CYBER & Product Liability & Professional Indemnity Crawford & Company CYBER & Product Liability & Professional Indemnity ‘Everything you always wanted to know about claims ‘ Mark Vos, Head of GTS CEMEA June 2013 Version 18 June 2013

Now back to the basics + discussion of a case.

What is your Cyber Risk Many definitions C

How structured is your organisation ?

What is Cyber Liability Many definitions C

CYBER Risk definition Criminal Yearly Benefit Emerging Recurring Risk 2011: Norton  2013 USA

It is another Risk, which comes back in every kind of policy like Property, Casualty, Construction , Marine & Transportation; without national limitations. Loss of Control and Integrity * Hardware, * Software, * Data

Product Liability Professional Indemnity Defining the product What is Cyber proof? A Dynamic Risk Encryption & log–in strategy Procurement Over-selling & Under-delivery Misperception of expectation Contract What does the client say, he wants What does the final user actually needs Technical / Functionality specification Validation Warranty & Limited Liability Fit for purpose < -- > Critical in the Business Continuity

Who worries about our safety Chief Information Officer Who worries about the information storage and retrieval Days of the Business Process management data mining Chief Technology Officer Who worries about interconnectivity of systems Chief Digital Officer Who worries about total usage and management of data Big data en IP6 Data Protection Officer EU regulation 2104 applied per 2016: Data Protection Directive 95/46/EC Company > 250 staff Notify breaches to Authorities < 24 hrs

Anti Virus software Fire wall Anti Virus software System patches N-1 N Response on N-1 System patches

The Contamination

The Contamination

Liability starts at First Party running on Products (Product L + PI) Material damage ?  BI / drop of Share price Virus or hacker Down time and Business Interruption / Loss of Goodwill Regulation impact First Party Policy Requirements Internal protocols Back up USB clause Virus software clause Hardware or Data not necessarily at risk location Computer Centre Cloud (Public, Private, Hybrid) & EU Data Protection Directive 95/46/EC Spread throughout organisation Revalidation of software Master policy coverage versus local policy

Will your Company be hacked? Cyber crime is larger than Narcotics. Identity theft: USA 2007 $56 Billion  2011 $ 37 Billion / 8 Million people You do not die in the Internet Drivers Money transfer/ credit card data Knowledge / espionage Competition benefits Nuisance / power / authority / war Risk factors External Crime Nuisance Internal Content leakage Espionage Rotation of staff Fraud

10 Steps to Cyber Security

10 Steps to Cyber Security 1. Secure Configuration 2. Network Security 3. Malware Protection 4. Removable Media Controls 5. Managing User Privileges 6. User Education Awareness 7. Home & Mobile Working Contractors & Consultants The World 8. Information Risk Management Regime 9. Monitoring 10. Incident Management

Incident Management Can you shut down? Generally No, unless you are shut down Pre-select the appropriate companies, which can review your systems, and provide direct 24/7 support. Bring systems back in control. Make an inventory of level of First Party damage, and analyse virus in back-ups. Make an inventory of level of Third party damage, and analyse commercial and legal exposure. Report to insurers & Report to Press. Involve loss adjusters, who understand your problem.

Cyber Risk team Dr Mark Hawksworth, UK Mark Vos, CEMEA, Rotterdam

Crawford & Company Many countries Many languages Many specialists Many services ONE point of contact: www.crawfordandcompany.com