Steve Robinson of RPS Technology & Cyber presented "Discussing Cyber Risk Coverage With Your Commercial Clients" to the 68th Annual F. Addison Fowler Fall Seminar on October 17, 2014.

1. Discussing Cyber Risk Coverage
With Your Commercial Clients
Steve Robinson
Area President
RPS Technology & Cyber
October 17, 2014

2. Threat Landscape
and Common
Misperceptions

3. Facts
 When it comes to data breach, size
doesn’t matter*
 It’s more than just hacking
 The “we’ve got this covered” attitude is
waning
 IT is now very much on board
*Source: 2013 Data Breach Investigations Report
Verizon RISK Team, et al

4. The Changing Threat Landscape
“Our 2013 findings suggest that there’s a lot of
complacency among organizations about the
risk of espionage attacks. The assumption is
that these attacks only target government,
military and high-profile organizations, but our
data shows that this increasingly isn’t true.
Don’t underestimate the likelihood that your
organization will be a target..”
Source: 2013 Data Breach Investigations Report
Verizon RISK Team, et al
RPS Technology & Cyber

5. Information Risks –
What Can Go Wrong?

6. Information Risks
Hazards
 Hacker Attacks/Unauthorized Access
 Virus/Malicious Code
 Denial of Services Attacks
 Malicious Hardware
 Physical Theft of Device/Media
 Accidental Release
 Employee/Vendor Error
 Rogue Employees
 Social Engineering

7. Information Risks
Source: Open Security Foundation

8. Industry-Specific
Threats

9. Industry-Specific Threats
Healthcare Retail Education Hospitality Financial Public Entity Nonprofit Mfg Technology
RPS Technology & Cyber
Breach of Personally
Identifiable Info (PII)
Breach of credit card
data & PCI Fines
Breach of Protected
Health Information
(PHI)
Breach of customers’
rights to privacy
Breach of
confidential
employee data
eBusiness
Interruption
Technology Errors or
Omissions
Personal Injury –
Social Media
Environment
Intellectual Property
Infringement
Regulatory Liability
Electronic Theft
Cyber Extortion

10. Cost of a Data Breach

11. Data Breach Related Costs
 Average cost per compromised record = $201.00*
 Direct
 Coordination
 Defense
 Notification expenses
 Credit monitoring
 Regulatory fines
 Indirect
 Customer churn
 Impact on shareholder value
 Loss of future opportunity
Source: Ponemon Institute 2013 Annual Study “Cost of a Data Breach”

12. Related Costs
Per Capita Cost By Industry Classification*
Source: Ponemon Institute 2013 Annual Study “Cost of a Data Breach”

13. Mitigating Risk in our
Clients’ Businesses

14. How Can Clients Reduce Their Risk?
 Data Management*
 Collection
 What employee, customer, donor/volunteer (nonprofits) data are you storing?
 Do you need to store it?
 Access
 Who in your organization has access to sensitive information?
 Do those with access absolutely need access to perform their job?
 What of this information is publically available?
 Use
 Are you using customer info in a manner it was originally intended (and consistent with the
way you communicated to your customers?)
 Storage
 Where is your data stored?
 Is the stored information protected by access controls?
 Does sensitive customer information exist in multiple formats?
 Eradication
 How long do you keep customer information?
 What do you do with info (in any format) you no longer need?
 3rd party vendor agreements for document storage,
disposal, janitorial services, etc.
Source: NTEN – Nonprofit Technology Network

15. How Can Clients Reduce Their Risk?
 Policies & Procedures
 Privacy
 Do you have a written privacy policy in place?
 Have employees and/or volunteers been trained?
 Social Media
 Inventory your social media presence - regularly
 Restrict authority for creation and content management on behalf of your organization to
one or two designated employees
 Are there restrictions for social media access on systems that connect to your network
containing personal information on customers, employees, etc.?
 Websites, Intellectual Property & Electronic Communication
 Consistency of content and message?
 Legal review?
 Have appropriate rights been secured (music, lyrics, video, etc.)
 Staff training in email etiquette
 Network Security
 Software, patch management, spam filters, firewall protection, etc. & Credentialing
 Encryption of data - at rest and in a mobile state
 Vulnerability testing
 BYOD policies

16. How Can Clients Reduce Their Risk?
 Risk Transfer
 Vendor Agreements
 Appropriate transfer of liability language in vendor contracts?
 Cloud providers
 Payment processors
 Website hosting services
 Document disposal, storage and janitorial services
 Insurance
 Cyber/Privacy Liability Insurance

17. Cyber Risk
Insurance Coverage

18. What is Cyber Risk Insurance?
 Insurance coverage designed to protect a business from:
 Liability associated with:
• Unauthorized release of confidential information
• Violation of a person’s rights to privacy
• Personal injury in an electronic/social media environment
• Intellectual property infringement
• Violations of state or federal privacy laws
 Out-of-pocket expenses incurred to make the above problems go away

