Cyber Liability Coverage – Sell it or get sued By Augusto Russell and Rick Grimes

Table of Contents Introduction 3 Privacy Breach Coverages – First Party and Third Party 4 Post Breach Response Considerations 9 Coverage Features 10 Coverage Enhancements 12 Common Objections to Buying Cyber 13 Resources and Tools 16 Data Breach Costs 17 Key Questions 21 Conclusion 22

Introduction Cyber liability policies, officially known as “Network Security and Privacy Liability Products”, are specifically designed to address the growing exposure of privacy breach, network breach and Cyber Crime exposures. Yet even with the increase of well publicized incidents, many companies are still hesitant to pull the trigger on purchasing coverage. Deciphering confusing non-standardized policy language is half the battle. Being able to fully articulate the services and resources provided by a cyber policy and counter client objections is the other. If the current trends continue, so-called Cyber insurance coverage just may take its place alongside workers compensation, general liability, fire, and auto insurance in the core commercial P&C package, meaning a business would be foolish to open its doors without it. The reason is simple: Virtually every modern enterprise from the local doctor’s office and supermarket, to Fortune 100 corporations lives and breathes on its IT applications, databases and computer systems. When IT goes down, business screeches to a halt. If your clients suffer a cyber related loss and were unaware of an affordable insurance that could help guide them through a loss, provide and coordinate resources to assist during this crisis, guess who takes the blame?

Privacy Breach Coverages Privacy Breach Expense Legal Forensic investigations Crisis management Notification Call center support Credit monitoring Fraud remediation PR assistance 3rd Party (Liability) Defense costs Fines Penalties

Post Breach Response Considerations Determine if a privacy breach occurred Assess severity of the event Explain breach response requirements and best practices Breach Counseling Time-saving professional service to guide you in handling a breach Work closely with policyholder and claims to outline an action plan Public relations assistance to help restore your business’ reputation Crisis Management Drafting and review service for creating notification letters Support in drafting and delivering alternative forms of notification Assistance in discussions with 3rd parties that need to be notified Notification Assistance Service recommendations to impacted individuals such as call handling , monitoring products, and identity theft resolution services Remediation Planning Documentation of steps taken and remediation services provided to manage the privacy breach Expert Testimony witness if a claim goes to court Evidentiary Support

First Party Coverages Business Interruption - Provides coverage for business interruption incurred by an insured as the direct result of an enterprise security event which causes system failure. Data Restoration - Pays the reasonable costs incurred by the insured, in excess of any normal operating costs, for the restoration of any data stored on the insured’s computer system that is lost during the policy period as a result of an enterprise security event Cyber Extortion Payments - Provides coverage for expense and/or loss incurred as the result of any extortion threat first made against an insured during the policy period. Crisis Management Expenses - Covers crisis management and public relations expense incurred by an insured as the result of an enterprise security event .

First Party Coverages (Continued) Notification Expenses - Covers expenses incurred by Insured to notify customers whose sensitive personal information has been breached Credit Monitoring Expenses – Covers expenses incurred after a breach to provide credit monitoring to those third individuals impacted by breach Forensic Costs – Covers costs incurred for a forensics firm to determine the cause, source and extent of a Network Attack; or investigate, examine and analyze the Named Insured’s Network, to find the cause, source and extent of a Data Breach. Social Engineering / Funds Transfer Fraud – Covers Crime loss when employees, acting in good faith, comply with instructions sent via email to make a wire transfer or another type of transfer, to a fraudulent third party replicating a legitimate correspondence.

Third Party Coverages Network Security Liability - Covers liability of the organization arising out of the failure of network security, including unauthorized access or unauthorized use of corporate systems, a denial of service attack, or transmission of malicious code. Privacy Liability Coverage - Covers loss arising out of the organization’s failure to protect sensitive personal or corporate information in any format. Regulatory Actions - Provides coverage for regulatory proceedings brought by a government agency alleging the violation of any state, federal, or foreign identity theft or privacy protection legislation. Additional Coverage Electronic Media Liability Coverage (also known as Content Liability on some policies) - Covers infringement of copyright or trademark, invasion of privacy, libel, slander, plagiarism, personal injury, or negligence arising out of electronic and non-electronic content. Includes Advertising activities.

Post Breach Response Considerations Data Security IT Computer Forensics Breach Response Team Business Admin Privacy Law

Coverage Features Coverage for “Innocent Insureds” for authorized employees acting in “unauthorized manner” – Rogue Employees Coverage includes “off-line data / non-electronic data” in case of breach of data, not just data in electronic form. (Think paper files that have not or will not be scanned that contain sensitive third party corporate information or non-public personal information!) Coverage extends to Claims brought against the Insured due to unauthorized disclosure by independent contractors and vendors that are holding, processing or transferring information on behalf of the Insured Include coverage for breach of not only Non-public Personal data (i.e. Individual’s name, address, telephone number, social security number, etc) but also confidential / sensitive third party commercial information which Insured is obligated to keep such information private such as trade secret, data, design, interpretation, forecast, formula, method, practice, credit or debit card magnetic strip information, process, record, report, etc.

