GSBA RMS Webinar Topic: GSBA Coverage Solution for Member’s Cyber Risk Exposures July 23, 2013.


Cyber-Risk Protection Introduction
• Today’s speakers
  1. Tom Flynn, Managing Director, Marsh USA
  2. Max Perkins, Specialty Lines Underwriter, Beazley Group
• Today’s Webinar: Definitions, Exposures/Threats, Legal, Case Examples, Estimated Costs, GSBA Solution, Conclusion

Cyber-Risk Protection / Privacy & Computer Security Protection / Privacy & Data Breach
• Coverage has many names in the industry but the basic risk is the same:
  1. School district “mishandles” personal data, resulting in regulatory requirements to notify and monitor for some period of time the impact on those individuals affected by the “breach”; or
  2. School district is hacked and the information is stolen, resulting in regulatory requirements to notify and monitor for some period of time the impact on those individuals affected by the “breach”, plus any potential liability resulting from the hackers stealing the data

Threats to a School District
• Internal Threats:
  - Rogue employee who was fired and wants to “hurt” the School District
  - “Idealist” who wants to “change” the School District policies by disrupting normal operations
  - Accidental or careless staff who lose the data either in paper format or electronically via a lost laptop
• External Threats:
  - Outside vendor or business associate with access to School District data who steals personal data sources
  - Organized crime – both foreign and domestic
  - Hackers or “Hacktivists” who do it “to change the world”

Threats to a School District
• Technology:
  - Viruses, SQL Injections, etc.
  - Structural vulnerability to your network
  - Employee use of Social Media / networking “opening the door” for hackers to enter your network
  - Remote teaching putting strain on the security of your internal network firewalls
  - Phishing
• “Old School”:
  - Dumpster diving for discarded papers that are not shredded
  - Loss or theft of a laptop with personal data on it

Threats to a School District
• Regulatory/Legal:
  - 47 states now have breach notification laws
    o Georgia is one of the 47 states, and its law applies to any entity, government or private, that has a breach; the law requires that they notify the people affected by the breach – Georgia Personal Identity Protection Act of 2007
  - Many breaches do not develop into identifiable theft but the notification and tracking requirement is very expensive to the School District
  - School nurses have to be especially careful with HIPAA information
  - At the present time, it is unclear how immunity would apply if the District were sued by a third party injured by a breach

Case Example One
• Scenario: Your employee is mad about furlough days and lack of raises so they deliberately post private resident information and employee salary data on your website for everyone to see, and use inappropriately
• Are you covered and for what?
  o Not under traditional policies nor under GSBA manuscript form
  o Personal Injury coverage section covers mental anguish but it excludes “willful violation of penal statute or ordinance committed by or with the consent of the Member including the unsolicited transmission of printed, electronic, oral, (including “robotic” phone messages), facsimiles and or s
  o School Leaders Liability excludes “any dishonest, fraudulent or criminal act or intentional act performed with intent to do malice” and also excludes “an utterance or publication from which a claim of libel, slander, …………, or an utterance or publication in violation of an individual’s right of privacy …”

Case Example Two
• Scenario: A hacker gains unauthorized access to your network and steals the social security numbers, full names and addresses of all employees of your School District so that he can sell them to organized crime for identity theft purposes
• Are you covered and for what?
  o Not under traditional policies nor under GSBA manuscript form
  o No bodily injury or property damage and same personal injury exclusions would apply
  o Crime coverage would cover “other property” under the Computer Theft portion of coverage but that only applies to tangible property with intrinsic value
  o Same School Leaders Liability exclusion would apply
  o Biggest cost item, however, is the notification requirement to the families and the monitoring expense of the credit files

Case Example Three
• Scenario: A school guidance counselor is working with seniors to make sure all the college applications are filed in a timely manner. Due to the deadlines, he takes home a large quantity of data on his laptop to work on it over the weekend but the laptop is either lost or stolen over the weekend
• Are you covered and for what?
  o Not under traditional policies nor under GSBA manuscript form
  o Same basic exclusions as under Scenario Two. There would be coverage for the laptop itself and for the cost to re-create the data on the laptop but there would not be any coverage for the liability resulting from the data being released into the cyber-world (if stolen for criminal purposes) nor for the cost of notification or credit monitoring as would be required under Georgia law

The Cost of a Breach

The GSBA Solution
• Conservative approach but one based in making sure School Districts in Georgia have a competitive, broad coverage option to address this growing exposure
• RMF has worked with Beazley, a prominent carrier in the Cyber Insurance space, to initially offer a group purchased option for each School District in RMF
• Over the next couple of years, RMF will assume some of the risk via the pool to make sure pricing remains stable and any underwriting profits accrue to the benefit of School Districts
• Beazley will issue policies and has the infrastructure to guide a Member through any type of breach and how to help reduce the exposure of a breach

