Cyber Insurance: An Update on the Market’s Hottest Product Richard S. Betterley, CMC Betterley Risk Consultants, Inc. Sterling, MA Independent Risk Management Consultants since 1932 Publishers of The Betterley Report at www.betterley.com

Cyber Risk Insurance: What Does (or Should) it Cover? Liability for loss of personally identifiable information Not just electronic, but all types of data, including paper Corporate information, not just individuals All types of data, not just financial Some cover loss of data when in the possession of a 3rd party, such as a vendor Many think it covers all liability for all types of electronic activity, such as social media; it doesn’t Costs for responding to a data breach Public relations response Legal guidance Victim notification Credit monitoring 9/21/2018

Coverage (cont’d.) Fines and penalties Value-added Services Defense costs Consumer Redress funds Civil money penalties (but not if unlawful to insure; look for most favored venue language) Penalties imposed by credit card issuing entities (Visa/MasterCard, etc.) Typically sub limited Value-added Services Discounted response services Network testing 9/21/2018

Coverage Options 1st Party Theft Loss of Data Business Interruption and Extra Expense Cyber Extortion Crisis Response Fund Theft Data $$$ Products or Services 9/21/2018

Media Liability All media activities or just online media (including social media) Intellectual Property liability coverage: Copyright infringement – can be included Trade or Service Mark infringement – can be included Patent Infringement – cannot be included in most forms 9/21/2018

Notable Exclusions Dishonest/Criminal/Intentional Acts (but severability generally applies) Contractual Liability Data Outside of Your Network This is in reference to cloud-type computing, which is often insurable Non-electronic data Such as paper documents; generally insurable 9/21/2018

Deductible or SIR (Minimum & Maximum) Prominent Carriers Carrier Capacity Available Deductible or SIR (Minimum & Maximum) Ace $25 million Minimum Retention $5,000 Data Breach Fund Retention $0 Allied World $5,000 minimum – no maximum Beazley Minimum normally $25,000 (3rd-party), $100,000 (1st party) CFC $10 million Minimum Retention $1.000 Chartis Minimum retention $5,000 Chubb Minimum Deductible Amount: $15,000 CNA Varies The Hartford $10 million (Primary or Excess) Minimum Deductible: $25,000 Hiscox $10 million for stand-alone Privacy Protection and Breach Costs coverage Minimum Retention: $2,500 Safeonline $20 million Minimum Deductible $2,500 Travelers $10 million for commercial accounts Minimum Deductible: $5,000

The Market Annual premium volume in the U.S. (GWP) = $800 million and growing (following tables from Betterley Risk Research’s “Understanding the Cyber Risk Insurance and Remediation Services Marketplace: A Report on the Experiences and Opinions of Middle Market CFOs” © 2010) 9/21/2018

Objections to Buying Cyber Insurance 9/21/2018

Problem Areas Serious concern whether underwriting and pricing can keep up with the black hats Active hostiles operating outside the law and largely invisible Extensive cooperative network to share and improve tools Automated attacks Rapidly evolving tools and techniques 9/21/2018

Technology-oriented coverage is not well understood by agents/brokers and insureds (and probably consultants) Confusion in the marketplace leading to bad buying decisions – or no buying decision Copycat carriers lack tools to understand and manage the risk Not enough knowledgeable underwriters and claims staff 9/21/2018

Cloud computing – does it improve or degrade the risk for the user? Potential for improvement because centralized data services are easier to defend But when a breach occurs… Accumulation risk Users may focus on price and assume security 9/21/2018

Opportunity Potential for rapid growth Add in for package policies and Management Liability products Declining cost of breach response services 9/21/2018

The Betterley Report A series of 6 annual evaluations of specialty commercial lines insurance products; including: Technology E&O (February) Intellectual Property and Media Liability (April) Cyber/Privacy (June) Private Company Management Liability (August) Side A D&O (October) EPLI (December) For more information, go to www.betterley.com 9/21/2018

Sources for this Presentation Betterley Risk Research “Understanding the Cyber Risk Insurance and Remediation Services Marketplace: A Report on the Experiences and Opinions of Middle Market CFOs” published September 2010 www.betterley.com The Betterley Report “Cyber Risk and Privacy Insurance Market Survey 2011” published June 2011 www.betterley.com 9/21/2018