CyberEdge® Risk Management Solution


Today’s Discussion Topics
- Cyber as a Peril
- The Need for an End-to-End Risk Management Approach for Cyber

What’s New
- Cyber as a Peril
- CyberEdge Plus

Cyber Impact Framework
Potential damages from a cyber event
Cyber event impacts and insurance coverages map to these four quadrants, formed by 1st Party Damages and 3rd Party Damages on one axis and Financial and Tangible on the other.

Impacts from a Cyber Event — the details
Cyber impacts will align with one or more of these four quadrants

1st Party Damages, Financial
- Response costs: forensics, notifications, credit monitoring
- Legal: advice and defense
- Public Relations: brand protection
- Revenue losses from network or computer outages, including cloud
- Cost of restoring lost data
- Cyber extortion expenses
- Value of intellectual property

3rd Party Damages, Financial
- 3rd Parties may seek to recover: Consequential revenue losses; Restoration expenses; Legal expenses; Shareholder losses; Contractual liabilities; Other financial damages
- 3rd Party Entities may issue or be awarded civil fines and penalties

1st Party Damages, Tangible
- Mechanical breakdown of your equipment
- Destruction or damage to your facilities or other property
- Environmental cleanup of your property
- Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
- Bodily injury to your employees

3rd Party Damages, Tangible
- Mechanical breakdown of others’ equipment
- Destruction or damage to others’ facilities or other property
- Environmental cleanup of others’ property
- Bodily injury to others

Destructive Cyber Attack
- Security failure was of the pipeline owner’s computer system
- Resulted in pipeline breach and spilled 30,000 barrels of oil
Impact summary (quadrant diagram: 1st / 3rd, Financial / Tangible): Environmental Cleanup; Property Damage; Business interruption

Cyber Product Liability
- Unlike the other 2 examples, the security failure was of a computer system designed by the automaker but owned by the vehicle owner
- A demonstration of the capability to hack did not result in accidents, but did result in a recall by the auto manufacturer to minimize the potential for accidents and injuries
Potential impact summary (quadrant diagram: 1st / 3rd, Financial / Tangible):
- Investigation expenses
- Public relations and other event response expenses
- Accidents and injuries did not occur, but could have, which would have resulted in damages in this quadrant
INTERNAL USE ONLY

End-to-End Risk Management Solution

Claims Narratives in CyberEdge App

Infrastructure Vulnerability Scanning, Powered by IBM
- Provides vulnerability management led by an experienced security consultant
- Detects vulnerabilities across network devices, servers, web applications, and databases to help reduce risk exposure and better manage compliance requirements
- Strong security expertise provides vulnerability identification with resulting prioritized plan for remediation and improved security
Key Components
- Reports demonstrate compliance with federal, state and industry regulations
- Assess an environment from either the external or internal perspective
- IBM expertise improves accuracy of findings and reduces mitigation time
- Consultation on recommendations for improved security

CyberEdge Hotline: 1-800-CYBR-345
- 24/7 hotline staffed by IBM experts to respond to Insureds’ concern that they may be the victim of a breach
- The IBM experts will go over key indicators of a breach with the Insured’s IT department to determine if one has indeed occurred.
- If a breach is suspected or has occurred, Insureds will be automatically connected with our CyberEdge Breach Resolution Team.
- IBM experts respond to Insureds and review key indicators of a breach with the Insured’s IT

RiskAnalytics
- CyberEdge RiskTool: Managing the human element of risk
- Proactive Shunning Services: New layer of network security

CyberEdge RiskTool
75% of breaches reported were due to human error/negligence.
- Web-based customizable risk management platform
- Manage the human element of cyber risk and manage compliance
- Pre-populated with: Corporate security policies; Training with exams; Self assessments and risk guides
- Simplifies and documents end user training
- Unlimited use

What is Shunning?
- Service blocks CrimeWare through multiple appliance options
- Matched to network speed and failover requirements
- Positioned outside the firewall, no impact to existing network
- Real-time updates

Cybersecurity Maturity Assessment
- Leverages the NIST Cybersecurity Framework
- Organizations will have a view of gaps between their current and ideal cybersecurity posture.
- Insureds have access to RSA’s Advanced Cyber Defense (ACD) practice to provide operational expertise in closing the gaps and protecting the critical business assets.

NIST Cybersecurity Framework Overview

Core
- Functions: IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER
- Categories
- Subcategories
- Informative References

Tiers
- Tier 1: Partial. Ad hoc risk management; Limited cybersecurity risk awareness; Low external participation
- Tier 2: Risk Informed. Some risk management practices; Increased awareness, no program; Informal external participation
- Tier 3: Repeatable. Formalized risk management; Organization-wide program; Receives external partner info
- Tier 4: Adaptive. Adaptive risk management practices; Cultural, risk-informed program; Actively shares information

Profile
- Current Profile: Current state of alignment between Core elements and organizational requirements, risk tolerance, & resources. Where am I today relative to the Framework?
- Roadmap
- Target Profile: Desired state of alignment between Core elements and organizational requirements, risk tolerance, & resources. Where do I aspire to be relative to the Framework?

