Society of Risk Management Consultants

Presentation transcript:

Society of Risk Management Consultants
Cyber Risk: Current market(s) and drivers of change
Scott Kannry, 03.20.2015

Cyber Loss Spectrum
Losses due to cyber events (data breaches, destructive attacks, and other unauthorized access or use of your computer systems) can be categorized into these four quadrants.
Quadrant axes:
- 1st Party Damages (to your organization) / 3rd Party Damages (to others)
- Financial Damages / Tangible (Physical) Damages

Cyber Insurance Timeline
Cyber: The New CAT
[Timeline figure; time axis: 1990, 2000, 2010]
Events: Ingram Micro v. American Guarantee & Liability; CA SB 1386 Breach Notification; Stuxnet; 46 State-level Notification Laws
Coverages: More robust electronic data exclusions; P&C carriers strengthen exclusions, e.g. CL380; Cyber coverages begin to appear; Privacy Breach Liability Coverage; New cyber coverages emerge; Breach Regulatory Event Expense; Future? Affirmative coverage in existing lines; Network Business Interruption; Information Asset Protection

Upper two quadrants: Financial Damages

Data Breach — Target, by the numbers
- 40 million credit cards + 70 million customer records stolen
- $54 million: income to cyber criminals
- $400 million: cost of replacing credit cards
- $150 million: Target initial response cost
- $1 billion: estimated ultimate cost to Target
- 140: number of active lawsuits against Target
- 2: number of C-suite executives at Target who were fired
- 7: number of Directors targeted by Institutional Shareholder Services for ouster, claiming failed duties to shareholders
Important to watch because of the unprecedented impact on the Board and C-Suite and the record-breaking damages. All data with black-market value is at risk.

Cyber Loss Spectrum: Financial Damages, 1st Party Damages (to your organization)
- Response costs: forensics, notifications, credit monitoring, crisis management, public relations
- Legal expenses: advice and defense
- Revenue losses from network or computer outages, including cloud
- Cost of restoring lost data
- Cyber extortion expenses
- Value of stolen intellectual property and associated revenue and market share losses

Available Insurance: Financial Damages, 1st Party Damages (to your organization)
- Response costs: forensics, notifications, credit monitoring, crisis management, public relations
- Legal expenses: advice and defense
- Revenue losses from network or computer outages, including cloud
- Cost of restoring lost data
- Cyber extortion expenses
- Value of stolen intellectual property and associated revenue and market share losses
Widely available cyber insurance:
- ~60 insurers
- Limits of up to $200 million (or greater with some work)
- Specifics vary by carrier: triggers, cloud asset coverage, flexibility in service providers (read the policy)
The slide also carries the label "Unavailable coverage".

Cyber Loss Spectrum: Financial Damages, 3rd Party Damages (to others)
3rd Party Entities may seek to recover:
- Consequential revenue losses
- Restoration expenses
- Legal expenses
- Credit monitoring costs
3rd Party Entities may issue or be awarded civil fines and penalties.

Available Insurance: Financial Damages, 3rd Party Damages (to others)
3rd Party Entities may seek to recover:
- Consequential revenue losses
- Restoration expenses
- Legal expenses
- Credit monitoring costs
3rd Party Entities may issue or be awarded civil fines and penalties.
Widely available cyber insurance, subject to caveats on previous page (read your policy).

Lower two quadrants: Tangible (Physical) Damages

Destructive Attack — BTC Pipeline
Source: Bloomberg.com, 12/10/2014, © 2015 Bloomberg
2008: Turkey; deemed cyber attack in 2014
- Cyber attack through wireless network for surveillance cameras
- Shut down alarms, severed communications, and super-pressurized oil in pipeline
Impact:
- Spilled 30,000 barrels of crude
- 3-week pipeline disruption
- Azerbaijan lost $1B in revenue
- BP lost $10 million in tariffs
Replaces Stuxnet as first cyber attack resulting in major physical damage.
Image from Bloomberg: http://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar

Cyber Loss Spectrum: Tangible (Physical) Damages, 1st Party Damages (to your organization)
- Mechanical breakdown of your equipment
- Destruction or damage to your facilities or other property
- Environmental cleanup of your property
- Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
- Bodily injury to your employees
Note: Point out here that the lost revenue bullet point should perhaps be in the upper left quadrant, but has been placed here because it is typically covered by property insurance.

Traditional Cyber Insurance: Tangible (Physical) Damages, 1st Party Damages (to your organization)
- Mechanical breakdown of your equipment
- Destruction or damage to your facilities or other property
- Environmental cleanup of your property
- Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
- Bodily injury to your employees
Excluded from traditional cyber insurance coverage.

