed: ISO 17999, SOX, PCI-DSS, HITECH, HIPAA, GLBA, SSAE, FISMA
Most Recent Date of Compliance: 5/1/2019

1.6 - Industry Security Frameworks
Does your company leverage any industry security frameworks for confidentiality, integrity and availability (e.g., NIST, COBIT)?
Response: No

1.7 - Outside Security or Privacy Groups
Is your company an active member in outside security or privacy groups (e.g., ISAC, IAPP, ISACA)?
Response: No

1.8 - Sensitive Data Processed
Is any Sensitive Data processed, stored, inputted, collected or otherwise handled on or in any of the following assets under your control or authorization?
- Websites
- Computer Systems
- Physical files and premises
- Laptops, personal portable or mobile devices

1.9 - Sensitive Information in Custody
Do you know what sensitive or private information is in your custody, along with whose information it is, where it is, and how to contact those individuals if their information is breached?
Response: No

1.10 - Total Global IT Budget Allocated to Security?
What percentage of your total global IT budget is allocated to security?
Response: 10%

2 - Third Parties

2.1 - Percentage of Work Subcontracted to Others
What percentage of the Applicant's business involves subcontracting work to others?
Response: 10%

2.2 - Evidence of Errors and Omissions Insurance from Subcontractors
Does the Applicant require evidence of errors and omissions insurance from subcontractors? (Please attach copies of evidence of errors and omissions insurance)
Response: Yes
Attached Images (Exhibits): KapDentalErrorsAndOmissionsInsurance.docx

2.3 - Written Contracts with Clients
Does the Applicant use a written contract with clients? (Please attach copies of written contracts)
Response: Yes
Attached Images (Exhibits): CustomerContract.docx

2.4 - Contracts Review Prior to Use
Does an attorney review such contracts prior to use?
Response: Yes

2.5 - Hold Harmless Clauses
Does the standard contract contain hold harmless clauses for the benefit of the Applicant?
Response: Yes

2.6 - Consent to Hold Harmless/Indemnify Others
Does the Applicant agree to hold harmless/indemnify others?
Response: Yes

2.7 - Company Information Responsible Individual
Is there an individual responsible for the security of the company information that resides at third party technology service providers?
Response: Yes
Follow-up: Responsible Individual
Enter the name of the responsible individual:
Response: Steve Rogers

2.8 - Payment Processing
Do you process payments on behalf of others, including eCommerce transactions?
Response: Yes

2.9 - Protected Personal Information or Protected Healthcare Information
Do you collect, input, store, process, or maintain any Protected Personal Information or Protected Healthcare Information Records for third party corporate entities?
Response: Yes

2.10 - Third Party Corporate Confidential Information
Do you store, process or maintain any third party corporate confidential information?
Response: Yes

2.11 - Information Sharing
Does the Applicant share private or personal information gathered from customers (by the Applicant or others) with third parties?
Response: Yes

2.12 - Information Security Staff
Do you outsource your information security to a firm specializing in information security, or have staff responsible for and trained in information security?
Response: Yes
Follow-up: List of Information Security Staff
Enter the name of firm or staff

2.13 - Network, Computer System, Information Security Outsourcing
Do you outsource any part of your network, computer system or information security functions?
Response: Yes
Follow-up: Outsourced Security Services
Indicate which services are being provided and the vendor's name:
Columns: Service / Outsourced / Vendor Name
Services listed: Data Center Hosting, Managed Security, Data Processing, Application Service Provider, Alert Log Monitoring, Offsite Backup and Storage
Vendor Name: Compu-Global-Hyper-Mega-Net

2.14 - Cloud Service Providers
Does the Applicant currently use a Cloud Service Provider in the course of business operations?
Response: Yes
Follow-up: List of Cloud Service Providers
List all Cloud Service Providers.
Response: SHIELD

2.15 - Do you require third party technology providers to meet required regulatory requirements (e.g., PCI-DSS, HIPAA, SOX, etc.)?
Response: N/A

2.16 - Third Party Security Provisions
Do third party contracts include security provisions? Attach contracts or portions related to security provisions.
Response: Yes
Attached Images (Exhibits): KapDentalSecurityProvisions.docx

2.17 - Third Party Security Standards
Does your company enforce security standards for third parties that connect to your network?
Response: Yes

