Lockton Companies International Limited. Authorised and regulated by the Financial Services Authority. A Lloyd’s Broker. Protecting Your Business from Information Thieves: Overview of Security/Privacy Risks and Risks Transfer Malcolm Randles

2 Some Key Discovery Questions? Does your business model, services, or solutions involve (collecting, storing, using, transmitting, selling, etc.) personally identifiable information of individuals? Do you outsource or offshore important elements of your IT management or business infrastucture (such as fulfillment, customer service, etc.)? How many employees do you have? Are you self-insured for your employee medical plan? Have you had any incidents, losses, or regulatory investigations concerning privacy or security? Is your computer network very time sensitive if it were down? Does it vary by season or time of year? Do you indemnify your customers under contract for breach of confidentiality or security? Does any of your products or services have a patent infringement exposure, whether the patent is for design, physical product, software, or business process?

3 Cyber Liability Risk Basics – People, Processes, and Technology in an Ever-Changing Environment Security Liability: Someone (including an associate, vendor or an independent contractor) attacks or accesses/uses your computer network in an unauthorised manner…..or someone steals mobile computer equipment to perpetrate data theft. Responsibility is on the data owner worldwide to its consumers and employees Insiders are the most frequent perpetrators Constant new threats Identity and data theft (cyber crime) biggest issue From nuisance/malicious hacking motives through extortion and terrorism Transmission of malicious code Denial of service attack (against your network or co-opting your computers to participate in an attack on others)

4 Cyber Liability Risk Basics – People, Processes, and Technology in an Ever-Changing Environment Privacy Liability: Violation of privacy laws or regulations that permit individuals to control the collection, access, transmission, use, and accuracy of their personally identifiable financial information

5 Severity Risk and Getting Worse  Responsibility to warn consumers (and employees) of potential security breach to their personal information.  Identity theft is a business and heavily involves organized crime around the world. (phishing and pharming). CEO of McAfee suggests it is now bigger then the illicit drug trade.  Impact of vicarious liability resulting from increased outsourcing and off- shoring.  Regulators like Financial Services Authority & ICO bring enforcement actions for breaches of privacy and security as identity theft continues to grow. NATIONWIDE  Significant class action activity and derivative shareholder actions on back of large security breaches. Largest loss is over $150 ML (T. J. Maxx).

6 Why purchase cyber insurance? Investor fallout from uncovered losses with large claim. Major impact on brand and reputation. Traditional insurance does not cover security liability or adequately cover privacy risks. No system can be designed to eliminate the potential for loss, as people and processes failures cannot be eliminated. Insiders may be perpetrators. Many functions are conducted by outside vendors and contractors who may lack insurance and assets to respond. Responsibility rests with the merchant from a legal, regulatory perspective, and credit card association operating regulations.

7 Cyber Liability Coverages  Civil Liability - Defense Costs - Single/class action - Potential plaintiffs can include owners, other third parties, and employees  Privacy/Security Regulatory Actions (Sublimit) - Defense Costs - Payment of civil fine or penalty  Notification and Crisis Management Costs (Sublimit) - mailing costs - offers of free credit report and credit monitoring to affected group - outside PR and legal advice - professional call center - other costs associated with VISA/MasterCard credit card rules.

8 Cyber First Party Coverages Data/Electronic Information Loss Covers the cost of recollecting or retrieving data destroyed, damaged or corrupted due to a computer attack. Business Interruption or Network Failure Expenses Covers cost of lost net revenue and extra expense arising from a computer attack and other human-related perils. Especially valuable for computer networks with high availability needs. Cyber-extortion Covers both the cost of investigation and the extortion demand amount related a threat to commit a computer attack, implant a virus, etc.

9 Summary Identifying, preventing, mitigating and transferring privacy/security is a major priority for any company that accepts a debit or credit card as a form of payment, and public traded companies. Outsourcing and offshoring is a fact of life, but definitely increases data protection risks. Vendor management process is needed which includes due diligence, contract protections, and vendor insurance requirements. This is a risk of survivability, not invincibility. Develop a team and plan for a data breach incident response, just like your contingency plans for other threats. Client should consider insurance protection, either on a combination with professional liability coverage or stand-alone coverage. Insurance is not a substitute for best security practices, but deals with the potential severity risk you cannot prevent. Quality of coverage and management of claims very important, as well as experience of the underwriter; be a thoughtful buyer.

10 Contact Details Lockton International Malcolm Randles