Domestic & General USA Information Security Requirements

The terms set out below form part of the Client Agreement with Domestic & General, LLC (the “Agreement”).

Definitions and Interpretation

In addition to any words and meanings defined in the Agreement which shall apply to the terms set out here, the following expressions shall have the meanings set out below:

“Authorized User”

means, as appropriate, (i) employees, servants, agents or otherwise of the Client who are required to access the DG USA Systems to undertake any of the obligations of the Client under this Agreement; or (ii) employees, servants, agents or otherwise of DG USA who are required to access the Client’s Systems to undertake any of the obligations of DG USA under this Agreement;

“Cardholder Data”

means data which, at a minimum, contains the full PAN but which may include the full PAN plus any of the following (a) Cardholder name; (b) expiration date; (c) Service Code and (d) Security Code;

Client Systems

means any of the systems hosted and/or maintained by the Client that DG USA is required to access in order to fulfill its obligations under this Agreement.

“DG USA Systems”

means any of the systems hosted and/or maintained by DG USA that the Client is required to access in order to fulfill its obligations under this Agreement;

“IT Infrastructure”

means any hardware, software, network, servers, data centers, cloud computing (inc. but not limited to PaS and SaaS), personal computers, devices, routers, switches, software apps, operating systems, bios, firmware, virtual machines, internet connectivity, VPN, desktop virtualization, firewalls, security and any other item or otherwise which data (including confidential information) traverses and/or processed through a business;

“Malware”

means viruses, trojan horses, worms and other harmful computer code;

“PAN” 

is the acronym for “primary account number” (also referred to as “account number”) being the unique payment card number (typically for credit or debit cards) that identifies the issuer and the particular cardholder account;

“Service Code”

means the three-digit or four-digit value in the magnetic stripe that follows the expiration date of the payment card on the track data; and

“Security Code” means the card-validation code or value (three- or four-digit number printed on the front or back of a payment card used to validate card-not-present transactions).

1. Minimum Requirements

1.1.    The Parties shall:
a.    meet the minimum control requirements set out in Annex 1 below;
     i.    Notwithstanding 1.1(a), where a Party does not meet the requirements set out in Annex 1: Minimum Standards, the other Party(ies) may agree in writing any deviations from Annex 1 (the “Remedial Action Plan”). The Remedial Action Plan shall include remedial actions required to remedy any areas of non-compliance in accordance with agreed timescales.
     ii.    If the Remedial Action Plan is not met within the agreed timescales, then the other Party(ies) reserve(s) the right to terminate or suspend performance of the Services or the Agreement on written notice unless a revised date for full compliance has been agreed between the Parties in writing. 


b.    maintain an appropriate risk-based information security management programme aligned to industry best practices, with all personnel aware of their responsibilities in identifying and responding to security threats.  The programme must be supported by the necessary senior management oversight, budget and capabilities required to protect the confidentiality, integrity, and availability of data; and


c.    at all times be ISO27001 or equivalent compliant and hold such accreditation.

2. Due Diligence

2.1. The Client shall cooperate, assist, and meet DG USA’s mutually agreed upon reasonable due diligence requirements which include:

   a.    completion of DG USA’s information security questionnaire;
   b.    remote information security testing;
   c.    onsite information security testing; or,
   d.    any other such due diligence as determined by DG USA subject at all times that such additional due diligence is reasonable in respect of the activities and obligations owed by the Client under the Agreement.  

2.2.    Such due diligence set out in paragraph 2.1 above shall occur:
   a.    prior to but no later than the yearly anniversary of the Effective Date of the Agreement;
   b.    on renewal of the Agreement;
   c.    where the activities or obligations of the Client under the Agreement have changed; or,
   d.    where DG USA has become aware of any incidents or concerns notified to it or which are discovered as a consequence of any audit or reviews of information carried out.

2.3.    Any resources required by the Client to support the due diligence as detailed in paragraph 2.1 and 2.2 above shall be at the Client’s own cost and shall be no more than the standard business hours within two (2) Business Days of participation and effort by the Client unless additional time is agreed in writing between the Parties.

3.    Payment card industry data security standard (PCI DSS) 

3.1.    The Client acknowledges that the Payment Card Industry Data Security Standard requires DG USA to obtain a written acknowledgement from its suppliers that store, process, or transmit (including any underlying platforms) its Consumers’ Cardholder Data of their responsibility for securing the same. The Client may periodically come into the possession of Consumers’ Cardholder Data during the performance of its contractual obligations to DG USA and the Client hereby warrants and agrees that prior to storing, processing or transmitting any Consumer Card Holder Data it and any permitted Sub-Processors it uses (in the latter case with effect from the date upon which such Sub-Processor commences Processing Cardholder Data) who have access to Consumers’ Cardholder Data are, and will continue to be, compliant with the PCI DSS. 

3.2.    On request from DG USA, the Client will provide DG USA with a copy of its certification confirming that it is PCI DSS compliant and undertakes to supply DG USA with any subsequent certificate of compliance it receives. DG USA reserves the right to terminate or suspend performance of the Services or the Agreement on written notice if the Client fails to provide a copy of its certification confirming that it is PCI DSS compliant.

