Travelers CyberRisk for Insurance Companies Heather Coelho - March 2015

Important Notice This presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. This presentation is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations. This presentation is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.

Cyber Liability “There are only two types of companies. Those that have been hacked and those that will be.” — Robert Mueller, FBI Director, 2012

Agenda Reasons to think about Cyber Risk Management Techniques Costs Associated with Cyber exposures Dispel Risk Management Myths

New Cyber Threat Ransomware: Examples: Takes user information hostage and requires payment for its return Examples: CryptoLocker CryptoWall Kovter

Risk Management Evaluation What loss control initiatives do you have in place? Have you implemented regular audit procedures of all information security protocols and systems? Do you have a formal: business continuity plan? disaster recovery plan? information security policy? procedure for handling a data breach incident? Who is responsible for information security? Are employees trained on all policies relating to information security? What is your company policy for employee usage of company assets (computers, mobile devices, etc.)?

Top Five Types of Security Risks Network Security Virus, SQL Injection, Malware, Trojan Horses, etc. Physical Loss or Theft Lost or stolen laptop; physical file security Cyber Extortion Gaining access to sensitive data and threatening to release it Employee Mistakes IT professionals can’t prevent these types of losses Denial of Service Attack Targeted attack to slow or stop a network

Cyber Liability The average cost per record of a data breach increased to $201 in 2014 from $188 in 2013. - Ponemon 2014 Cost of Data Breach: Global Analysis

Information Security Policy Safeguard Privacy of Information Establish Password Management Govern Internet Usage Manage Email Usage Govern Company-owned mobile devices Establish Approval Process for Employee Owned Devices Govern Social Media Usage Oversee Software Copyright & Licensing Report Security Incidents

Network Security Strategies Set clear administrative privileges Secure your private network Secure endpoints by configuring DMZ Monitor the network Maintain firewalls Establish intrusion detection and prevention systems Protect remote access Isolate guest WLAN Use encryption programs Define and practice continuity plans/disaster recovery

Cyber Liability Incident response plans reduced the per record cost of a breach by an average of $12.77 - Ponemon 2014 Cost of Data Breach: Global Analysis

Incident Response Plan Develop and test it! Key Steps: Assemble your incident team Decide on effective outside help Validate the breach Manage the evidence Take action to mitigate the impact Clean your network of malicious code Notify data owners Conduct “lessons learned”

Lost Laptops (and other Mobile Information Devices) A 2008 Ponemon Institute study indicates that business travelers are losing over 10,000 laptops every week at U.S. Airports Only 1/3 of them are reclaimed Laptops not reclaimed are often sold at auction or donated to charity after 30 days More than 53% of business travelers polled say their laptops contain private or confidential information Further, 65% admit they do not take precautions to secure the information on their laptop

“Costs” of a Lost Device Average value of a lost laptop is around $50,000 and of a lost smartphone is $37,000 Replacement cost, detection, forensics, data breach, lost IP costs, lost productivity, and legal, consulting and regulatory expenses When data breach is possible, this exposure represents 80% of the costs $20,000 less costly when encrypted

Cyber Liability 31% of all breaches have occurred in organizations of 2,500 or fewer employees and 30% in organizations of fewer than 250 employees. - Symantec 2014 Internet Security Threat Report

Risk Management Myth #1 I Don’t Need to Consider Insurance Coverage: I’ve Never Had a Problem and I Don’t Know Anyone Who’s Had a Loss The legal landscape addressing the Internet is still developing Recent legal and statutory changes are requiring disclosure of security breaches – State Departments of Insurance, State Attorney Generals, FCC The requirement of insurance protection for data liability is beginning to be included in many customer contracts Can a company afford to handle all aspects of a data breach on its own? Traditional insurance products were not designed for current exposures. Insurance products continue to develop in response to the need.

Risk Management Myth #2 Only High Profile Companies Have Exposure To Internet Liability Types Of Claims The nature of the exposure is changing “Hacking” moving from thrill-seekers to the criminal realm Criminals are targeting small to midsize businesses because their security is easier to penetrate Hacking large corporations and government entities makes “news” but most data breaches involve companies with fewer than 100 employees (Verizon 2013 Data Breach Investigations Report) Virus attack and transmission is blind to size or prominence of company

Risk Management Myth #3 Risk Management Will Eliminate Exposures Good risk management reduces exposure and helps in defense of a claim but does not eliminate the exposure. High profile cases of large companies damaged by computer viruses and hacked by outsiders. Do you have better data security than each of these companies and government agencies? Dept. of Defense, FBI, NASA, Apple, Amazon, CIA, Google, etc. All of these companies have been hacked since the start of 2011. Firewalls, virus protection, intrusion detection, etc. are good…but they can be compromised, both externally and internally. Almost half of all data breach incidents are caused by staff mistake, lost device or rogue employee.

References Follows Us /company/travelers @travelers /travelers www.travelers.com/cyber Contact Me hcoelho@travelers.com 267.675.3149 The SANS Institute: http://www.sans.org/ Ponemon Institute: http://www.ponemon.org/ NetDiligence: http://www.netdiligence.com/

Questions?