Cyber Liability Update
April 21, 2016
Prepared By: John Marshall, CRM, ERMCP, CIC, AAI; Jenny Jacobsen, JD
Welcome
Introduction
John Marshall, CRM, ERMCP, CIC, AAI
– Principal and shareholder
– Head of Professional Risk Services division
– Based in Omaha, Nebraska
– I started in medical malpractice insurance 18 years ago, which led to an accidental early education in cyber liability via my claims-made and professional liability experience
– Cyber liability fits hand-in-hand with our enterprise risk management (ERM) approach
Introduction
Jenny Jacobsen, JD
– Risk Management and Regulatory Affairs Advisor for the Professional Risk Services division
– Based in Omaha, Nebraska
– I am an attorney by training, but my background is in healthcare
– I focus on emerging risks, such as cyber liability, and helping clients with strategic risk management
Learning Objectives
– Identify and quantify the cyber exposures that are most costly
– Identify what cyber insurance can and cannot do
– Discuss claims trends
– Discussion/questions
Categories of Exposure
– Technology
  – Hardware/software
  – Devices
  – Internet-based
  – E-commerce
– Human
  – Employees
  – Patients
  – Vendors/other third parties
– Cyber terrorism
– E&O
  – Liability arising from products or services provided to third parties
– Network and system security breach
– Data breach
– Physical breach
Cyber Risk – Types of Losses
– Protected health and financial information
– Identity theft
– Business interruption due to a cyber event
– Cyber extortion
– Lost or destroyed hardware, devices or data
– Computer fraud and employee dishonesty
– Infringement of protected rights – e.g., copyrights
– Theft of intellectual property
– Virus transmission
– Loss caused by third parties
– Data that is not properly destroyed
– Breach of contract damages
Quantification of Losses
Direct Cost
– Breach investigation and breach notification costs
– Credit monitoring expenses
– Data and hardware restoration costs
– Business interruption expenses
– Crisis management and public relations expenses
– Compensatory or consequential damages
– Legal expenses
– Breach of contract damages
– Fines and penalties
– Punitive damages
Indirect and Opportunity Cost
– Time spent on breach investigation and breach notification
– Time spent educating, training and effectuating compliance
– Time spent on research and implementation of new security and privacy programs
– Abnormal customer churn
– Increased customer acquisition activities
– Diminished goodwill and loss of brand value
– Loss of reputation
– Cost of employee turnover
Quantification of Losses
Ponemon Institute's 2015 Cost of Data Breach Study: United States
– Based on 62 U.S. companies
– Number of records breached ranged from 5,655 to 96,550
– Per capita cost is defined as the total cost of the data breach divided by the number of lost or stolen records
NetDiligence's 2015 Cyber Claims Study
– Based on 160 data breach insurance claims
– Number of records breached ranged from 1 to 110,000,000
– Only represents claim payouts for specific breach-related expenses – does not include opportunity costs or customer defections
Quantification of Losses (chart slides; data not reproduced in text)
* 2015 Cyber Claims Study, NetDiligence Institute
** 2015 Cost of Data Breach Study: United States, Ponemon
Cyber/Technology Insurance – Why?
– It's not a matter of if you will be breached, but a matter of when you will be breached
– 898,584,384 records containing "sensitive personal information" were breached between January 2005 and April 2016
– Companies are requiring it to do business with you
"Within six years, we're going to be well on our way to everyone having cyber insurance as just a basic set of insurance, just like property insurance." – Ari Schwartz, Director for Cybersecurity on the White House National Security Council, September 8,
– 60% of small businesses close within six months of a cyber crime
– 20% of all cyber attacks hit businesses with 250 or fewer employees
Sources: Privacy Rights Clearinghouse; Survey Finds CPAs in Dark on Cyber Threats, Gabrielle Karol
What Cyber Coverage Can Do
With the exception of reputational loss, the greatest expenses related to a breach are likely insurable
– Breach notification, crisis management, legal and forensics expenses
– Vicarious liability provides coverage for contractual liability with clients and vendors
– Covers expenses to rebuild, recreate and fix network systems and records
Crisis Services*: median cost $60,563; average cost $499,710
Legal Defense*: median cost $73,600; average cost $434,354
* 2015 Cyber Claims Study, NetDiligence
What Cyber Coverage Can Do
Third Party
– Network liability
– Privacy liability
– Media liability
– Regulatory
First Party
– Breach/notification costs
– Business interruption
– Cyber extortion
– PR costs
– Forensic costs
What Cyber Coverage Can't Do
As with every insurance policy, there are many common exclusions to note
– Malpractice or other bodily injury stemming from a cyber error or incident
– Unlawful collection or distribution of personal information
– Patent infringement
– Inadequate server capacity
– Programming errors
– Most reputational injury
– Loss of unprotected laptops or other devices
What Cyber Coverage Can't Do
Continued list of exclusions
– Fines and penalties (limited coverage)
– Product-related claims/product recall
– State-sponsored cyber terrorism
– Losses if controls were not functioning at time of loss (contestability clause)
– Exposures not "disclosed" in your application
– Service interruption
– Employment-related claims
What Cyber Coverage Can't Do
A cyber policy does not cover technology E&O
– If a claim results from the failure to prevent a breach of a client's data in the delivery of technology products and services, that claim is generally covered under a technology E&O form
– If the claim results from a breach of your own data, that claim is generally covered under a traditional "cyber" form
* Many times, these can be written by the same carrier on the same form to avoid gaps in coverage
Who Needs Technology E&O?
Any organization with "professional" exposures
– Technology consultants
– Software and internet vendors/retailers
– Outsourced IT providers
– Electronics and device manufacturers/medical technology companies
– Cloud service providers
– Hosting data for others for disaster recovery
Many non-technology companies have a tech E&O exposure. If any technology products or services are being provided to third parties, an organization may have this exposure if it is excluded by traditional GL/products coverage.
Due Diligence – What Can Your Clients Do?
– Utilize secure sending and receiving programs for exchanging sensitive information
– Only use secure connections; never use public Wi-Fi to conduct confidential work
– Secure any device that contains firm and client data, including encrypting the data
– Educate clients about firm security standards, including any dual authentication requirements
– Encourage clients to make protection of information and cyber security a priority by having a third-party IT assessment and addressing deficiencies, implementing employee training and considering risk financing methods
Claims Trends
Ransomware
– Finding success in healthcare
Identity theft
– Last year the IRS caught 1.4 million cases of identity theft in returns seeking $8.4 billion
Telephone Consumer Protection Act (TCPA)
– Almost always excluded from all policies
– Improper collection of information – is a third party advertising or marketing on your behalf?
– Courts are starting to interpret meanings, e.g., "advertisement" and "telemarketing"
Claims Trends
Business Email Compromise (BEC)
– Number one claim and type of near-miss we hear about from clients and prospects
– Over $1.2 billion in exposed loss according to the FBI
– FBI issued Public Service Announcements in August 2015 and April 2016 warning of BEC scams
Portable Devices
– FDIC data breach of 44,000 records inadvertently downloaded onto a portable device by an employee who was leaving
– Laptops continue to be stolen or go missing
– Implement best practices
Final Thoughts
– Cyber security and privacy liability risk management is a never-ending marathon, not a sprint
– Beware of anyone who believes they have it all figured out!
Questions or discussion?
Thank you!