Protecting Your Business from Information Thieves: Overview of Security/Privacy Risks and Risk Transfer
Malcolm Randles, malcolm.randles@uk.lockton.com
Some Key Discovery Questions
• Does your business model, services, or solutions involve collecting, storing, using, transmitting, selling, etc. personally identifiable information of individuals?
• Do you outsource or offshore important elements of your IT management or business infrastructure (such as fulfillment, customer service, etc.)?
• How many employees do you have? Are you self-insured for your employee medical plan?
• Have you had any incidents, losses, or regulatory investigations concerning privacy or security?
• Is your computer network very time sensitive if it were down? Does it vary by season or time of year?
• Do you indemnify your customers under contract for breach of confidentiality or security?
• Do any of your products or services have a patent infringement exposure, whether the patent is for design, physical product, software, or business process?
Cyber Liability Risk Basics – People, Processes, and Technology in an Ever-Changing Environment
• Security Liability: Someone (including an associate, vendor or an independent contractor) attacks or accesses/uses your computer network in an unauthorised manner, or someone steals mobile computer equipment to perpetrate data theft.
• Responsibility is on the data owner worldwide to its consumers and employees
• Insiders are the most frequent perpetrators
• Constant new threats
• Identity and data theft (cyber crime) is the biggest issue
• Motives range from nuisance/malicious hacking through extortion and terrorism
• Transmission of malicious code
• Denial of service attack (against your network, or co-opting your computers to participate in an attack on others)
Cyber Liability Risk Basics – People, Processes, and Technology in an Ever-Changing Environment
• Privacy Liability: Violation of privacy laws or regulations that permit individuals to control the collection, access, transmission, use, and accuracy of their personally identifiable financial information
Severity Risk and Getting Worse
• Responsibility to warn consumers (and employees) of a potential security breach of their personal information.
• Identity theft is a business and heavily involves organized crime around the world (phishing and pharming). The CEO of McAfee suggests it is now bigger than the illicit drug trade.
• Impact of vicarious liability resulting from increased outsourcing and off-shoring.
• Regulators like the Financial Services Authority and the ICO bring enforcement actions for breaches of privacy and security as identity theft continues to grow (NATIONWIDE).
• Significant class action activity and derivative shareholder actions on the back of large security breaches. The largest loss is over $150 million (T. J. Maxx).
Why purchase cyber insurance?
• Investor fallout from uncovered losses with a large claim. Major impact on brand and reputation.
• Traditional insurance does not cover security liability or adequately cover privacy risks.
• No system can be designed to eliminate the potential for loss, as people and process failures cannot be eliminated. Insiders may be perpetrators.
• Many functions are conducted by outside vendors and contractors who may lack the insurance and assets to respond.
• Responsibility rests with the merchant from a legal and regulatory perspective and under credit card association operating regulations.
Cyber Liability Coverages
• Civil Liability
- Defense costs
- Single/class action
- Potential plaintiffs can include owners, other third parties, and employees
• Privacy/Security Regulatory Actions (sublimit)
- Defense costs
- Payment of civil fine or penalty
• Notification and Crisis Management Costs (sublimit)
- Mailing costs
- Offers of free credit report and credit monitoring to the affected group
- Outside PR and legal advice
- Professional call center
- Other costs associated with VISA/MasterCard credit card rules
Cyber First Party Coverages
Data/Electronic Information Loss
• Covers the cost of recollecting or retrieving data destroyed, damaged or corrupted due to a computer attack.
Business Interruption or Network Failure Expenses
• Covers the cost of lost net revenue and extra expense arising from a computer attack and other human-related perils. Especially valuable for computer networks with high availability needs.
Cyber-extortion
• Covers both the cost of investigation and the extortion demand amount related to a threat to commit a computer attack, implant a virus, etc.
Summary
• Identifying, preventing, mitigating and transferring privacy/security risk is a major priority for any company that accepts a debit or credit card as a form of payment, and for publicly traded companies.
• Outsourcing and offshoring is a fact of life, but it definitely increases data protection risks. A vendor management process is needed which includes due diligence, contract protections, and vendor insurance requirements.
• This is a risk of survivability, not invincibility. Develop a team and a plan for data breach incident response, just like your contingency plans for other threats.
• Clients should consider insurance protection, either in combination with professional liability coverage or as stand-alone coverage. Insurance is not a substitute for best security practices, but it deals with the potential severity risk you cannot prevent.
• Quality of coverage and management of claims are very important, as is the experience of the underwriter; be a thoughtful buyer.
Contact Details
• Lockton International
• Malcolm Randles
• malcolm.randles@uk.lockton.com
• 0207 933 2711