2.18 - Third Party Security Assessments or Audits
Does your company perform assessments or audits to ensure third party technology providers meet company security requirements?
Response: No

2.19 - Contract Review and Approval Process
Does your company have a formal process for reviewing and approving contracts with third party technology service providers? Please attach appropriate documentation.
Response: Yes

2.20 - Sensitive or Confidential Information Written Agreements
Do you enter into written agreements for such third-party services that address care, use, and control of sensitive or confidential information?
Response: No

2.21 - Hold Harmless and Indemnification Agreements
Do contracts with service providers include hold harmless and indemnification agreements? Attach agreements or relevant sections.
Response: Yes
Attached Images (Exhibits): KapDentalHoldHarmlessContracts.docx

2.22 - Data Protection Reviews
Does the company perform reviews at least annually of the company's third-party service providers to ensure they adhere to company requirements for data protection?
Response: No

2.23 - Vendor Liability Insurance
Does your company require all vendors to maintain liability insurance? Attach Policy and Procedures and indicate the relevant section in notes.
Response: Yes

2.24 - Evidence of Network Security and Privacy Liability Coverage
Do you require third parties to provide evidence of network security and privacy liability coverage? If yes, please note where those records are kept.
Response: Yes

2.25 - Computer Service Provider Security Policies and Procedures
Do you require computer service providers who may have access to confidential information or PII to demonstrate adequate security policies and procedures?
Response: No

2.26 - Healthcare Information Exchanges
If the Applicant is in the healthcare industry, does the Applicant host, operate or manage a Healthcare Information Exchange on which other organizations may store PHI?
Response: Applicant does not operate or manage a Healthcare Information Exchange

2.27 - Vendor Data Security
Do you require all vendors to whom you outsource data processing or hosting functions (e.g., data backup, application service providers, etc.) to demonstrate adequate security of their computer systems?
Response: Yes
Follow-up: Method of Verification
Please indicate method of verification:
Response: Security is assessed by internal staff

2.28 - Third Party Audit or Monitoring
Have the Applicant's internal networks and/or Computer Systems been subject to third party audit or monitoring?
Response: Yes
Follow-up: Date of Last Audit and List of Improvements and Recommendations
When was the last audit? Attach list of improvements and recommendations.
Response: 4/30/19
Attached Images (Exhibits): KapDentalImprovements.docx
Follow-up: Improvements and Recommendations Implementation
Have all improvements and recommendations been implemented? Attach relevant documentation.
Response: Yes
Attached Images (Exhibits): KapDentalImprovementsCompleted.docx

3 - Handling of Data

3.1 - Sensitive Data Management Process
Do you have a process to manage access to Sensitive Data, including timely account termination?
Response: Yes
Follow-up: Sensitive Data Management Process Details
Please describe:
Response: Erase terminated employee accounts completely.

3.2 - Former Employee Associated Computer Access Termination
Is all associated computer access terminated when an employee leaves the company?
Response: Yes

3.3 - User Account Processes
Does the company have processes established that ensure the proper addition, deletion and modification of user accounts and associated access rights?
Response: Yes

3.4 - User Account Management Process
Does your company have a process for managing user accounts?
Response: Yes

3.5 - Firewall
Does the Applicant have up-to-date, active firewall technology?
Response: Yes
Follow-up: Firewall Vendor
Which firewall vendor is used?
Response: ZoneAlarm
Follow-up: Firewall Update Procedure
What is the current procedure for updating the firewall?
Response: Steve updates it daily.

3.6 - Anti-virus
Does the Applicant currently have updated anti-virus software in place and active?
Response: Yes

3.7 - Anti-virus Installation
Is anti-virus installed on all of the Applicant's computer systems, including laptops, personal computers and networks?
Response: Yes

3.8 - External Computer System Intrusion Prevention
Do your external computer systems (e.g., commercial websites and mobile devices) use firewall and intrusion prevention systems?
Response: Yes
Follow-up: Intrusion Prevention Security Technologies
Please identify the security technologies used:
Response: ZoneAlarm

3.9 - Password Management Process
Does your company enforce a password management process?
Response:

3.10 - Password Complexity
Does the company enforce passwords that are at least seven characters and contain both numeric and alphabetic characters?
Response: Yes

3.11 - Password Expiration
Are procedures in place regarding the creation and periodic updating of passwords?
Response: Yes