3.3.    The Client shall fully indemnify DG USA against all actions, claims, demands, proceedings, damages, costs, fees, and expenses arising from or incurred by reason of any breach by the Client of its PCI DSS obligations under this Agreement.

4. Responsibility for Access

4.1.    The Client must ensure that all systems from which it or its Authorized Users access the DG USA Systems and data are appropriately protected by:
     a.    security access mechanisms such as unique username and password requirements and automatic locks after inactivity; and 
     b.    encrypted session for authentication data.

4.2.    The Client shall, and shall procure that its Personnel or any of its Sub-Processors shall, ensure that its technology system that may interface with the DG USA’s System which Processes any data under this Agreement is free of Malware and it undertakes to use reasonable efforts to keep its software free of Malware including maintaining up to date Malware definitions on any commercial anti-malware product that it may have deployed.

5. Audit Rights

5.1.    The Client (“Audit Party”) shall and shall procure its Personnel or any of its Sub-Processors shall upon request provide evidence to DG USA (“Requesting Party”) of the measures implemented by it or its Sub-Processors to comply with these information security obligations, including but not limited to that the Client shall allow  DG USA, its auditors, its regulators, including any representative of the foregoing, to have access to and audit any processes, procedures, documentation, and/or any premises of the Client, it’s Personnel or any of its Sub-Processors where Processing of data under this Agreement is carried out. Such access may take place on ten (10) days prior notice unless DG USA reasonably believes that the Client, it’s Personnel or any of its Sub-Processors is in breach of any obligations herein, or a shorter notice period is required by any regulator, in which case DG USA shall not be obliged to give such prior notice and the Client, it’s Personnel or any of its Sub-Processors shall provide full co-operation and assistance to DG USA, its auditors, its regulators, including any representative of the foregoing, at no additional charge to DG USA.

5.2.    Where the Client, its Personnel or any of its Sub-Processors no longer has a valid accreditation required to be held or a Party, its Personnel or any of its Sub-Processors has suffered or undertaken any act of non-compliance with such accreditation (the “Impacted Party”), the Impacted Party, its Personnel or any of its Sub-Processors will immediately notify DG USA and will cooperate fully with DG USA concerning  any actions to be taken in response which may extend to immediately ceasing to Process any data under this Agreement. If certified compliance with the relevant accreditation is not maintained again by the Impacted Party by a date which DG USA considers reasonable then DG USA may terminate or suspend the Agreement on written notice unless a revised date for full compliance can be agreed.

6. Continuing Compliance

6.1.    The Client shall and shall ensure that its personnel or any of its sub-processors work together with DG USA and/or its representatives to implement any corrective actions identified by DG USA as necessary to comply with these provisions, within a reasonable period of time agreed with DG USA, and reasonableness shall be assessed having regard to the nature and seriousness of the area(s) of non-compliance identified.

6.2  DG USA reserves the right to review and update its data security standards and requirements, having reference to any legal and statutory requirements, guidance, and best industry practices. DG USA shall notify the Client in writing of any such changes to these requirements which it considers are necessary and such changes mutually agreed upon shall form part of the Agreement.

Annex 1: Minimum Standards

1.    Operational Technology Controls Minimum Standards: These are the minimum requirements to be in place across the Digital, Technology and IT Infrastructure:

a.    The principle of “least privilege” access across IT Infrastructure which shall be reviewed at least every three (3) months for privileged users (for example administrators) or every six (6) months for all other users and ratified by an attestation process;
b.    Out of support/legacy IT Infrastructure and/or systems shall be isolated from the main network and secured with a plan to remove from the IT Infrastructure;
c.    Have in place a Security Operations Center / Security Information and Event Management solution which is underpinned by a process that logs, monitors, reviews, and responds to any unusual activity across the Digital, Technology and IT Infrastructure;
d.    A cyber security incident response exercise must be completed at least every twelve (12) months;
e.    Vulnerability scanning of the IT Infrastructure shall be undertaken at least every thirty (30) days, where a high and/or critical vulnerability is identified, remediation must be completed within fifteen (15) days;
f.    Penetration testing of Digital, Technology and IT Infrastructure is performed at least every twelve (12) months;
g.    All traffic is encrypted in line with industry standards;
h.    Applications must be developed securely using only secure components and secure development practices. Appropriate measures must be implemented within your software development lifecycle to provide reasonable assurance of the security and quality of software developed.
i.    Any developed code is managed in a secure manner so that it cannot be altered or amended without sufficient authorization;
j.    Developer coding tools must have 2FA activated if such a feature exists;
k.    APIs should be secured and protected in line with industry standards and good practice.
l.    Information security training is in place, with staff or 3rd Parties (including any who access the IT Infrastructure) receive training at least every twelve (12) months;
m.    Have in place an inventory of the Digital, Technology and IT Infrastructure which is maintained and appropriately updated;
n.    Have in place a process to log, monitor, alert and remediate (removal or isolation) any unauthorized IT Infrastructure that is detected on the Digital, Technology and IT Infrastructure;
o.    Have in place defined security baselines for Digital, Technology and IT Infrastructure.