19. Cyber Risk Insurance
RPS Technology & Cyber
Exposure Category Description
Privacy Liability Provides liability coverage for failure to protect electronic or non-electronic information in your
care custody and control. Can include coverage for acts of vendors as well.
Network Security Liability Provides liability coverage if an Insured's Computer System fails to prevent a Security
Breach, becomes inaccessible to those who need it or unintentionally transmits a virus to a
3rd party.
Media Content Liability Provides liability coverage for Intellectual Property and Personal Injury lawsuits stemming
from your website or social media content under your direct control.
Regulatory Liability Defense coverage for legal proceedings or investigations by Federal, State, or Foreign
regulators relating to Privacy Laws.
Crisis Management
Legal Assistance Expense Expenses incurred to hire an attorney to help navigate the breach response process in accordance
with the multitude of State and federal laws.
Forensic Expense Expenses incurred to hire a firm to conduct IT forensics investigations following a data breach.
Notification Expense Expenses incurred to notify members of a breach in accordance with State and Federal laws.
Credit Monitoring Expense Expenses incurred to provide donors with access to identity protection services.
Public Relations Expense Expenses incurred to hire a public relations consultancy, media expenses, etc. in the wake of a data
breach.
Data Recovery/Restoration Expenses incurred to re-create data that is damaged as a result of a cyber incident.
Business Interruption The reduction of business income as a result of an interruption or use of a computer system as a
result of a network breach to their system.
Cyber Extortion Expenses incurred resulting from threats to introduce a system hack, virus, etc. or from threats to
disseminate or use information contained in your computer systems to destroy or alter your
computer systems.
Fines and Penalties Where permissible by law, expenses incurred as a result of a State, Federal or other (PCI DSS) fine or
penalty resulting from a data breach.

20. Doesn’t My Insurance
Already Cover This?

21. ISO General Liability Form
Coverage exclusion for claims of copyright,
trademark infringement.

22. ISO Property Form
Protects physical computers
but not the data that is stored on them.

23. CGL Data Breach Exclusions
Current ISO CGL form
coverage is provided:
“For personal and advertising
injury as the offense of an oral or
written publication in any manner,
or material that violates a person’s
right of privacy.”
New ISO GL Exclusion (effective
May 2014):
“Exclusion – Access or Disclosure of
confidential or personal information
and data-related liability – with limited
bodily injury exception.”

24. Doesn’t My Insurance Cover This?
General Liability Property Crime Professional K&R Cyber
3rd Party Privacy/Network
Security/Personal Injury/IP
Theft/Unauthorized Disclosure PII
Breach of Confidential Corporate Info
Technology E&O
Media Liability/Social Networking
Regulatory Defense/Penalties
Virus/Malicious Code Transmission
1st Party Privacy / Network Risks
Legal Assistance/Breach Coach
IT Forensics
Physical Damage to Data
Denial of Service Attack
Business Income from Security Event
Extortion or Threat
Rogue Employee - Data Related
Public Relations/Crisis Management
Coverage Provided?
Coverage Possible?
No Coverage?
* For reference and discussion only; policy language and facts of claim will require further analysis. This is not a
guarantee of coverage.

25. Cyber Risk Coverage:
Key Differentiators
RPS Technology & Cyber

26. Cyber Risk Coverage
 Samples of Key Differentiators:
 Look carefully at the definitions
 Unauthorized acts of employees
 Coverage for electronic and non-electronic information
 Vicarious liability - 3rd parties/vendors/cloud providers
 Defense of privacy regulatory actions (at full privacy limits)
 Regulatory fines & penalties
 Sublimits for 1st party vs full limits
 Breadth of media coverage

27. Cyber Risk Coverage
 Common Exclusions
 Intentional Acts – look closely here
 Infrastructure failure
 Software Responsibility/Inadequate Software
 Unencrypted portable media
 Wrongful Collection
 Employment Practices

28. Not All Policies Are Created Equal

29. Cyber Endorsement “Fail”

30. Application Process &
Rating Factors

31. Application Process & Rating Factors
 Pricing
 Class of business
• High/Medium/Low
• Number of patients and records held – medical
 Annual revenue
 Number of employees
 Network defense parameters in place and update procedures
 Information security policies
 Loss history
 Application
 New streamlined options available

32. Coverage Trends

33. Coverage Trends
 The tale of two worlds
 Large retail – appetite, capacity, underwriting
 Small business
 Business Interruption triggers
 Aggregation
 Reputational Harm
 Electronic Theft – monetary & otherwise
 Retro date

34. Summary
 Why Your Client Needs Cyber Risk Coverage
 Specific exclusions exist in traditional policies for:
• Privacy breach
• Network related incidents
• eBusiness Interruption
• Personal Injury in Social Media, websites, blogs, etc.
• Regulatory defense, fines
 Buying coverage aligns pre and post-breach resources not
afforded under other policies
 Claims are on the rise
 Laws are driving demand:
• GLB, HIPAA, HI-TECH Act, FTC’s Red Flag Rule, etc.
• 47 of 50 States require notification
 Coverage is more accessible and affordable than ever

35. Thank You
Steven R. Robinson
Area President
Steven_Robinson@RPSins.com
www.RPSins.com
410-901-0704 direct
800-336-5659 toll free