3.12 - User and Password Procedure Documentation
Does the Applicant have a formal, documented user and password procedure in place? Attach documentation.
Response: Yes

3.13 - Multi-Factor Login
Does the Applicant currently have Multi-Factor login in place for privileged access? Attach documentation or screenshots.
Response: Yes

3.14 - Critical System Security Testing
Do critical systems receive full security testing before deployment? Attach proof of latest tests.
Response: Yes

3.15 - System Security Considerations
When a new system is developed or purchased, are security considerations taken into account? Attach relevant procedures document.
Response: Yes

3.16 - Production Security Review
Are new applications and non-cosmetic changes reviewed for security vulnerabilities prior to migration to production? Attach relevant procedures document.
Response: Yes

3.17 - Separation of Development Systems
Are staging, test, and development systems kept separate from production systems? Attach a network diagram indicating the separation of staging, test, development, and production systems.
Response: Yes

3.18 - Technical Security Configuration Documentation
Is there technical security configuration documentation for the technologies or major business applications in your company?
Response: Yes
Follow-up: Technical Security Configuration Documentation Location
Where is the documentation stored?
Response: C:\ on main computer

3.19 - Security Products
Does your computer system (including e-mail and remote access) use security products that address viruses, worms, Trojans and other malware?
Response: Yes
Follow-up: Security Products Used
Please identify the technologies used:
Response:
- GFI Languard
- GFI Software VIPRE
- Microsoft Security Essentials
- Symantec AntiVirus
- VIPRE
- Windows Defender

3.20 - Virus Controls and Filtering
Do you implement virus controls and filtering on all systems?
Response: Yes

3.21 - Anti-virus and Firewall Updates
Do you have anti-virus software and firewalls in place that are regularly updated (at least quarterly)?
Response: Yes

3.22 - Anti-malware
Does the company install and update an anti-malware solution on all systems commonly affected by malicious software (particularly personal computers and servers)?
Response: Yes

3.23 - Retired Software or Hardware
Does the company use any software or hardware that has been officially retired (i.e., considered 'end-of-life') by the manufacturer (e.g., Windows XP)?
Response: Yes

3.24 - Critical Patches
Are critical patches installed within thirty (30) days of release?
Response: Yes

3.25 - Physical Security
Do you have a physical security program in place to prohibit and track unauthorized access to your computer system and data center?
Response: Yes
Follow-up: Physical Security Program Details
Please describe the physical security program. Attach additional documentation if available.
Response: We have security guards at every entrance and exit.
Attached Images (Exhibits): KapDentalSecurityGuardFloorPlan.docx

3.26 - Automated Patch Management
Do you have an automated patch management program?
Response: Yes

3.27 - Unauthorized Access
Do you have a way to detect unauthorized access or attempts to access sensitive information?
Response: Yes
Follow-up: Unauthorized Access Detection Details
Please describe how you detect unauthorized access or attempts to access sensitive information.
Response: Steve checks logs daily.

3.28 - Intrusion Detection
Does the company have an intrusion detection solution that detects and alerts an individual or group responsible for reviewing malicious activity on the company network?
Response: Yes
Follow-up: Intrusion Detection Software
What intrusion detection software are you using?
Response: McAfee

3.29 - Security Software Upgrades
Describe the process for upgrading security software (i.e., how often and by whom):
Response: Steve updates it every day.

3.30 - Physical Access
Does the company have entry controls that limit and monitor physical access to company facilities (e.g., offices, data centers, etc.)? Attach photos of entry controls.
Response: Yes
Attached Images (Exhibits): KapDentalSecurityPlan.png

3.31 - Network Changes
Do you control and track all changes to your network to ensure that it remains secure?
Response: Yes
Follow-up: Network Change Tracking
How are changes tracked?
Response: Steve keeps logs.