2. Business Continuity Minimum Standards: These are standards related to ensuring information security controls are not impacted by a disaster or unplanned incident:

a.    Backups must be made on a regular basis as per backup requirements (e.g. daily, weekly);
b.    Backup restore tests must be performed at least annually;
c.    Business continuity plan is tested at least annually; 
d.    Have a relevant cyber incident response plan in place to prepare, detect, analyse, contain, eradicate, and recover data; and
e.    Test the cyber incident response plan at least annually.

3. Account Controls Minimum Standards: These are standards related to user credentials for authentication and authorization:

a.    All unused accounts must be deleted or disabled as soon as practicable;
b.    Ensure that each account is granted on “least privilege” to enable user to perform designated job function(s);
c.    Each account must be assigned to one individual or to one service; 
d.    A process for staff joining, moving, or leaving a role must be in place to adjust access levels accordingly; and
e.    Accounts with access to the high-risk sections of the system (including but not limited to sections of the system that contain Personal Data, and/or Confidential Information) will be regularly reviewed, and access removed when a business need no longer exists for that access (for example, where a person has left the organization); 
f.    Passwords must meet industry standards, be sufficiently complex and enforced for all accounts; and,
g.    All accounts must utilize multi-factor authentication.

4. System Controls Minimum Standards: These standards are minimum best practices for systems administration:

a.    Ensure that key information security policies are in place, regularly reviewed and adhered to;
b.    Local login access to the system must be restricted by access control list to those accounts with a documented business need to use the data on the system;
c.    Only the minimum operating system components and applications required to carry out the business function shall be installed and monitored on a regular basis;
d.    A regular monthly patch cycle to ensure latest patches (including security patches) are installed for operating systems, databases and application services within a reasonable time based on the risk associated with the patch to keep systems within lifecycle support;
e.    Where a critical vulnerability is identified in the IT Infrastructure any patching must be completed within fourteen (14) days;  
f.    Critical Zero Day vulnerabilities should be patched as soon as is feasible, and commensurate with risk. The risk should be identified and assessed within twenty-four (24) hours after becoming aware of the vulnerability and the patch being made available. Where an exploit is known and available as an attack vector the patch should be applied within forty-eight (48) hours;
g.    If proprietary source code is being developed and/or deployed, it must be created using secure coding practices, stored in a secure repository, and checked for security errors prior to introduction;
h.    If automated notification of operating system, databases and application updates is available, it shall be enabled;
i.    Login access to the system must be restricted to those accounts with a documented business need to use the data on the system remotely;
j.    Ensure appropriate encryption at rest to safeguard Confidential Information, Personal Data, backups and data bases;
k.    Only pseudonymised personally identifiable information shall be used in non-production environments;
l.    Ensure an approved anti-Malware program is installed, running, monitored, and has on-access scanning and automatic updates enabled. Anti-Malware scanning must include email and web browsing traffic; 
m.    Shall ensure any information in an electronic format which it passes to the other Party shall be checked for Malware;
n.    Systems must be configured with an industry best practice secure configuration and run only the services required to perform the specific business function of the machine;
o.    Systems must have session timeouts and screen locks enabled; 
p.    Security logs must be shipped to a remote logging system or correlator; and,
q.    Systems must run an integrity checker on critical system and configuration files.

5. Network Controls Minimum Standards: These standards define network access that connect systems:

a.    System must be on a firewall protected network (which is managed regularly) shared only with systems in the same security domain;
b.    Network devices must be configured with an industry best practice secure configuration and run only the services required to perform the specific business function of the machine;
c.    Network traffic access shall be restricted to the minimum necessary to perform required functions; 
d.    Wireless networks must use industry best practice authentication and encryption protocols; and,
e.    Ensure all the area network (including internal and wireless) are segregated appropriately, where required.

6. Physical & Environmental Minimum Standards : These standards define requirements for physical securing and protecting of equipment:

a.    Shall procure that any Personnel shall ensure that any information in a physical format is handled in a secure manner.
b.    Systems must be located in a locked room with limited access;
c.    Systems must be located in a locked rack or cage;
d.    Backup media must be physically secured from unauthorized access;
e.    Backup media must be stored in a physically diverse location;
f.    Backup media must be encrypted;
g.    Systems must be provided with power protection-air-conditioning, uninterruptable power supply UPS, and backup generator;
h.    Systems must be located in a room with appropriate environmental controls, e.g., heat, humidity;
i.    Systems storage media must be securely erased or disposed of when system function/role changes including equipment disposal; and
j.    Storage media must be physically destroyed when system function or role changes to a lower classification or at equipment disposal. In case of reusing storage media, the device must be secure erased in line with an appropriate industry standard.

Service plans and maintenance and support plans are provided by Domestic & General Services Limited. Insurance policies are provided by Domestic & General Insurance PLC. Domestic & General Insurance PLC is not an insurance intermediary. We’re the underwriter of the insurance policies and don’t provide personal recommendations or advice.

Domestic & General Insurance PLC is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Financial register number 202111