Property Insurance: Tangible (Physical) Damages, 1st Party Damages (to your organization)
- Mechanical breakdown of your equipment
- Destruction or damage to your facilities or other property
- Environmental cleanup of your property
- Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
- Bodily injury to your employees
Coverage under traditional property insurance is uncertain:
- Many policies are silent (litigation risk)
- Some policies contain complete cyber exclusions (e.g., CL-380)
- Other policies contain potential exclusions: electronic data, terrorism
- Read your policy

“New” Cyber Insurance: Tangible (Physical) Damages, 1st Party Damages (to your organization)
- Mechanical breakdown of your equipment
- Destruction or damage to your facilities or other property
- Environmental cleanup of your property
- Lost revenues from physical damage to your (or dependent) equipment or facilities (business interruption)
- Bodily injury to your employees
New forms of cyber insurance are available to close gaps in property policies — affirming coverage:
- 2 insurers offer “gap-filler” coverage
- Another offers a standalone policy
- Challenge: lower limits are available than many property programs
Note: Mention the risk of having this coverage in a separate tower – unprovable cyber risk quandary.

Cyber Loss Spectrum: Tangible (Physical) Damages, 3rd Party Damages (to others)
- Mechanical breakdown of others’ equipment
- Destruction or damage to others’ facilities or other property
- Environmental cleanup of others’ property
- Bodily injury to others

Insurance: Tangible (Physical) Damages, 3rd Party Damages (to others)
- Mechanical breakdown of others’ equipment
- Destruction or damage to others’ facilities or other property
- Environmental cleanup of others’ property
- Bodily injury to others
Coverage:
- Excluded from traditional cyber insurance coverage
- Questionable coverage in traditional casualty policies (similar to property policies)
- “New” cyber coverage is available — mind the triggers

AXIO’s APPROACH
[Figure labels: INVEST IN CYBER CAPABILITY DEVELOPMENT; SUSTAIN CAPABILITY AND INVEST IN INSURANCE. Insurance lowers the risk impact curve overall.]
Perhaps the biggest challenge currently faced by CISOs, Risk Managers and Boards of Directors is the lack of actionable insight and metrics related to cyber program performance and cyber risk exposure. These individuals yearn for better information to help inform investment, continually mature cyber programs, and communicate resilience to shareholders and stakeholders. The insurance industry has filled this void in other areas of risk, such as the tangible property world, where dependable exposure and loss metrics have helped inform investment into protective controls. This insight helps risk professionals achieve better harmony of controls and more effectively spend their next dollar to achieve the greatest risk reduction benefit. Axio Global is changing the game to deliver the cyber risk engineering promise of the insurance industry and help firms harmonize investment into cyber security technology and cyber insurance.

AXIO PROCESS
The Axio process includes 5 steps that result in an optimized response to your cyber risk. Depending on your situation, all 5 steps may not be needed; we offer each step as an independent engagement. The completion of all steps leads to deployment of insurance instruments to protect your balance sheet with more comprehensive risk transfer capacity.
- Cyber Sapience™ Dashboard: Program evaluation workshop to deploy the Axio dashboard. Provides initial programmatic benchmark. Evaluation is based on C2M2, the Cybersecurity Capability Maturity Model — a recommended approach to deploy the NIST Cyber Security Framework.
- Cyber Loss Scenarios: Create notional and feasible cyber loss scenarios. 1-day workshop to describe scenarios that could lead to covered and uncovered losses; estimate potential impacts.
- Cyber Risk Engineering: Inform investment through in-depth analyses. Detailed impact studies, frequency estimation, loss controls, statistical modeling, and improvement planning.
- Insurance Placement: With brokers and insurers, secure meaningful coverage. Various new coverage forms and enhanced existing forms are becoming available.
- Policy Analysis: Work with broker to identify gaps in current insurance coverage. Understand the types of cyber events that are not covered by your current insurance.

CYBER SAPIENCE™ DASHBOARD
Backed with financial data, CFOs are ready to brief the board at a moment’s notice. Axio’s Cyber Sapience™ Dashboard provides CISOs with the data set to do the same. The Cyber Sapience™ Dashboard provides CISOs constant visibility into cyber risk exposure and the overall health of the organization’s cyber program. Our holistic and cost effective solution:
- MEASURES IMPLEMENTATION & MATURITY: Based on C2M2 — a recommended approach to deploy the NIST Cyber Security Framework.
- TRACKS PERFORMANCE: By benchmarking internally and against peers.
- INFORMS INVESTMENT: Helps prioritize investment decisions and defend your program’s budget.
- QUANTIFIES CYBER RISK EXPOSURE: Captures impact estimates for your unique risks and helps understand the boundaries of your insurance program in covering those impacts.
[Dashboard panels: CYBER SAPIENCE INDEX; PEER COMPARISON; RISK IMPACT BENCHMARK BY SCENARIO WITH AND WITHOUT INSURANCE]

Contact
SCOTT KANNRY, Executive Vice President
skannry@axioglobal.com
708-420-8611
New York, NY