Coverage Features Full Prior Acts Coverage / No Retro Date Payment Card Industry (PCI) Loss coverage - monetary assessments, fines, penalties, chargebacks, reimbursements, and fraud recoveries which an Insured becomes legally obligated to pay Health Insurance Portability and Accountability Act (HIPAA) coverage Coverage can be bundled to include Technology E&O and Miscellaneous Professional Liability

Coverage Enhancements Cyber Crime: Social Engineering (Fraudulent Instruction) Funds Transfer Fraud (Financial Institution) Telephone Fraud Reputational Loss Criminal Rewards Business Interruption coverage broadened to include triggers for: Interruption to outsourced IT provider that impacts Insured’s revenue System failure of Insured or outsourced IT provider due to include administrative or operational mistakes not just a cyber event Bodily Injury caused by a data or privacy breach Option for Defense Costs and Breach Costs Outside Limit Access to third party cyber security consultants

Common Objections to Buying Cyber The applications are too long We do not sell products or services online We outsource credit card processing and data storage to outside vendors We have the latest network security / encryption / firewalls in place We are a small company, under the radar We do not keep any sensitive data of our customers on our server Other policies we have may provide coverage / We have cyber endorsed onto one of our policies already We are better off saving premium dollars to use in case we have a breach

Common Objections to Buying Cyber The applications are too long For many clients an indication can be generated by asking as few as 4 questions We do not sell products or services online Cyber Liability insurance is not limited to e-commerce We outsource credit card processing and data storage to outside vendors Ultimately Insured is responsible for safe-keeping of data We have the latest network security / encryption / firewalls in place Unfortunately most losses are caused by human error / rogue employees We are a small company, under the radar Hackers are targeting smaller firms that lack the sophistication and resources of larger more well known entities

Common Objections to Buying Cyber (Continued) We do not keep any sensitive data of our customers on our server Employers are still responsible for safekeeping of employee data Phishing claims are on the rise Other policies we have may provide coverage Since 2014 GL carriers have been excluding and court decisions have supported claim denials We have cyber endorsed onto one of our policies already These endorsements typically are low on limit and thin on overage. They can actually get you sued for E&O! We are better off saving premium dollars to use in case we have a breach Will discuss breach costs in later slide which should scare the self insurance approach. Also cyber policies provide more than just paying off lawsuits

Resources and Tools Privacy Rights Clearinghouse www.privacyrights.org Ability to sort by breach type, organization type and year Cyber Breach Calculator www.eriskhub.com/mini-dbcc Breaks down the cost by incident investigation, customer notification costs and crisis management, regulator fines and penalties, PCI, and class action lawsuits Cost of a Data Breach Study by Ponemon Register for Free Report available to the public that details average costs, industry trends impacting costs and factors that can influence and mitigate costs

Data Breach Costs

Typical Breach Response Costs $300 - $600 per hour Legal $250 - $600 per hour Forensics $150 per hour or legal rate Crisis Management $1 -$3 per letter Notification $7 - $25 per call Call Handling $8 - $75 per person Credit & Fraud Monitoring $400 per case Identity Theft Resolution

Typical Breach Response Costs Indirect Costs Customer churn Increased customer acquisition activities Damaged reputation Loss of goodwill Employee time & resources Direct Costs Crisis management Public relations Print & mail notification letters Remediation services Legal & forensic services Law suits $258 per record Factors That Influence U.S. Data Breach Costs Decrease $14 Increase $13 Incident response team Extensive use of encryption Third Party Involvement Employee Training Decrease $13 Decrease $9 Source: Ponemon Cost of Data Breach Study

Ponemon 2018 Cost of Data Breach Study: United States Analysis $7.91 million is the average total cost of data breach (+7.6%) $258 is the average cost per lost or stolen record (+14.6%) Cost per record break out: $152 - Indirect costs, which include abnormal turnover or churn of customers (+4.8%) $81 - Direct costs incurred to resolve the data breach, such as investments in technologies or legal fees. (+2.5%) Ponemon Institute© Research Report

Key Questions What factors are considered by Insurance carriers when rating cyber coverage? Who owns data? Who is responsible for a loss of data stored on the cloud? What if I outsource my data to a third party IT vendor? Do I have to wait for an insurance company to approve my response to a breach or can I just respond? How does a retro date limit coverage under a data breach policy?

Conclusion Network Security and Privacy Liability insurance is an important component of a risk management strategy in today’s business environment. Today, more businesses rely on information technology as the engine for operations and communications, thus it is more critical to protect digital assets with the right insurance coverage. In designing insurance coverage for an enterprise, buyers should start with a thorough assessment of potential risks and vulnerabilities of the existing systems, perhaps with the help of a security specialist, and then secure the appropriate insurance coverage. Network Security and Privacy Liability Insurance is just another important component of a Risk Management strategy in today’s business environment. The more businesses rely on information technology as an engine for operations and communication, the more crucial it becomes to protect IT assets with the right coverage.