Financial Institutions and Cyber Insurance National Council of Higher Education Resources October 6, 2017 Lorie Masters Partner, Hunton & Williams LLP (202) 955-1851 lmasters@hunton.com Jennifer White Associate, Hunton & Williams LLP (202) 955-1866 jewhite@hunton.com www.huntoninsurancerecoveryblog.com

Financial Institutions are Risk 2012: Wells Fargo, Bank of America, Citi Group and JP Morgan Chase experience internet blackouts 2014: JPMorgan Chase compromises 83M accounts affecting 76M households 2016: Tesco Bank loses $3M from 9K customer accounts; according to Beazley, banks and credit unions reported 46% of industry breaches in the first half of 2016 (versus 35% in 2015) 2017: Equifax

Cyber Breaches – Breaches by Industry* *Net Diligence, 2016 Cyber Claims Study (December 2016)

Cyber Breaches – Perpetrators within Banking* * Business Insider, quoting IBM X-Force Research; available at http://www.businessinsider.com/bank-data-breaches-are-up-and-its-an-insider-job-2017-5

Cyber Breaches – What It’s Worth to the Bad Actors* * Symantec, Internet Security Threat Report (April 2017)

Cyber Breaches – US Cyber Insurance Claims by Industry* *Net Diligence, 2016 Cyber Claims Study (December 2016)

Cyber Breaches – The Current Climate* $3.62 Million Average cost per incident in 2016 (up 29% since 2013) $141/stolen record 27.7% change of recurring breach over next 2 years Up by 2.7% from 2016 * Ponemon Institute, 2017 Cost of Data Breach Study: Global Overview (June 2017)

Cyber Breaches – Costs of Claims, by Industry* Financial services had the highest average cost of all sectors. *Net Diligence, 2016 Cyber Claims Study (December 2016)

Cost of a Data Breach – Per Capita Cost By Industry* * Ponemon Institute, 2017 Cost of Data Breach Study: United States (June 2017)

Abnormal Churn Rates by Industry* Churn rate = customer attrition following breach * Ponemon Institute, 2017 Cost of Data Breach Study: United States (June 2017)

Why Financial Institutions Need Cyber-Specific Insurance Portfolios Financial Institutions are Exposed* 19% of financial services companies have unpatched security vulnerabilities. Nearly 1 out of 5 financial institutions use an email service provider with severe security vulnerabilities. Financial Institutions are Under the Microscope Increased regulatory attention (e.g., NY law). Vendor/business associate exposure *Information from SecurityScorecard, available at https://cdn2.hubspot.net/hubfs/533449/SecurityScorecard_2016_Financial_Report.pdf

Cyber Coverage – General Overview “Pure” First Party Coverages Covered Claims Data/Information Loss Business Interruption Network Failure/Interruption Cyber-Extortion Reputational Harm Covered Costs Forensics Legal and PR Data Restoration Lost Income Common Endorsements PCI-DSS Dependent Business Income

Cyber Coverage – General Overview “Hybrid” First Party Coverage – Event Management/Breach Response Costs Covered Claims/Incidents Security Event (e.g., breach, use of code or DDOS against 3rd party) Privacy Event (involving PII or Confidential Business Information) Covered Costs Forensics to Determine Existence, Cause & Scope Legal and PR Mandated – and, sometimes, voluntary – Breach Notification Calls Centers Credit/Identity Monitoring Data Restoration

Cyber Coverage – General Overview Third Party Coverages What Third Parties? Customers/clients Employees Regulators Covered Liabilities Security failures Privacy failures Professional Services failures Media (e.g., online data) Covered Costs Defense Costs Judgments & Settlements Some types of interest Fines? Not Covered Costs Punitive damages

Critical Partner: Crime Insurance Why It Is Critical Financial loss due to social engineering threats Common Elements Covers dishonest third-party acts, e.g.: Employee theft Forgery or alteration Computer fraud and funds transfer fraud Kidnap, ransom, or extortion On- and off-premises robbery, etc. Counterfeit

Cyber-Risk Insurance Best Practices 1. Be careful with your insurance applications & renewals. Involve critical personnel. Answer fully and qualify answers when necessary. Don’t overstep. Practice what you preach. “Do you re-assess your exposure to information security and privacy threats at least yearly, and enhance your risk controls in response to changes?” “Whenever you entrust sensitive information to 3rd parties, do you perform due diligence . . . to ensure that their safeguards for protecting sensitive information meet your standards . . . ?” Review prior applications at renewal.

Cyber-Risk Insurance Best Practices 2. Aim for broad triggers and short waiting periods. Does first-party coverage require a wrongful act or an affirmative “failure”? Does coverage trigger on “discovery” or “occurrence”? Are you covered for “alleged” or “suspected” breaches? Keep the waiting period SHORT!

Cyber-Risk Insurance Best Practices 3. Mind the gaps. Both traditional coverages (CGL, Property, Crime, D&O) and cyber-specific insurance products may not provide adequate coverage financial industry cyber risks. Don’t assume you are covered. E.g., PCI-DSS coverage E.g., Apache case. Review every year, as if it were the first time.

Cyber-Risk Insurance Best Practices Examples of Common Gaps Definitions “Employee” – is it all-inclusive? “Control Group” – knowledge, exclusions, notice “Network” PII/Confidential Business Information Damages – does it include fines? Penalties? Regulators – does it include HIPAA, ERISA, SEC; “formal” v. informal? Exclusions Contract War Exclusion Other Retro Date The Word “Direct” Cryptocurrency (e.g., bitcoin) Single v. Multiple Event Actual v. Suspected

Cyber-Risk Insurance Best Practices 4. Think outside of the box on endorsements. Dependent service provider and contingent business interruption coverages Difference in Conditions (DIC) insurance, including provisional protection in the event of a coverage dispute. Property endorsements that offer DIC and Difference in Limits (DIL) insurance to the scheduled property for loss and damage related to cyber events.

Cyber-Risk Insurance Best Practices 5. Spread the risk. Contractual requirements for types and amounts of insurance Additional insured provisions BUT, may require carve- backs for certain exclusions (e.g., insured-versus-insured exclusion) Shift loss through litigation

Cyber-Risk Insurance Best Practices 6. Don’t stop thinking about insurance after the policies are in place. Insurance may come up again … Change in control. Change in scope of services/work. Acquisitions/mergers. New risks. New contracts.

Cyber-Risk Insurance Best Practices 7. Make sure you have the right advocates . . . Counsel Vendors . . . and then get them pre-approved.

Read more from Lorie and Jenn at Hunton’s Insurance Recovery Blog: Lorelie S. Masters is a nationally recognized insurance coverage litigator who has advised clients on a wide range of liability coverages, including insurance for environmental, employment, directors and officers, fiduciary, property damage, cyber, and other liabilities. Most recently, she obtained a settlement worth millions of dollars under D&O and E&O policies bought by a national nonprofit facing RICO and other high- stakes claims.  She served as lead trial counsel for policyholder in an action enforcing CGL insurance coverage for the then-largest property damage class action settlement ever.  The National Law Journal called that jury’s verdict one of the “most significant jury verdicts” of the year.  In addition to litigating insurance coverage disputes, Jennifer White advises industry leaders in finance, retail, manufacturing, and energy at the purchase and renewal stages of various types of insurance policies. Jenn excels at advising clients about how to improve cyber and crime insurance programs, and internal controls. Read more from Lorie and Jenn at Hunton’s Insurance Recovery Blog:   www.huntoninsurancerecoveryblog.com