Cyber Insurance - Risk Exposures and Strategic Solutions
ILTA Webinar
January 25, 2017

Speakers
- Debbie Novy, Senior IT Manager of Special Projects, Hunton & Williams, dnovy@hunton.com
- Jack Huddleston, Director of Administration, Thomas Horstemeyer, Jack.HuddlestonPhD@thomashorstemeyer.com
- Gary G. Beck, LL.M., Professional Services Group, gbeck@arcxs.com
- Richard Creel, RPLU, ASLI, MLIS, rcreel@arcxs.com

Survey
- 66.67% of those responding to the Cyber Liability Policy Survey DO NOT have a cyber liability policy in place
- 60% responded they do not have cyber liability indicating the primary reason was that they were unsure as to what limits and deductibles were appropriate
- 80% of those responding indicate that they are currently actively working with their broker regarding cyber liability coverage
- 60% of those responding have a formal incident response plan in place
- Those having/not having a security breach response team were split (46.67%/53.33%) almost evenly
- Over half (60%) of those responding indicated that they have a breach response team leader in place
Speaker notes: Jack

Understanding and Communicating the Business Case
- Fills gaps in other insurance that may not fully cover cyber liability
- Risk management – you may still be responsible if a breach occurs even if it involves hosted data
- Business continuity
- Provides resources and expertise that you may lack in setting up a risk analysis and ensuring compliance
- Clients are requiring it…
Speaker notes: From Jack. Transition to Debbie.

Understanding and Communicating the Business Case
Clients are now requiring their law firms to have cyber insurance. Outside Counsel Guidelines and Security Assessment questionnaires often state a coverage amount and items that must be covered, such as:
- System Attacks
- Unauthorized access and use of computer systems
- Spread of malicious code
- Crisis management and customer notification expense
- Privacy regulatory defense and penalties
- Liability arising from the cost or disclosure of confidential data
*Note – Cyber insurance may not cover all of these items. As we will discuss later, it is important to have the right combination of insurance to ensure the maximum level of protection.
In addition to covering the firm, clients expect these same protections to be extended to the law firm's third-party vendors.
Speaker notes: From Debbie

Legal Landscape: Regulations Lead to New Insurance Needs
- ABA Model Rule 1.6(c)
- Personal Data Privacy & Security Act of 2007
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The Gramm-Leach-Bliley Act of 1999 (GLBA)
- Fair Credit Reporting Act
- Fair & Accurate Credit Transactions Act of 2003
- Electronic Communication Privacy Act of 1986
- Family Educational Rights & Privacy Act (FERPA)
- State Specific Security Breach Notification Laws
- High Tech Act (enacted with Jan 2009 Federal Stimulus Package)
- GDPR – New European regulations
- State Bar specific canons/rules and state laws
Speaker notes: Debbie (Gary would address any questions). Debbie hand off to Rick.

Current Market Overview
- Cyber market is broadening: significant capacity available
- Growth coming from small to medium firms newly aware of the possible liability
- Annual gross written premium estimate: $3.25 billion (up from $2.75 billion)
- Improved Risk Management services
- Sublimits reduce insurer exposure
Speaker notes: Rick

How does Cyber Coverage fill potential gap issues?
Lawyers Professional Liability (LPL)
- Policies built to cover lawyers for malpractice
- Not designed to cover cyber risk (endorsements may exist)
- Should provide defense expenses and damages for certain third-party cyber claims
- First-party Property Cyber Risks are arguably not covered unless specifically included under sublimits
Kidnap & Ransom
- Covers Ransomware/Cyber Extortion related payments
Crime
- 1st party identity fraud expense reimbursement
- Rogue employee sabotage
- Computer crime by a third party
Property / Business Interruption
- Physical data destruction due to fire, water, or property damage
- Cyber coverage excludes physical damages due to non-cyber exposures
Speaker notes: Rick/Gary

What does Cyber Insurance Cover?
Common First-Party covers direct financial and consequential losses
- Forensic investigation of the breach
- Legal advice to determine your notification and regulatory obligations
- Business Income & Extra Expenses (due to breach)
- Crime Extortion
- Public relations
Common Third-Party (includes third parties with no direct contact) if you fail to protect your client confidential information
- Financial damages to that party
- Legal defense
- Settlements, damages and judgements related to the breach
- Regulatory fines & penalties (including Payment Card Industry fines)
- Costs of responding to regulatory inquiries
- Professional liability
Speaker notes: Rick/Gary

What to Look for or Consider when Placing Cyber Insurance
- Liability: defense and settlement costs for the insured arising out of its failure to properly care for private data
- Remediation: response costs following a data breach, including investigation, public relations, customer notification, and credit monitoring
- Regulatory Fines and/or Penalties: the cost to investigate, defend and settle
- PCI (Credit Card) Fines & Penalties
- Business Interruption
- Restoration
- No Terrorism Exclusion
- No Sublimits
- Choice of Defense Counsel
- Enterprise-wide protection for all your data even when it's outsourced to the cloud
- Alternative flexible D.I.C
- Cyber policy can be primary, excess, or co-primary depending on LPL coverage
Speaker notes: From Gary/Rick

What to Expect When Purchasing a Policy
- It can be a complex process
- Use a broker with law firm cyber liability insurance experience
- Application process can be long and detailed – each carrier has their own application
- Present your risk in the best possible way
- Cost Rule-of-Thumb: 10% of the LPL premium
- Questions to ask:
  - Are international offices covered?
  - Who is responsible for breach of data stored in the cloud? The law firm, the cloud services provider, both?
- A broker can help simplify the entire process
Speaker notes: From Debbie/Rick/Gary

Audience Q&A