SPECIAL GUEST: JAMES GRAY
Underwriter, London UK Specialty Treaty, Beazley Group
- All 6 Beazley Lloyd's Syndicates are rated A (Excellent) by A.M. Best
- Admitted carrier in the US: Beazley Ins Co rated A (Excellent) by A.M. Best
- Specialist insurer, began in 1986 and has grown to over $2.1bn in gross written premium in 2016
AGENDA
- Why cyber and data threat protection
- Padlock
- Q & A

WHY CYBER AND DATA THREAT PROTECTION
I. GLOBAL CYBER EXPOSURES
- The cyber risk to business is growing in frequency and financial impact.
- The cost to the global economy of cybercrime has been estimated at $445 billion a year (WE 2017).
- This threat is varied and adaptable; it is easier to attack than to defend.
- The rise of internet-connected devices (IoT) gives attackers more opportunity.
- It is not just about technology; the human factor is significant.

II. THE CANADIAN PERSPECTIVE
- $7.2m: amount of money small and medium-sized businesses across Canada spent in 2016 to recover from data breaches
- +44%: the increase in the average number of cyber attacks against small and medium-sized businesses in Canada since 2014
- $278: the average cost per lost or stolen record in Canada
- #2: Canada's ranking in the list of the world's most affected regions for ransomware attacks
- The Digital Privacy Act (DPA) will take effect later this year. This act mandates that all data breaches are reported. Organizations will have to notify users of any breach that could pose a real risk of significant harm.
III. WHAT ARE THE THREATS?
INSIDE THREATS
- Employee negligence
- Security failures
- Lost portable devices
- Unintended disclosures by email, fax, phone or in person
- Failure to encrypt portable devices
- Employee ignorance
- Improper disposal of personal information (dumpsters)
- Lack of education and awareness
- Malicious and/or nosy employees
OUTSIDE THREATS
- Hackers
- Malware
- Phishing and spear phishing
- Thieves
- Social engineering tools
- Stolen portable devices
- Vendors/business associates

IV. WHAT IS AT STAKE?
- Time: time spent on incident response is time away from day-to-day operations
- Money: responding to incidents can mean legal fees, forensic investigation costs, notification and call center costs, and paying for credit monitoring; lawsuits; regulatory investigation, fines, corrective action and penalties
- Reputation: customers' trust
PADLOCK: INDUSTRY-LEADING CYBER AND DATA THREAT PROTECTION
- Coverage
- Structure
- Discussion
- Breach and claim scenarios
- Eligibility criteria
- Special acceptances

PADLOCK CYBER & DATA THREAT PROTECTION COVERAGE SUMMARY
Third Party Protection
- Information Security and Privacy Liability
- Regulatory Defense and Penalties
- Website Media and Content Liability
First Party Protection for Your Business Customers
- Privacy Breach Response Services
- PCI Fines and Penalties
- Cyber Extortion
- First Party Data Protection
- First Party Network Business Interruption
PADLOCK CYBER & DATA THREAT PROTECTION COVERAGE: THIRD PARTY PROTECTION
Information Security and Privacy Liability
Covers damages and expenses resulting from a violation of a privacy law for:
- theft, loss, or unauthorized disclosure of personally identifiable non-public information or third party corporate information
- acts or incidents that directly result from a failure of computer security to prevent a security breach
- failure to timely disclose an incident in violation of any breach notice law
- failure to comply with that part of the business's privacy policy
Regulatory Defense and Penalties
Covers defense expenses and penalties resulting from a regulatory proceeding that arises from a violation of privacy law
Website Media and Content Liability
Covers damages and expenses for one or more of the following acts committed during the course of media activities:
- Defamation, libel or slander
- Violation of the rights of privacy of an individual
- Invasion of or interference with an individual's right of publicity
- Plagiarism, piracy, misappropriation of ideas
- Infringement of copyright
- Infringement of domain name, trademark, trade name, logo, etc.
- Improper deep-linking or framing within electronic content
PADLOCK CYBER & DATA THREAT PROTECTION COVERAGE: PRIVACY BREACH RESPONSE SERVICES
Privacy Breach Response Services
To provide breach services that include:
- forensic and legal assistance from a panel of experts to help determine the extent of the breach and the steps needed to comply with applicable laws
- notification to persons who must be notified under applicable law
- credit monitoring and fraud protection services to affected individuals; alternatively, insureds may choose to offer their customers a data monitoring service
- public relations expenses and crisis management consultants
PCI Fines and Penalties
To indemnify the insured for PCI fines and expenses that they may incur following a breach

