John A. Wright, CEO WIPFLI Client Appreciation June 8, 2017 Cyber Risk Management and Risk Transfer Issues Issues and Challenges for Companies managing Cyber Exposures John A. Wright, CEO WIPFLI Client Appreciation June 8, 2017

Discussion Outline Understanding the scope of the problem What are the first steps? Understanding and evaluating your exposures Establish a Crisis plan Planning for Risk Mitigation Cyber Insurance Areas of insurance to be aware of and explore Prevention strategies

Uncomfortable Truths of Cyber Risk* Technology Solutions alone can never keep pace with dynamic cyber threats Defense is harder to play than Offense They only have to win once to cause damage True for all threat management Attackers have patience and latency on their side Source: Harvard Business Review May 16, 2017, “The Best Cybersecurity Investment You Can Make Is Better Training” by Dante Disparte and Chris Furlow

Prophetic Words

Data Records Lost or Stolen Statistics* Daily – 4,428,790 records breached 4% of Breaches were “Secure Breaches” Encryption was used Stolen Data rendered useless Symantec Threat Report – 2016 Breaches of Firms by Employees Size 43% of breaches: 1-250 employees 22% of breaches: 251-2500 employees 35% of breaches 2500+ employees

Evaluation of Exposures What types of information do you maintain internally/externally What contractual commitments has your company committed to on behalf of others Open end assumption of IP in the event of cyber breaches that your company, employees, independent contractors, subs. are responsible for Limitation of Damages Duty to notify their constituents What contracts do you have with “data storage providers” such as cloud services What protections do they provide via indemnity, hold harmless agreements, insurance protection, etc. Are there limitations of damages in their contracts

Methods for determining Financial Exposures to Loss Number of Records requiring statutory notification Not just customers but unique data records Contractual Obligations Number of Employee records Archived Data Information Credit Card transactions Calculators online Basic guidelines: Small to Mid-size companies - $65 per record to calculate transferable risk exposure Average Cyber Breach Loss - $2,100,000

Types of Information held Counts Assume 10,000 records breached Net Diligence Mini Data Breach Cost Calculator No Class Action Lawsuits assumed PCI records: $380,750 $38 cost per record PII and PHI records: $ 2,257,250 $226 cost per record Differential is mostly Regulatory Fines and Penalties

Plan Ahead Before a Breach Happens – Just scratching the surface Identify your Exposures and Quantify Establish Policies and Procedures for Data Security Establish a Crisis Response protocol and team- Who is in charge? Train All Employees on basics Password protocols Financial transfer procedures Understanding consequences of opening attachments Dual authentication of information Understanding what is a reportable Breach and what to do in the event it occurs BYOD policies and safeguards File Discipline and Storage

Cyber Risk Insurance Very little coverage for Data Breach events in your insurance programs without Cyber Risk Coverage. There is no intent to cover this under standard policies of General Liability, Commercial Crime, and D&O coverage Approximately 80 different underwriters offer various types of cyber insurance No policy form is the same! Rapidly evolving terms and conditions

Cyber Liability Defined Insurance coverage specifically designed to protect a business or organization from: Liability claims involving the unauthorized release of information for which the organization has a legal obligation to keep private or confidential Liability claims alleging invasion of privacy and/or copyright/trademark violations in a digital, online or social media environment Liability claims alleging failures of computer security that result in deletion/alteration of data, transmission of malicious code, denial of service, etc. Defense costs in State or Federal regulatory proceedings that involve violations of privacy law The provision of expert resources and monetary reimbursement to the Insured for the out-of-pocket (1st Party) expenses associated with the appropriate handling of the types of incidents listed above

Coverage Components Privacy Liability Coverage Privacy Regulatory Claims Coverage Security Breach Response Coverage Security Liability Multimedia Liability Cyber Extortion Business income and Digital Asset Restoration PCI-DSS Assessments Cyber Deception coverage

Some Issues to be aware of! What is the definition of Cyber Breach? Hacking event? Data that is sent mistakenly to an unauthorized party? Dumpster Diving? Are there policy warranties – Conditions that void coverage if not in place Encryption Prohibited use of memory sticks Personal devices

Some Issues to be aware of! Who are the Crisis Response teams for Breach response and Forensics What services do they provide pre-breach? Can you choose your own? Can you access them 24 hours? What are your deductibles? Per breach event? Deductible per coverage section Is there a percentage deductible?

Some Issues to be aware of! Are coverage limits aggregated or separate? Is there a # of records limit versus monetary value? Is there coverage for Contractually assumed exposures? What are the claims triggers by coverage? Claims made and reported? Claims made? Extended reporting periods? What is the duty to notify? What type of notification is covered? Statuatory or Voluntary

Prevention Strategies Patch applications and operating systems “Whitelist” applications Restrict administrative privileges Segment and separate networks – restrict host to host communications paths Validate inputs Tune file reputation systems Maintain firewalls Source: Joint analysis report 16-20296, Dept. of Homeland Security and the FBI

Conclusion The game has changed regarding protection of confidential data held by you Statutory oversights have increased Enterprise risk management by cloud service providers and payment processors have limited the potential to recover from them or be protected by them Internal policies, focus and external risk transfer can provide a safety net to protect your balance sheet if prepared If not, watch out!!