Executive Risk Monday September 21, 2015 Northern Ohio Association for Financial Professionals 2015 Idea Exchange Seminar Data Security/Privacy (Cyber)

Presentation transcript:

Executive Risk Monday September 21, 2015 Northern Ohio Association for Financial Professionals 2015 Idea Exchange Seminar Data Security/Privacy (Cyber) 101

Nicholas J. Milanich, Vice President, Hylant Executive Risk
Phone # (216)
hylantexecutiverisk.com

AGENDA
The Risk
  – Cyber Attacks
  – Recent Data Breach Examples
  – Loss Statistics
  – Legislative Environment
  – Emerging Risks
The Insurance
  – 3rd Party Coverage
  – 1st Party Coverage
  – Coverage examples

CYBER ATTACKS
– Microsoft Xbox, Sony PlayStation (denial of service)
– US State Department (cyber vandalism)
– US Weather Station (satellite system)
– Sony Pictures (corporate information)
– VeriSign (internet security company)
– TD Waterhouse (unauthorized access)
– YouTube (website content)
– CareFirst of Maryland (website content)
– Authorize.net (denial of service attack)
– Six Apart, Ltd. (denial of service attack)
– PaineWebber (malicious code)

RECENT DATA BREACH EXAMPLES
Federal Government – Office of Personnel Management
  – Up to 20 million individuals
  – PII – names, addresses, DOBs, SSNs
  – KeyPoint credentials compromised via zero-day malware (pre-patch)
Anthem
  – 80 million current and former members' information
  – Unencrypted data; employee password compromised; state-sponsored action
  – Mostly PII: names, addresses, social security #s, medical ID #s, birth dates, salaries, addresses
  – Self-insured plans may have notice requirements
Home Depot
  – 56 million credit card numbers
  – Targeted attack at payment terminals
  – Announced estimated costs so far of $62 million; $27 million insurance recovery
  – 44 lawsuits consolidated to two: consumer and financial institution
Target
  – 110 million credit/debit card numbers
  – Malware at POS
  – $236 million direct data breach costs, half for software upgrades
  – $90 million insurance recovery

HISTORICAL LARGE DATA BREACH EXAMPLES
Heartland Payment Systems
  – 6th largest credit-card payment processor in the country
  – 100 million card transactions each month, 250,000 businesses
  – May–November 2008, spyware installed
  – Unencrypted credit card data – 250 million records
  – Magnetic strip & names
  – More than 220 banks affected
Hannaford Brothers
  – Grocery chain
  – 4.2 million credit/debit card numbers
  – 1,800 cases of identity theft
  – 26 lawsuits
TJ Maxx
  – 94 million individuals
  – Criminals had access for 17 months
  – 3-year credit monitoring / victim assistance
  – Follow-on D&O, other litigation
  – Total estimated cost over $1.3 billion

CYBER EXTORTION
– Avid Life Media – Ashley Madison (8/15): credit card info, names, addresses, addresses; demanded that the site be taken down and an undisclosed amount of money
– Nokia (7/14): source code for operating system – "several million euros"
– Domino's (6/14): customer data in Europe – $40,000 demand
– Express Scripts (2/12): PHI – unknown demand

LOSS STATISTICS – FREQUENCY
Summary from Risk Based Security, Inc. – 2014
Number of breaches
  – 3,014 in 2014 – up 33%
  – 2,261 in 2013
Number of records exposed
  – 1.1 billion in 2014 – up 34%
  – 823 million in 2013
How records were exposed
  – Outside (hackers) – 76%
  – Inside, accidental – 9.5%
  – Inside, malicious – 6%
  – Inside, unknown – 4.5%
  – Unknown – 4%

LOSS STATISTICS – FREQUENCY Summary from Risk Based Security, Inc. – 2014

LOSS STATISTICS
Summary of Ponemon Institute's 2014 Annual Cost of a Data Breach Report:
– Average cost and per-record cost increased modestly to $5.8 million and $201, respectively.
– Direct costs are estimated at $66 per record (notification letters, credit monitoring, forensic IT, etc.).

Cost by industry class     Per record
Average                    $201
Education                  $294
Retail                     $105
Healthcare                 $359
Financial Institutions     $206

LOSS STATISTICS
Summary of NetDiligence 2014 Cyber Claims Study:
– Insurance company database of actual claims between 2011 – 2013
– Average total cost was $733,109
– Only 12% of the claims resulted in follow-on litigation, only 5% in regulatory action and only 3% in PCI fines/penalties

Cost Type                Average Cost
Forensics                $119,278
Notification             $175,147
Legal Guidance           $117,613
Public Relations         $4,513
Legal Defense            $698,797
Legal Settlement         $558,520
Regulatory Defense       $1,041,906
Regulatory Settlement    $937,500
PCI fines/penalties      $2,328,667

LOSS STATISTICS
Possible Additional Costs Associated with Data Breach
– Defense costs and settlements associated with follow-on litigation
– Regulatory enforcement body (HHS, OCR, FTC, FCC, State Attorneys General)
– Private plaintiffs (common law privacy, breach of contract, emotional distress allegations)
– HIPAA fines/penalties ($5k–$50k per offense, up to $1.5m cap)
– FACTA fines/penalties ($1k–$2.5k per employee + punitive damages, fees)
– PCI compliance fines/penalties

