Managing a Cyber Event
  Steven P. Gibson
  President, Dealer Risk Services, Inc.
  sgibson@dealerriskservices.com
  www.dealerriskservices.com
A REVIEW OF THE EXPOSURE
  Entities that we entrust to safeguard our Personal and Confidential information
    Banks/Lending Institutions
    Physicians/Medical Offices
    Auto Dealerships
  Of these 3... which would be the most vulnerable to a cyber/security breach?
DEALERSHIP AREAS OF EXPOSURE
  Handling/Storage of Hard/Paper Files
    Customer Files
    HR Files
  DMS Systems
  Dealership Computer Systems/Servers
  Employee Owned Devices
POTENTIAL PERPETRATORS
  Disgruntled Employees
    Terminations
    Underperformers
    Employees with unknown issues
  Outside Influences
    Hackers
    Competitors
    Vendors
CLAIM/EVENT CONSEQUENCES
  Cost of Legal Services
  Cost of Computer Forensic Services
  Mandatory Notification Costs
  Call Center Services
  Breach Resolution and Mitigation Services
  Suits/Litigation
    Individuals
    Class Action
  Public Relations and Crisis Management Expenses
  Fines and Penalties
INSURANCE 101
  Handling the Cost of a Loss
    Risk Avoidance – Eliminating the Risk
    Risk Acceptance – Accepting the entire cost of the Risk
    Risk Transfer – Moving all or a portion of the Risk to a Third Party
CYBER – SPECIALTY MARKETS
  AIG
  BEAZLEY
  ENDURANCE
  HISCOX
  LIBERTY INTERNATIONAL
  CHUBB
  LLOYDS
THE COVERAGE
  Insuring Clause I – Cyber & Privacy
    Cyber Liability
    Privacy Liability
    System Damage
    System Business Interruption
    Consequential Reputational Harm
    Regulatory Actions and Investigations
THE COVERAGE (CONTINUED)
  Insuring Clause II – Privacy Breach Notification Costs
    Your Notification Costs
    Third Party Notification Costs
THE COVERAGE (CONTINUED)
  Insuring Clause III – Cyber Crime
    Computer Crime
    Identity Theft
    Cyber Threats and Extortion
    Telephone Hacking
    Phishing Scams
THE COVERAGE (CONTINUED)
  Insuring Clause IV – Multimedia & Advertising Injury
    Defamation
    Intellectual Property Rights Infringement
    Invasion of Rights of Privacy
    Content Liability
THE COVERAGE (CONTINUED)
  Insuring Clause V – Technology Errors & Omissions
  Insuring Clause VI – Court Attendance Costs
  Insuring Clause VII – Crisis Communications Costs
THE COVERAGE (CONTINUED)
  Definitions
    You/Named Insured
    Claim
    Cloud Computing Provider
    Computer Systems
    Confidential Information
    Hacking Attack
    Security and Privacy
    Third Party Loss
  Exclusions
    Fines and Penalties (unless insurable by law)
THE COVERAGE LIMIT
  Limit of Liability per Claim
  Aggregate Limit of Liability
  How Much is Enough
  Potential Exposure
  Number of Records (PIIs) held
  Notification Costs: $35 to $135 per Record
  Public Relations Costs
  Defense Costs: Normally included in Limit of Insurance
  Deductibles
  Retention Limits
THE CYBER EVENT TEAM
  Breach Response Team
    Event Analysis (forensics)
    Managing the Response
  Notification Letters
  Credit Monitoring
    Monitoring Affected Individuals
  Public Relations
    Initial Damage Control
    Ongoing Campaigns
NOTIFICATION PROCESS - TIMELINE
  Notification to Carrier
  Carrier Breach Team investigates the extent of the breach and consults with Insured on regulations
  Insured and Counsel approve notification letter
  Notification letters sent with offer of Credit Monitoring Package
  Responses of potentially affected Individuals are monitored
PUBLIC RELATIONS
  Post Event Public Relations Campaign
  Key Strategies
    Designed to lessen the negative impact on sales
    Reduce potential for class action litigation
  Key Strategies
    Manage the News
    Initial Press Releases
    Ongoing Ad Campaign
    Initiate Preventative Measures
    Reactive measures
    Proactive measures
The Storm on the Horizon
  Large Data/Security Breaches
    Yahoo: 500M Records
    MySpace: 360M Records
    LinkedIn: 167M Records
    eBay: 145M Records
    Target Stores: 110M Records
    Sony Entertainment: 102M Records
    Anthem: 80M Records
    JP Morgan/Chase: 76M Records
    Target: 70M Records
    The Home Depot: 56M Records
    Ashley Madison: 37M Records
    Office of Personnel Mgmt: 21.5M Records
    Excellus Blue Cross: 10M Records
    Community Health Services: 4.5M Records
    Neiman Marcus: 1.1M Records
Breach Cost – example
  Target Stores
    Class Action Lawsuits
    Notification Costs
    Loss of Revenues