PADLOCK CYBER & DATA THREAT PROTECTION COVERAGE: FIRST PARTY PROTECTION FOR YOUR BUSINESS CUSTOMERS
Cyber Extortion
Coverage for payments made to prevent or stop a threat to breach computer security, destroy or corrupt data, or interrupt computer systems.
First Party Data Protection
First party coverage for data restoration, data recreation and system restoration: a data protection loss as a direct result of alteration, corruption, destruction, deletion or damage to a data asset, or inability to access a data asset, that is directly caused by a failure of computer security to prevent a security breach.
First Party Network Business Interruption
Business interruption loss, lost income and extra expenses as a direct result of an actual and necessary interruption of computer systems caused directly by a failure of computer security to prevent a security breach.
PADLOCK CYBER & DATA PROTECTION STRUCTURE
UNDERSTANDING THE POLICY... THREE TOWERS OF COVERAGE
Separate towers mean more cover for Padlock policyholders
Padlock - Cyber and Data Threat Protection: DISCUSSION
- Key Messages
- Common Objections
- Discussion Questions

KEY MESSAGES: THE THREAT IS REAL
- It's no longer a matter of if, but when: it is likely that businesses will at some time be affected by a breach event
- The law may impose obligations upon insureds: are they in a position to understand them, and do they have the resources required to respond effectively?
- A business may rely on outsourced providers, but if it entrusts them with its data the business may still ultimately remain legally liable if the data is misplaced
- Even the most sophisticated security systems can be impacted by human error or a rogue employee

KEY MESSAGES: VALUABLE HELP AFTER AN INCIDENT
- Padlock gives insureds access to a breach response services team which has handled over 5,500 breaches globally since 2009
- They have the capability and expertise to support a range of insureds, from large multi-nationals to micro-businesses
- The team is available to consult with the insured and liaise with vendors from the approved panel that have the knowledge and capabilities to handle the response
- Access to the service team is included within the policy at no charge and does not erode the policy limits
KEY MESSAGES: PADLOCK WAS DESIGNED SPECIFICALLY FOR SMALL BUSINESS
- Small businesses are generally less prepared for breach response before the event and have fewer resources to dedicate when it occurs
- Accessing this experience allows the small business to carry on business without having to divert as much time and energy to dealing with the problem
- Small businesses rely on the trust of their employees and do not believe their employees would cause a breach, either maliciously or innocently

COMMON OBJECTIONS: AREN'T THE EXPOSURES ALREADY COVERED UNDER THE CGL?
- This product often fills a gap in coverage: other general commercial policies may have excluded, or are beginning to exclude, cyber from these policies
- The GL is unlikely to pick up the first party response costs, nor is the form likely to be as robust
- Data is often not property under a CGL

COMMON OBJECTIONS: IS THE AUTOMATIC LIMIT A LOW STARTING POINT?
- Highly affordable coverage at a structure that would be unobtainable from many insurers
- Low friction: no additional underwriting questions at point of sale for the automatic limit
- Padlock has robust coverages across 3 Towers of separate and distinct aggregates; most insurers will stack all coverages in one CAD aggregate, which is important when benchmarking
- If the insured wants to complete an application then they can be underwritten for larger limits; just ask your Gore contact
COMMON OBJECTIONS: MY CLIENTS ARE TOO SMALL TO BE ON THE RADAR OF HACKERS?
- Media only sensationalize mega breaches. The vast majority of breaches are small (< 100,000) and boring
- SMEs are often low-hanging fruit due to lax security
- Not all attacks are bespoke; the majority are broad and indiscriminate
- Not all breaches are electronic in nature: 18% are physical loss

COMMON OBJECTIONS: WILL THE BREACH RESPONSE SERVICES TEAM MAKE DECISIONS FOR THE CLIENT?
- The experienced breach response services team assists the insured in navigating the breach
- They help by co-ordinating and analysing the situation through the lifecycle of the breach
- The decision on how to respond remains with the insured
- Transparency and choice in selecting service providers

DISCUSSION QUESTIONS: HOW PREPARED IS YOUR CLIENT FOR THE EFFECTS OF A CYBER INCIDENT?
- Even tight security systems can be fallible
- Insurance purchase should be part of their preparation

DISCUSSION QUESTIONS: WHAT ASSISTANCE DOES YOUR CLIENT NEED IN THE EVENT OF A DATA BREACH INCIDENT, AND HOW DOES THAT MATCH WITH THE INSURER'S OFFERING?
- Not all offerings are the same
- Broadly speaking, forms range from solely reimbursement to a full response service offering
- Padlock puts response first, with a breach response services team and a panel of service providers offering:
  - Capability and competency
  - Capacity (outside of conflict)
  - Cost (preferred rates mean more bang for your buck)
DISCUSSION QUESTIONS: WHAT IS THE TRIGGER TO DATA BREACH COVERAGE?
- Padlock goes beyond just providing cover for an incident to include coverage for a reasonably suspected incident