LEGISLATIVE ENVIRONMENT
Federal Statutes
  – Gramm-Leach-Bliley, HIPAA, GINA, FACTA
  – Consumer Fraud & Abuse Act, Stored Communications Act, Electronic Communication Privacy Act
  – Obama Personal Data Notification and Protection Act (pending): 30 days, likely to pre-empt State Notification laws (below)
State Notification Laws (46 + D.C., Puerto Rico, V.I.)
  – Mass. – requires written security policy, min. standards
  – CA – Zip codes
  – Ohio: Section
      – Computer related only
      – Encryption safe-harbor
      – Notification ASAP, within 45 days
      – $1,000/day penalties which escalate after 60/90 days
Common law allegations
  – Invasion of privacy
  – Negligence
  – Breach of implied contract
  – Right of publicity

ORC 2744 Ohio State Immunity
– Very little information regarding immunity and data breaches
– Expect to incur data breach expenses: notification, credit monitoring, forensic IT, etc.
– Contractual obligations: PCI/DSS
– Federal Statutes: HIPAA, HITECH, FACTA

EMERGING ISSUES
– NIST to become de facto standard?
– Supply chain data risk
– Chip & PIN (EMV) – retail merchants
– "Internet of Things" – open source, manufacturing
– Article III standing
– "Do not track" cases
– Persistent identifiers (user IDs, device identifiers, IP addresses)
– Terms of service
– Legal developments in cloud computing and BYOD

BASIC BEST PRACTICES
– Inventory your data: What kind? How much? Where is it? Who has access? How is it protected?
– Evaluate contracts with outside service providers – especially 3rd party IT, payment processors, data storage or data processing vendors
– Consider requiring certificates of insurance for both professional E&O and Data Security/Privacy (Cyber) coverage
– Continuous 3rd party security and vulnerability assessments of your organization
– Establish an incident response plan and team with experienced outside vendors
– Test your incident response plan
– Insurance is a "safety net", but not a substitute for internal and external safeguards

John Menefee, CyberRisk Underwriting Manager, Travelers
Phone # (216)
travelers.com

Network/Privacy Insurance
Coverage Triggers
  – Virus transmission
  – Failure to provide access
  – Unauthorized access or use of data
  – Failure to notify
  – Website/social media liability
Covered Data
  – Insured's systems
  – Data in transit
  – Non-electronic data
  – Data residing on others' systems
  – Employees' data
  – Corporate data

Network/Privacy Insurance – First Party Costs
Notification & Crisis Management Expenses
  – Breach coach
  – Legal costs to determine applicability of breach laws
  – Computer forensics
  – Notification documents (preparing and sending)
  – Call center for incoming and outgoing communications
  – Payment card chargebacks
  – Other fees to comply with requirements of breach laws
  – Public relations expenses to respond to negative publicity and restore brand reputation
  – ID fraud policies / credit monitoring for affected individuals

Network/Privacy Insurance – First Party Costs
Crime
  – Computer fraud
  – Funds transfer fraud
Cyber extortion
  – Threat of release of information, damage of data or systems, introduction of virus, or restriction of access to system resources
Fines/Penalties
  – PCI contract penalties
  – Regulatory fines/penalties
Telecommunications theft
  – Outgoing long distance phone calls
Network business income/extra expense
  – Business interruption due to network event – typically some form of denial of service
  – Dependent business interruption (very limited market)

Limitations to watch for
Specific exclusions to watch for
  – "Reckless disregard"
  – Unencrypted laptops / mobile devices
  – Violating own policies & procedures
  – Keeping IT security up to date
  – Exclusions for known viruses / malicious software
  – Coverage limited to electronic data only

Coverage Examples
– Employee Mistake
– Unauthorized Access
– Lost Laptop

Disclaimer: These examples are generic. CGL, E&O, and Cyber Insurance forms differ greatly between companies. Examples are exploring general coverage "intent" to illustrate the differences that may exist between the various coverages. Individual claim circumstances and complaint wording can trigger or limit coverage in a variety of ways.

Scenario 1 – Employee Mistake
What Happened: Your employee accidentally or deliberately publishes private customer information on your company's website or via . Your customer sues.
Coverage:
  – Look for coverage under the personal injury section of the CGL. Publication of material that violates a right of privacy – check to see if your CGL excludes or limits this grant when the publication occurs in an electronic format.
  – Look to a dedicated Cyber Liability policy.

Scenario 2 – Customer / Employee Info
What Happened: A hacker gains unauthorized access to your network and steals personally identifiable information of employees and customers.
Coverage:
  – Look for coverage in a Cyber Insurance policy.

Scenario 3 – Lost Laptop
What Happened: An employee's laptop computer containing customer information is lost or stolen during travel.
Coverage:
  – Cost to replace the physical property that was stolen may be covered under a property policy; however, additional costs associated with an information breach typically will not.
  – May find coverage under a Cyber Liability policy.
  – Check policy wording for limitations regarding whether the laptop needs to be part of the "communications network."
  – Check policy wording for limitations regarding encryption of data.

Thank you!