September 14, 2011 Network Risk/Privacy Insurance Exposure and Coverage Issues.


Aon Risk Solutions | Financial Services Group Proprietary & Confidential

Network Risk and Data Exposures

- Networks and data essential to operations
  - IT infrastructure interruption
  - Data disclosure risk: account info; PII/PHI; customer/shareholder/employee/business partner data
  - Data collection/use risk; credit cards
- Web presence
  - Online transactions
  - Web content/tools
- Advertising & Branding
  - Online advertising, product information, etc.
  - Social media
- Other online systems: jobs/vendor/information management/employee data
- TRUST may be a big issue depending upon industry (FI and healthcare vs. retail): a breach can lead to severe reputational harm.

Data Breach Litigation & Costs

- The Heartland Payment Systems breach disclosed in January 2009 affected over 250,000 merchants and 500+ financial institutions. Fourteen lawsuits filed against Heartland. $65 Million Visa Settlement Rejected by attorneys.
- TJX reached a $40.9 Million settlement agreement with banks that processed credit card transactions. This represented only a fraction of the $256 million+ cost of the breach.
- Hannaford data breach consumer suffering case accepted by Maine Supreme Court: Hannaford wins!
- TD Ameritrade Settlement Rejected by court because of insufficient remuneration to the class. Lawyers do well; consumers get little.
- They keep happening... Epsilon, Sony, Lockheed, Citi... the NY Yankees!

Of the 78% of Fortune 1,000 U.S. entities that have reported a data breach*:

- 80% of breaches = total insurable amount < $1,000,000
- 15% of breaches = total insurable amount $1,000,000 - $20,000,000
- 5% of breaches = total insurable amount > $20,000,000

*January 2011 Ponemon Institute Study

Cost Timeline of a Breach

- Recognize breach
- Forensics: determine extent of breach, number of records lost, type of information lost
- Review federal and state statutes, actions necessary in breach response
- Notification, credit monitoring, credit restoration
- Potential regulatory fines and penalties incurred
- Vendor fines and penalties incurred
- Third party litigation and damages

Regulatory Environment

- 46 State Breach Disclosure Laws in effect
- State AG & FTC actions more prevalent
- FINRA now active
- MN Plastic Card Security Act (WA now has similar law)
- New Federal Laws
  - HITECH Act created first federal law
- HIPAA enforcement ramping up
  - CVS/Caremark fined $2.5M - many recent fines
- FACTA "Red Flag" rule
  - Mandatory compliance
- GLBA, FCRA, FACTA, COPPA, etc.
- PCI standards being enforced more aggressively

Implications:

- Fines & Penalties
- Injunctions
- Oversight/Remediation requirements
- Harm to Reputation
- Criminal Indictments
- Precursor to Civil Liability

Costs of a Breach

- Breaches of confidential information can lead to significant expenses and liability:
  - Post-breach expenses like compliance with breach disclosure laws, forensics, public relations costs, and identity theft prevention services
  - Litigation from credit card issuing banks and consumers
  - Regulatory actions alleging violation of consumer protection and privacy laws
  - Fines, penalties and/or remediation expenses if PCI non-compliance is found or from government regulators
- Recent breach events show:
  - Plaintiff's attorneys adopting new strategies
  - Significant implications for settlements/judgments
  - Financial institutions tired of holding the bag
  - Real incurred losses
  - Medical Identity Theft on the rise
  - Increased potential for regulatory penalties

Minor costs per record (size of the breach can lead to major costs):

- $1 - cost to notify
- $20-$30 cost to monitor/year
- $20-$35 card re-issuance
- $1k-$5k damages sought per victim

Significant damages/cost:

- Fraud Losses
- Class Action plaintiff's attorneys fees
- Theft of confidential corporate information

Average cost of a data breach in 2011*:

- $214 per record
- $7,200,000 per incident

*January 2011 Ponemon Institute Study

Hypothetical Breach Scenario

150,000 Records

| Response Step/Event | Estimated Cost | Insurable? |
| --- | --- | --- |
| First Party Data Loss Damages: Business interruption or suspension of network, including business income and extra expense - value to client of data lost | Subject to large retention and per hour loss limit (i.e. $250K/hour) | Yes, but no claims paid and difficult to prove. Does not cover future lost business. |
| Crisis Management: 1. Investigate and plan breach response (includes legal and/or public relations expenses) 2. Forensics costs to investigate breach | $5,000 - $50,000; $5,000 - $1,000,000 | Yes - almost always sublimited |
| Notify customers in compliance with state data breach notice laws (likely able to use alternative notification provision) | $4,500 - $20,000 | Yes - almost always sublimited |
| Offer credit monitoring services to affected individuals (cost could increase significantly depending on breadth of package and # of activations) | $450,000 | Yes - almost always sublimited |
| Damages: Damages sought by banks and credit unions for card re-issuance expenses | $750,000 - $3,000,000 | Yes |
| Damages sought in consumer class-action lawsuit | $150,000,000 | Yes |
| Damages sought in individual lawsuits alleging loss of money from movement of funds out of an account(s) | $1,000,000 | Yes |
| Contractual penalties: Penalties in contractual agreements for non-compliance with Payment Card Industry Data Security Standard (PCI-DSS) | $100,000 - $1,000,000 | No, in most cases specifically excluded |
| Regulatory defense: Defense expenses related to HHS, FTC, or State AG investigations | $50,000 - $2,000,000 | Yes |
| Regulatory penalties: Resolution/Settlement Agreement executed with HHS/FTC/State AG | $100,000 - $10,000,000 | Yes |
| Total potentially insurable amount: | $150,00,000 + | |

Network Risk Coverage Types

Always Look to the Claim

- Computer Crime Policy: triggered by direct loss of the Insured
- First Party Network Security: for losses incurred by the insured for network failures - similar to property coverage
- Third Party Network Security: for losses incurred arising from a breach of network security, including transmission of a virus and identity theft - can include professional services coverage.
- Privacy Violations: loss and liability arising from a breach of privacy under defined privacy regulations, including GLB, HIPAA, and state privacy protection laws, including Data Breach Costs coverage - for costs associated with a breach (notification, credit reports, credit monitoring) BEFORE actual damages to individuals have occurred

Sample Program

- Security and Privacy Policy: $10,000,000 Primary Aggregate Limit (3rd Party Coverage)
- Excess Limits: $10,000,000 or more
- Retention Options of: $100K to $10M
- Event Manmgt. Sublimits: $3,000,000
- Regulatory Defense Costs Sublimit: $1,000,000
- Excess Event Manmgt. Sublimits: $3,000,000 (if needed)
- Excess Regulatory Defense (if needed)
- Sublimits: Part of the Full Limit

Program notes:

- Limits: $2M, $5M or $10M in primary. Excess depends on size and industry.
- Retentions: Revenue is the big driver here, but companies look at a variety of options. Higher retentions will have a material impact on pricing.
- Carriers: Lots of carriers but a subset of leaders. Lots of excess capacity if needed.
- Estimated Pricing: Dependent upon retention, industry class, revenue, claims history, terms.

What limits are appropriate?

- An Art not a Science
- Losses are very fact specific: how many records, what kind of records, nature of the breach all have a large impact on the overall cost
- Costs per Record figures are scary and include lots of hypothetical costs that may or may not have occurred and that if they did occur are difficult to accurately measure and cannot be insured
- Most breaches are small: larger companies buy for the big one, not for the small ones
- Benchmarking is available but illustrates that companies make a wide range of decisions as to limits
- Factors to consider: industry class, revenue size and number and types of records are metrics to consider.

Proper Coverage is Essential!

- Failure of Network Operations Security
- Failure to Protect/Wrongful Disclosure of Information
- Inclusion of Employees as Plaintiffs
- Defense/Indemnity associated with Regulatory Actions
- Vicarious Liability Coverage for Vendor Error
- Notification Costs/Crisis Management
- Regulatory Defense
- Electronic Content Liability
- Professional Services Liability

Base policy forms vary and must be customized to ensure maximum possible coverage.

Underwriting Submission & Meetings

- Risk management policies and loss history are critical.
- Revenue and Industry Class are key drivers of pricing.

First step: complete an Application and an IT Security Self-Assessment. The underwriters will then want to conduct a due diligence call with the Insured's IT Security experts to discuss the information in the self-assessment. The underwriters will also require information from the Insured's attorneys regarding contractual allocation of liability with respect to its IT security partners and vendors.

Questions/Contacts

Aon Financial Services Group
Professional Risk Solutions
Steve Bridges

Appendix - First Party Coverages

- Damage to Intangible Property: intangible property such as software and data, exposed to damage or theft by electronic means such as virus, unauthorized access or usage, as well as theft of computer system capacity
- Network Business Interruption: disruption of revenue streams by non-traditional means such as hacking, virus, or denial of service attacks
- Cyber-Extortion: loss arising from extortion threats regarding computer networks and intangible assets
- Cyber-Terrorism: loss and liability arising from cyber-terrorism events