DISCUSSION QUESTIONS: DOES THE INSURER IMPOSE ANY MINIMUM SECURITY LEVEL OR PATCH REQUIREMENT WARRANTIES?
- Some insurers require robust and strict security controls
- Padlock does not impose such restrictions

DISCUSSION QUESTIONS: WHAT INFORMATION DO THEY REQUIRE IN THE UNDERWRITING PROCESS?
- Some insurers will need long and complicated applications
- We already have the information we need to provide Padlock at automatic limits

Padlock - Cyber and Data Threat Protection: BREACH & CLAIM SCENARIOS
BREACH AND CLAIMS SCENARIOS #1: WANNACRY RANSOMWARE INFECTION HITS MULTIPLE INSURING AGREEMENTS
The insured reported that one of its computers was infected with the WannaCry malware. The malware encrypted large chunks of data. The hackers demanded a ransom payment to decrypt it.
- Privacy Breach Response Services: to assist the insured and determine the best course of action throughout the whole response
- Cyber Extortion: to cover ransom payments following an extortion threat, if the insured decides to pay and that is pre-agreed by Gore
- First Party Data Protection: to cover data restoration, data recreation and system restoration following damage to a data asset as a result of the event
- First Party Business Interruption: to cover income loss and extra expense for the insured in their downtime following an event
- Information Security & Privacy: if the event caused a disclosure of personally identifiable non-public information which violated privacy law, the policy would cover damages and claim expenses for the insured

BREACH AND CLAIMS SCENARIOS #2: BURGLARY, PHYSICAL LOSS OF PAPER RECORDS
A franchise notified their insurer that one of its stores was broken into and a lockbox containing employee and direct deposit information was stolen. The Breach Response Service team connected the insured to privacy counsel, who advised the insured that a breach of paper records containing employee personally identifiable information, including social security numbers, required notification under relevant provincial law. Privacy counsel drafted the legally required notifications and the Breach Response Service team arranged for credit monitoring to be offered to the affected employees and former employees.
BREACH AND CLAIMS SCENARIOS #3: HOTEL BREACH, UNINTENDED DISCLOSURE
A franchisee of a hotel chain had a computer error where guests' credit card numbers, passport numbers, or driver's license numbers were entered into a field intended to hold residential address information, which was then shared with marketing partners and/or used for a mailing. The Breach Response Service team connected the hotel with a law firm as well as a forensic firm, who together determined that approximately 30,000 individuals needed to be notified. The Breach Response Service team also lined up a notification and call center services vendor. One regulator opened a regulatory investigation.

BREACH AND CLAIMS SCENARIOS #4: RETAIL POS BREACH EXAMPLE
A small fast-food chain received a Common Point of Purchase (CPP) notice from VISA, MasterCard and Discover which indicated credit card vulnerabilities potentially related to one of the insured's restaurant locations. The Breach Response Service team recommended and connected the insured with panel privacy counsel and forensics. The forensics assessment determined that approximately 6,000 cards were affected. Because the insured did not retain customer names or addresses associated with the credit card numbers, and in order to satisfy the regulator's substitute notice requirements, the insured posted notification on its website and in printed media. Costs exceeded $30,000 for legal, forensics and call center services; all services were facilitated by the Breach Response Services team.
BREACH AND CLAIMS SCENARIOS #5: POTENTIAL DATA BREACH AT HOA
The officer of an insured homeowners association discovered an unrecognized connection to his Dropbox account, on which homeowners association documents were stored for backup purposes. The officer and his wife had recently been the victims of identity theft and were concerned that the unauthorized connection to Dropbox was how their identities were stolen. The Dropbox account contained the PII of members of the homeowners association as well as some contractors. The insured hired privacy counsel from the Breach Response Service panel, notified the affected individuals, and provided credit monitoring in connection with the notifications.

Padlock - Cyber and Data Threat Protection: ELIGIBILITY CRITERIA
ELIGIBILITY CRITERIA
- We have a broad appetite for industry classes covering the vast majority of our policyholders.
- Policyholders are allocated a risk grading based on IAO code.
- Risk grading determines the pricing structure.

Padlock - Cyber and Data Threat Protection: HIGHER LIMITS
HIGHER LIMITS
IF YOUR SMALL BUSINESS CUSTOMER WOULD LIKE HIGHER LIMITS, OR IF THEY'RE INELIGIBLE FOR THE AUTOMATIC PRODUCT:
- Contact your underwriter
- There is a short form application
- Additional premium would be required