3.32 - Network Security Controls
Do you have a procedure to test or audit network security controls?
Response: Yes
Follow-up: Network Security Controls Details
Please describe. Attach additional documents if available.
Response:
Attached Images (Exhibits): Network Security Controls Details.docx

3.33 - Internet/DMZ Systems
Are systems in your Internet/DMZ environment secured?
Response: Yes

3.34 - Internal Systems
Are internal systems secured?
Response: Yes

3.35 - Network Access Controls
Are controls in place to secure network access?
Response: Yes
Follow-up: Network Access Controls Details
Please describe. Attach additional documents if available.
Response: see docx
Attached Images (Exhibits): Network Access Controls Details.docx

3.36 - Open Source Software Updates
Does the company update open source software that is not commercially supported (e.g., Java, Linux, PHP, Python, OpenSSL) for known security vulnerabilities?
Response: Yes
Follow-up: Open Source Software Updates Details
Please describe. Attach additional documents if available.
Response: see docx
Attached Images (Exhibits): Open Source Software Updates Details.docx

3.37 - Factory Default Settings
Do you replace factory default settings to ensure your information security systems are securely configured?
Response: Yes

3.38 - Vulnerability Assessment
Do you have a proactive vulnerability assessment program that monitors for breaches and ensures timely updates of anti-virus signatures and critical security patches?
Response: Yes

3.39 - Virus Signatures
How often are virus signatures updated?
Response: daily

3.40 - Patch Management Procedures
Does the Applicant currently have patch management procedures in place?
Response: Yes

3.41 - Commercial Software Updates
Does the company update (e.g., patch, upgrade) commercial software for known security vulnerabilities per the manufacturer's advice?
Response: Yes

3.42 - Multi-Factor Authentication
Does the company use multi-factor authentication for remote network access originating from outside the company network by employees and third parties (e.g., VPN, remote desktop)?
Response: Yes
Follow-up: Multi-Factor Authentication Details
Please describe. Attach additional documents if available.
Response: email and phone number verification
Attached Images (Exhibits): Multi-Factor Authentication Details.docx

3.43 - Remote Access
Is the Applicant's remote access currently limited to VPN?
Response: Yes

3.44 - Mobile Device Unauthorized Access
Does the company have a solution to protect mobile devices (e.g., Laptops, iPhones, iPads, Android, Tablets) to prevent unauthorized access in the event the device is lost or stolen?
Response: Yes
Follow-up: Mobile Device Unauthorized Access Solution Details
Please describe. Attach additional documents if available.
Response: we erase them remotely
Attached Images (Exhibits): Mobile Device Unauthorized Access Solution Details.docx

3.45 - Laptop or Web Server Sensitive Data
Does the Applicant store sensitive data on laptops or web servers?
Response: Yes
Follow-up: Laptop or Web Server Sensitive Data Encryption
Is the data encrypted?
Response: Yes

3.46 - Encryption Tools
Do you have encryption tools to ensure integrity and confidentiality of Sensitive Data, including data on removable media (e.g., CDs, DVDs, tapes, disk drives, USB devices, etc.)? If 'Yes', please describe the technologies used:
Response: Yes
Follow-up: Encryption Tools Details
Please describe technologies used. Attach additional documents if available.
Response: see docx
Attached Images (Exhibits): Encryption Tools Details.docx

3.47 - List of Encrypted Privacy Information
Does your company encrypt Privacy Information when: (Check all that apply)
- Data is at rest
- Stored on mobile assets (e.g. laptops, phones, tablets, flash drives)
- Transmitted over public networks (e.g. the Internet), in transit
- Stored on enterprise assets (e.g. databases, file shares, backups)
- Stored with 3rd party services (e.g. cloud)

3.48 - Portable Data Storage
Are users able to store data to the hard drive of portable computers or to portable media devices such as USB drives?
Response: Yes

3.49 - Portable Data Storage Security
Describe any additional controls the Applicant has implemented to protect data stored on portable devices:
Response: Remote data deletion.

3.50 - Portable Data Storage Encryption
Are tapes and other portable media containing backup materials encrypted?
Response: Yes

3.51 - Offsite Portable Data Storage Secure Transportation and Facilities
Are tapes or other portable media stored offsite using secured transportation and secured facilities?
Response: Yes

3.52 - Offsite Portable Data Storage Transportation Logs
If stored offsite, are transportation logs maintained?
Response: Yes

3.53 - Onsite Portable Data Storage Physical Security Controls
If stored onsite, please describe physical security controls.
Response: Yes

3.54 - Remote Access Encryption
Do you authenticate and encrypt all remote access to your network and require all such access to be from systems at least as secure as your own? Check N/A if you do not allow remote access to your systems.
Response: Yes

3.55 - Wireless Network Security
On your wireless networks, do you use security at least as strong as WPA authentication and encryption? Check N/A if you do not use wireless networks.
Response: Yes

3.56 - External Network Privacy Information Security
Does your company sto
