Questionnaire mapping

Question by question, where AttackEdge helps.

Pulled from the public Chubb Cyber ERM Standard Cyber Proposal Form. Section numbers match the PDF, so a broker reading this can cross-reference directly.

For each question: where AttackEdge helps, where it does not, and a verdict (Helps, Partial or Out of scope).

  • V.3: External penetration testing conducted at least annually

    Where AttackEdge helps: AttackEdge runs recurring external scans against your in-scope assets on the cadence you choose. The dated PDF is the recurring external-scanning evidence underwriters expect to see alongside a manual pen test.
    Where it doesn't: It is not a substitute for a manual penetration test. If Chubb asks for a pen test report, you still need one.
    Verdict: Partial

  • V.12: Sender Policy Framework (SPF) enforced

    Where AttackEdge helps: Checked every cycle and re-checkable any time. The PDF shows the published SPF record and whether it is enforced.
    Where it doesn't: Nothing to add.
    Verdict: Helps

  • V.12: DomainKeys Identified Mail (DKIM) enforced

    Where AttackEdge helps: DKIM presence on the active selector is reported every cycle, with the public-key length and signing posture.
    Where it doesn't: Nothing to add.
    Verdict: Helps

  • V.12: MFA required for webmail or cloud-hosted email

    Where AttackEdge helps: Nothing.
    Where it doesn't: MFA is configured inside Microsoft 365, Google Workspace or Okta. AttackEdge can flag exposed login pages but cannot read your MFA policy.
    Verdict: Out of scope

  • V.27: Inventory of hardware and software assets; percentage in scope for scanning

    Where AttackEdge helps: Your asset list inside AttackEdge is the inventory. Passive discovery flags subdomains and hosts you had forgotten about, so the percentage in scope reflects reality.
    Where it doesn't: Internal hardware and software that is not internet-connected still has to come from your IT team or MSP.
    Verdict: Partial

  • V.28: How often do you perform vulnerability scans (internal / external)?

    Where AttackEdge helps: External: monthly on Solo and SMB, plus on-demand re-checks after you change DNS or push a fix. The dated PDF answers the external column directly.
    Where it doesn't: Internal scanning needs an agent or a network appliance and is out of scope.
    Verdict: Partial

  • V.30: Do you operate any end-of-life or unsupported hardware, software or systems on the internet?

    Where AttackEdge helps: Banner and version detection on internet-facing services flags end-of-life web servers, PHP versions, CMS plugins and TLS stacks. The PDF lists what was detected.
    Where it doesn't: EOL software inside your network (workstations, internal apps) sits outside an external scanner.
    Verdict: Helps

  • V.31: Do you regularly scan for and disable unnecessary open ports and protocols?

    Where AttackEdge helps: Every cycle enumerates exposed ports on your in-scope IPs and flags risky or unexpected services.
    Where it doesn't: Nothing to add.
    Verdict: Helps

  • V.32–34: Formal patch management process and timelines by CVSS severity

    Where AttackEdge helps: The findings PDF is timestamped, so a fall in critical and high findings over consecutive months is itself patch-cadence evidence.
    Where it doesn't: The patch policy document and your internal-system patch SLA are still things you write, not things we observe.
    Verdict: Partial

  • V.13–16: Formal Business Continuity Plan, immutable backups, restore testing

    Where AttackEdge helps: Nothing.
    Where it doesn't: Backup posture lives inside your environment. We see backup endpoints only if they happen to be exposed (which they should not be), and we do not verify immutability or restore testing.
    Verdict: Out of scope

  • V.25: Security Information and Event Monitoring (SIEM) and EDR coverage

    Where AttackEdge helps: Nothing.
    Where it doesn't: SIEM and EDR are internal tooling. AttackEdge is an external scanner; ask your MSP or IT vendor for this evidence.
    Verdict: Out of scope

  • IV.1e: Formal cyber-specific incident response plan tested at least annually

    Where AttackEdge helps: Nothing directly.
    Where it doesn't: The plan document and the tabletop exercise are out of scope. What AttackEdge does give you is a stream of dated detection evidence the plan can reference.
    Verdict: Out of scope

  • XV.1: Phishing training exercises on a regular basis

    Where AttackEdge helps: Nothing directly.
    Where it doesn't: Phishing simulation services (KnowBe4, Hoxhunt, etc.) are a separate tool. We surface email-authentication posture, which makes spoofing your domain harder; it does nothing for training your staff.
    Verdict: Out of scope

  • V.27 (TLS posture, implicit): Certificates current; weak ciphers and missing headers

    Where AttackEdge helps: Certificate validity, weak ciphers and missing security headers (HSTS, CSP) are reported every cycle for each in-scope host.
    Where it doesn't: Nothing to add.
    Verdict: Helps
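The two V.12 email rows above talk about whether SPF is "enforced". If you want to check that yourself before a cycle runs, the script below is an added example, not AttackEdge's own code: it reads an SPF record and a DMARC record the way a receiver would, reports the qualifier on the trailing all term, counts the DNS-lookup-costing terms against the limit of 10 from RFC 7208, and parses the DMARC policy and pct value. The records named SAMPLE_* are constructed for the example, so it runs offline; with a real domain you would fetch the TXT records for the domain and for _dmarc.<domain> first.

```python
"""Added example (not AttackEdge's code): read SPF and DMARC posture from
published TXT records. The SAMPLE_* records below are constructed, not
fetched, so the script runs offline; in practice you would look up the TXT
records for <domain> and _dmarc.<domain> first."""
import re

# RFC 7208 s4.6.4: each of these terms costs a DNS lookup, and more than 10
# in total makes the record evaluate to permerror, which receivers treat as
# "no usable SPF" no matter how the record ends.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
SPF_LOOKUP_LIMIT = 10


def parse_spf(record):
    """Posture of one SPF record. 'enforced' means it ends in -all (hard fail)
    and stays within the lookup limit. Only the lookup-costing terms written
    in this record are counted; the records behind each include: also count
    and need a DNS fetch to total up."""
    record = record.strip().strip('"')
    if not record.lower().startswith("v=spf1"):
        return {"present": False, "enforced": False, "all": None,
                "lookups": 0, "issues": ["not an SPF record"]}
    issues, lookups, all_qualifier = [], 0, None
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
            if name == "ptr":
                issues.append("ptr is deprecated and unreliable")
    if all_qualifier is None:
        issues.append("no 'all' term; unmatched senders are treated as neutral")
    elif all_qualifier == "+":
        issues.append("+all lets any sender pass")
    elif all_qualifier in "~?":
        issues.append(all_qualifier + "all does not tell receivers to reject")
    if lookups > SPF_LOOKUP_LIMIT:
        issues.append("%d lookup-costing terms exceeds the limit of %d"
                      % (lookups, SPF_LOOKUP_LIMIT))
    return {"present": True, "all": all_qualifier, "lookups": lookups,
            "enforced": all_qualifier == "-" and lookups <= SPF_LOOKUP_LIMIT,
            "issues": issues}


def parse_dmarc(record):
    """Policy of one DMARC record. 'enforced' means p=quarantine or p=reject
    applied to 100% of failing mail; p=none only reports."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        key, _, value = part.partition("=")
        if value:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"present": False, "policy": None, "pct": 0, "enforced": False}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return {"present": True, "policy": policy,
            "subdomain_policy": tags.get("sp", policy).lower(),
            "pct": pct, "reports_to": tags.get("rua"),
            "enforced": policy in ("quarantine", "reject") and pct == 100}


def email_auth_posture(spf_record, dmarc_record):
    """Combine both. SPF alone checks the envelope sender, so a forged From:
    header is only rejected once DMARC is enforced."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    if dmarc["enforced"]:
        verdict = "enforced"
    elif spf["present"] or dmarc["present"]:
        verdict = "published but not enforced"
    else:
        verdict = "absent"
    return {"spf": spf, "dmarc": dmarc, "verdict": verdict}


# Constructed sample records (not any real domain's data).
SAMPLE_SPF_SOFT = "v=spf1 include:_spf.google.com include:sendgrid.net a mx ~all"
SAMPLE_SPF_HARD = "v=spf1 include:_spf.google.com -all"
SAMPLE_SPF_TOO_MANY = ("v=spf1 " + " ".join("include:vendor%d.example.net" % i
                                            for i in range(11)) + " -all")
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
SAMPLE_DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for spf, dmarc in ((SAMPLE_SPF_SOFT, SAMPLE_DMARC_MONITOR),
                       (SAMPLE_SPF_HARD, SAMPLE_DMARC_ENFORCED),
                       (SAMPLE_SPF_TOO_MANY, SAMPLE_DMARC_ENFORCED)):
        result = email_auth_posture(spf, dmarc)
        print(result["verdict"], "|", result["spf"]["issues"])
```

Two things the script makes visible that a "record present" tick does not: a softfail (~all) or a record that blows the lookup limit is published but not enforced, and a DMARC record with p=reject but pct=50 is only half enforced.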
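The last row lists HSTS and CSP among the headers reported each cycle. Presence is the easy half; the script below is an added example, not AttackEdge's code, that grades what a response actually sends: an HSTS max-age of 0 or a few minutes, a missing includeSubDomains, and a CSP whose script-src allows 'unsafe-inline' with no nonce or hash, or any origin. The WEAK_HEADERS and STRONG_HEADERS dictionaries are constructed samples; with a live host you would paste in the output of curl -sI against it.

```python
"""Added example (not AttackEdge's code): grade the HSTS and CSP headers of
one HTTPS response. WEAK_HEADERS and STRONG_HEADERS are constructed samples;
in practice you would take the headers from `curl -sI https://<host>/`."""

HSTS_MIN_AGE = 15552000      # 180 days; a common scanner minimum
HSTS_PRELOAD_AGE = 31536000  # 365 days; required by the browser preload list


def check_hsts(value):
    """Return (ok, issues) for a Strict-Transport-Security value (None if absent)."""
    if value is None:
        return False, ["header missing"]
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    issues = []
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    if max_age < 0:
        issues.append("max-age missing or not a number")
    elif max_age == 0:
        issues.append("max-age=0 tells browsers to forget the policy")
    elif max_age < HSTS_MIN_AGE:
        issues.append("max-age %d is under %d seconds" % (max_age, HSTS_MIN_AGE))
    if "includesubdomains" not in directives:
        issues.append("includeSubDomains missing; subdomains stay downgradeable")
    if "preload" in directives and max_age < HSTS_PRELOAD_AGE:
        issues.append("preload set but max-age is under one year")
    return not issues, issues


def check_csp(value):
    """Return (ok, issues) for a Content-Security-Policy value (None if absent).
    A present header is not enough: script-src must not be trivially bypassable."""
    if value is None:
        return False, ["header missing"]
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    issues = []
    # script-src falls back to default-src when it is not set.
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        issues.append("no script-src and no default-src")
    else:
        has_nonce_or_hash = any(t.startswith(("nonce-", "sha256-", "sha384-", "sha512-"))
                                for t in script_src)
        # Browsers that understand nonces/hashes ignore 'unsafe-inline' beside them.
        if "unsafe-inline" in script_src and not has_nonce_or_hash:
            issues.append("script-src allows unsafe-inline with no nonce or hash")
        if "*" in script_src or "https:" in script_src:
            issues.append("script-src allows scripts from any origin")
    if "object-src" not in directives and "default-src" not in directives:
        issues.append("object-src unrestricted (plugin content can load)")
    return not issues, issues


def grade_headers(headers):
    """Case-insensitive lookup of the headers the form cares about."""
    lower = {k.lower(): v for k, v in headers.items()}
    return {
        "hsts": check_hsts(lower.get("strict-transport-security")),
        "csp": check_csp(lower.get("content-security-policy")),
        "nosniff": lower.get("x-content-type-options", "").lower() == "nosniff",
    }


# Constructed sample responses (not captured from any real host).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Server": "nginx",
}
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("strong", STRONG_HEADERS)):
        print(label, grade_headers(headers))
```

Both sample responses would count as "HSTS present, CSP present" on a tick-box check; only the second one actually holds up.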
What you hand the broker

Three artefacts that travel with the submission.

Dated PDF report

One PDF per cycle, generated on the scan date. Attach it to your Chubb submission email or upload it to the broker portal. The header carries the scan window so the underwriter does not need to ask when it ran.

Public methodology link

A live, public page describing what every cycle checks and how. Underwriters can read it without an NDA. Linking to it answers the "how do you scan" question without you re-explaining.

Asset inventory and discovery log

The in-scope asset list inside AttackEdge plus the passive discovery findings. This is what feeds the inventory question on the form and shows that scope is current, not stale.

AttackEdge is an external scanner. It does not answer the parts of the Chubb form that live inside your environment: MFA configuration, privileged access management, EDR or SIEM coverage, backup immutability, incident response plans, employee training, biometric data handling, and the third-party risk-management questions in Section VI. Those answers come from your IT team, your MSP, or a separate tool. The dated PDF only speaks to what is on the public internet.

Chubb Insurance Australia Limited (ABN 23 001 642 020, AFSL 239687) underwrites the Cyber ERM policy in Australia. Your broker normally requests the proposal form ahead of renewal, and again whenever you change limits or add a new entity. Most Australian SMBs renewing cyber cover will see one of the three Chubb forms, or its underlying questions repeated by another underwriter, because the technical-scanning questions are an industry-wide baseline.

AttackEdge slots in early: subscribe before the form lands, run a cycle, and you have a dated PDF ready when the broker asks for evidence. The subscription means next year’s answer is the same answer, only newer.

Common questions

Chubb-specific FAQ.

  • Which version of the Chubb Cyber ERM proposal form should I be looking at?

    Chubb publishes three Australian versions: a Short MarketPlace form for businesses under A$50m revenue, the Standard form for A$50m–A$700m, and the Extensive form above A$700m. The technical-scanning questions are nearly identical across all three; only the depth varies. AttackEdge answers the same external-surface questions in each.

  • How does Chubb verify the answers on the proposal form?

    Chubb does not always re-scan. Underwriters often rely on the proposer's declaration plus, increasingly, an external scoring service (BitSight, SecurityScorecard) at quote stage. The AttackEdge PDF gives Chubb a primary-source second opinion. If the scoring service flags something we already found and you fixed, your PDF history shows when.

  • Does AttackEdge replace the Optional Services Questionnaire at the end of the form?

    No. Section XV asks about phishing training, password management, and cyber-incident-response drills. None of that is external scanning. AttackEdge does not answer Section XV.

  • When in the renewal cycle should I attach an AttackEdge report?

    When you submit the completed proposal form to your broker. The broker will pass it to Chubb with the rest of the submission. If Chubb comes back with follow-up technical questions, the same PDF usually answers them. The Solo subscription means the next cycle's PDF is already running before the next renewal arrives.

  • My broker uses the Cyber ERM SME Marketplace platform β€” does the same evidence work?

    Yes. The Marketplace platform pre-populates the same underlying questions for businesses under A$50m revenue, so the technical-scanning answers AttackEdge supports are the ones you fill in there as well.

Renewal-ready evidence

Run the first scan before the form arrives.

Solo subscriptions start at A$39/month. The first PDF lands inside an hour of the first scan, dated and ready to attach.