BitSight Security Ratings
- Security ratings for organizations to measure and monitor their own network and those of their third-party vendors.
- Continuous measuring of externally observable event and diligence data

BitSight Security Ratings

BitSight Security Ratings – sample report

Dark Net Intelligence, Powered by K2 Intelligence
- Intel of latest chatter inside the black hacker markets and forums, ‘dark net’
- Mines the dark net for data using web crawlers and sophisticated human intelligence
Value Add
- Proactive threat intelligence
- Due diligence during M&A transactions

Portfolio Analysis, Powered by Axio Global
- One-day loss scenario workshop to estimate the financial impact of information technology and control systems
- Analysis of a client’s entire Property and Casualty insurance portfolio to identify how it would respond to a complex cyber event
- Self-evaluation of a client’s cybersecurity program based on the Cybersecurity Capability Maturity Model (C2M2)

Consultation
- Two complimentary hours from a specialized law firm to provide guidance on building and executing an incident response plan, as well as ensuring an organization is compliant with regulatory standards.
- One complimentary hour from a forensic firm on what an organization’s technical response plan should include.
- One complimentary hour from a vetted public relations firm to discuss an effective crisis communication plan to handle and mitigate the potential reputational and brand risk an organization would face in the event of a breach.

DRAFT - NOT FINAL & NOT FOR USE
CyberEdge Pre-loss Complimentary Services
Columns: Service Name, Value, Summary, Included

- RiskTool. Value: Employee Awareness, Training, & Compliance. Summary: Unlimited use, customizable solution that reduces the single largest risk to an organization - human error.
- Blacklist IP Blocking. Value: Powered by Global Threat Intelligence. Summary: Stops criminal activity on your network by blocking bad DNS and IP traffic – inbound or outbound.
- SecureDNS. Value: Secures your DNS for a safer Internet. Summary: Takes away a very critical route cyber criminals need to phish and trick users to deliver Ransomware, infect systems, exfiltrate stolen data and cause a cyber breach. It redirects users to a safe landing page and sends bad traffic to a sinkhole for analysis.
- Domain Protection. Value: Identify and Block typo squatting domains. Summary: Protects your organization by identifying and then blocking knockoff domains used by criminals through social engineering to trick employees into clicking and accepting
- Infrastructure Vulnerability Scan. Value: Identification of high risk infrastructure vulnerabilities. Summary: Select parts of your infrastructure to have experts discover and identify vulnerabilities that are open to potential exploits by cyber criminals.
- Risk Consultation – Legal. Value: Review and strengthen Incident Response capabilities. Summary: Two hours of consultation from an expert on incident response planning, regulatory compliance, security awareness, and privacy training.
- Risk Consultation – Forensic. Value: Organizational preparedness for different threat scenarios. Summary: One hour from a forensic expert on what an organization needs to think about and prepare for different threat scenarios.
- Risk Consultation – Public Relations. Value: Crisis communication plan best practices and preparation. Summary: One hour from an expert to discuss preparations and plans for your organization to handle potential scenarios should they occur.
- CyberEdge Hotline. Value: 24/7/365 cyber forensic hotline. Summary: Experts immediately available to call and review Indicators of Attack or Indicators of Compromise to triage potential cyber events.
- Insurance Portfolio Diagnostic. Value: Cyber as a peril analysis against insurance portfolio. Summary: Experts review your entire property and casualty portfolio to determine how it is anticipated to respond to the full spectrum of cyber predicated financial and tangible losses.
- Cybersecurity Information Portal. Value: Online Access to Cybersecurity Information. Summary: 24/7 365 access to current cybersecurity information.

Discounted Fee Based Partner Services
- Dark Net Intelligence, Advisory Services: Customized human intelligence gathering to help clients stay apprised of what the latest chatter is inside the black hacker markets and forums aka “dark net.”
- Cybersecurity Maturity Assessment: RSA’s Governance, Risk, and Compliance (GRC) solution helps organizations assess their cybersecurity risk.
- BitSight Security Ratings: Generates security ratings for organizations to measure and monitor their own network and those of their third-party vendors.
- Portfolio Analysis: Provides clients with a holistic picture of their cyber exposure by addressing the full range of potential cyber losses.
- Configuration, Auditing, and Management Tool: Focuses on compliance and remediation requirements for key areas like PCI DSS 3.0, HIPAA, ISO, CSA, etc.
- Security Regulation Resource: Cybersecurity resource featuring information on mandates in 23 key markets

Discounted Fee Based Partner Services
- Anti-Phishing: Simulated phishing attacks, auto enrollment, and interactive training modules for employees
- Vendor Security Ratings: Generates security ratings for organizations to measure and monitor their own network and those of their third-party vendors
Visit http://www.aig.com/business/insurance/cyber-insurance and watch our CyberEdge Partner video series.
… and more to be announced shortly!

Contact Information
Bridget Sakach
Network Security & Privacy Specialist
216.479.8951
Bridget.Sakach@aig.com

American International Group, Inc.
American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange.
Additional information about AIG can be found at www.aig.com | YouTube: www.youtube.com/aig | Twitter: @AIG_LatestNews | LinkedIn: http://www.linkedin.com/company/aig
AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at www.aig.com. All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.