The GSBA Solution
• The goal is to adapt the Beazley form into the RMF coverage document as of July 1st, 2014 so that we have an affirmative grant of coverage in the coverage document
• For July 1st, 2013, coverage purchased will be on a stand-alone basis with a policy issued from Beazley
• Even once the form is adapted into the RMF coverage document, and RMF assumes a layer of risk like it does now on the property and liability coverage lines, Beazley will provide the specialty claims and risk control services to the Members

The GSBA Solution
• There are five coverage parts in the policy that has been negotiated with Beazley
• In keeping with the pool approach, there is some sharing of limits amongst all the Members in exchange for more competitive pricing for each Member
• A full proposal with individual pricing has been sent by the GSBA RMS to each Member next week
• Coverage is not mandatory although the program is built with some minimum levels of participation due to the pricing agreed upon with Beazley

The GSBA Solution
• Overview of Program Structure:
  o Coverage Part 1.A. – Information Security and Privacy Liability
    - Liability to a third party as a result of a failure of your network security to protect against identified threats
    - Liability to a third party as a result of the disclosure of confidential information
  o Coverage Part 1.B. – Privacy Breach Response Services
    - Crisis Management and Identity Theft response services and expense coverage in order to comply with regulatory compliance issues
    - This also includes the expense for retaining a crisis management firm to perform a forensic investigation to protect or restore the School District’s reputation as a result of a breach of privacy event
  o Coverage Part 1.C. – Regulatory Defense and Penalties
    - Fines and penalties associated with School District’s violation of a Privacy Law related to an insured breach

The GSBA Solution
• Overview of Program Structure:
  o Coverage Part 1.D. – Website Media Content Liability
    - Expansion for Cyber exposures of the coverage provided for under Personal Injury and School Leaders Liability coverage but without some of the electronic means limitations
  o Coverage Part 1.E. – Crisis Management and Public Relations
    - To pay for the Public Relations and Crisis Management expenses associated with the costs to manage a breach that gets into the public eye via newspaper, radio, television in order to re-build the School District’s reputation or to avoid undue damage in the reporting of the breach event
  o Coverage Part 1.F. – PCI Fines and Costs
    - Coverage for direct monetary fines and penalties owed by the School District under the terms of a Merchant Services Agreement and where the alleged breach was due to the result of a non-compliance with the published PCI Data Security Standards

The GSBA Solution
• Limits of Liability to Members:
  o Any one claim limit combined from all sections except Privacy Breach Response Services, is $1,000,000 subject to no more than $500,000 from Regulatory Defense and Penalties and $50,000 each from Crisis Management and PCI Fines and Costs
  o For Privacy Breach Response Services, there is no limit of liability as the coverage is based on the number of Notified Individuals. The RMF fund has an aggregate of 500,000 Notified Individuals subject to sub-limits for the legal and forensic expense coverage part which is limited to 250,000 and the foreign Notified Individuals extension which is limited to 50,000
  o The overall RMF fund aggregate limits for all Members from all coverage lines except Privacy Breach Response Services is $10,000,000 subject to no more than $5,000,000 from Regulatory Defense & Penalties and $500,000 each from Crisis Management and PCI Fines and Costs
  o Under the Privacy Breach Response Services coverage, the RMF fund has an aggregate of 5,000,000 Notified Individuals subject to sub-limits for the legal and forensic expense coverage part which is limited to 2,500,000 and the foreign Notified Individuals extension which is limited to 500,000

The GSBA Solution
• Retention / Deductibles for Members:
  o Any one claim limit combined from all sections except Privacy Breach Response Services, is $25,000
  o For Privacy Breach Response Services, the retention is broken into two parts:
    - All costs and services under the legal and forensic services combined with the notification costs would be $10,000 combined, subject to a sub-retention of no more than $5,000 in legal expenses exposed
    - Under the Call Center Services and Credit Monitoring Program, the retention of any expenses is limited based on the size of the district:
      · Small Members, which are less than 1,000 FTEs, would be responsible for any breaches involving less than 25 individuals
      · Medium Members, which are more than 1,000 FTEs but less than 10,000 FTEs, would be responsible for any breaches involving less than 50 individuals
      · Large Members, which are those Members with more than 10,000 FTEs, would be responsible for any breaches involving less than 100 individuals

The GSBA Solution
• Premium Brackets
  o Premium is based on FTE (current student and staff combined)
  o Includes coverage for alumni records even though alumni count is not included in the FTE for premium determination
  o Here are the proposed pricing ranges based on Student Enrollment:
    - 30,000 plus: $29,638 to $31,453
    - 20,000 to 29,999: $24,432 to $28,227
    - 10,000 to 19,999: $13,903 to $21,683
    - 5,000 to 9,999: $7,111 to $11,504
    - 2,500 to 4,999: $4,392 to $6,658
    - 1,000 to 2,499: $1,942 to $4,
    - or less: $500 to $1,628

Conclusion
• The exposure is here to stay
  - Computers and mobile devices that store personal information about your employees and your students are an integral part of your District
  - Accidental loss of, or criminal appropriation of, that personal information will continue to happen
  - Attacks are getting more frequent and more sophisticated
  - GSBA RMF and Beazley offer you broad coverage at a reasonable premium and a team ready to respond when necessary