CYBER LIABILITY
Cyber and Information Security Insurance
Bring on tomorrow
AGENDA
- Evolution of Information Security
- Information Security Issues to Consider
- Financial Implications of Failure to Protect Information
- Claims Examples
- Risk Mitigation Strategies
- Insurance Solutions
- Questions & Answers
EVOLUTION OF INFORMATION SECURITY
- Network security coverage first written in 1999
- Dependency on the Internet created a need for insurance
- Privacy liability coverage introduced in 2005
- Coverage continues to evolve
HOW CAN A BREACH OCCUR?
INTERNALLY (Employees/Vendors)
- Stealing information (card skimming)
- Lost resources (laptop, smart phone, tablet)
- Mishandling of paper files
EXTERNALLY (Individual Hackers/Organized Crime)
- Stealing information
- Sending viruses/malicious code
- Disruption of business (vandalism)
HOW DO WE IDENTIFY EXPOSURES?
DO THEY HANDLE INFORMATION? IF SO, WHAT KIND?
- Their own company's (including employees)
- Their clients' (confidential - personal or commercial)
WHERE DO THEY STORE THE INFORMATION, ONLINE OR OFFLINE?
- Computer network - do they operate the network themselves or outsource it to a vendor?
- Paper records
DO THEY HAVE A WEBSITE?
- What is the content on the site?
- Can employees or third parties upload content (e.g. blog, post pictures, post comments)?
SPECIFIC REGULATORY ISSUES BY INDUSTRY
- All Industries – State Breach Notification Laws
- Public Companies – SEC Cyber Disclosure Guidance
- Retailers – PCI Data Security Standards (PCI-DSS)
- Financial Institutions – Gramm Leach Bliley (GLB); Red Flag Act; Fair and Accurate Credit Transactions Act (FACTA)
- Education – Child Online Privacy Protection Act (COPPA); Family Educational Rights and Privacy Act (FERPA)
- Healthcare – Health Insurance Portability and Accountability Act (HIPAA); Health Information Technology for Economic and Clinical Health (HITECH)
- Manufacturing – Corporate confidential information; concerned about network interruption including system failure, cyber extortion and trade secrets
GAPS IN TRADITIONAL COVERAGE
The following coverages are confined to physical perils such as fire, flood, fraud and theft:
- Commercial General Liability (CGL) / Bodily Injury and Property Damage (BIPD)
- Crime / Fidelity
Management Liability coverages include:
- Employment Practices Liability (EPLI)
- Directors & Officers (D&O)
An insured's intangible exposures, such as data loss due to a virus, web attacks, and lost laptops, are typically excluded.
FINANCIAL IMPLICATIONS
- Breach Notification Costs: 47 states have breach notification laws
- Consumer Redress / Identity Monitoring
- Regulatory Actions: costs to respond to inquiries and requests for information from regulatory offices; costs to defend and fines / penalties
- Lawsuits & Defense Costs: liability for damages to third parties
- Management Liability: claims against D&Os
- Active Attorneys General
- Unbudgeted Expenses
- Reputational Damage: lost customers / revenues
CLAIMS EXAMPLES – Rogue Employee
Insured: Multinational Bank
Paid: $20M (First Party: $1M, Third Party: $19M)
Total Loss to Insured: >$40M
The FBI arrested a former employee in an alleged scheme which involved stealing and selling sensitive personal information, including Social Security numbers. The breach occurred over a two-year period. The insider was a senior financial analyst at the insured's subprime lending division. The alleged data thief was said to have used a thumb drive to download over two million records, accessing approximately 20,000 customer profiles each week and selling each download for $500. The Court required that notification be made to everyone in the accessed database, over ten million people. Forty-two class actions followed and the overall settlement provided the consolidated class with $25M in credit monitoring and identity theft insurance, $5M in plaintiff attorney fees, $5M in administration costs, and a $5M cap for proven actual loss. Our limit was exhausted through the defense costs and the cost of credit monitoring and identity theft insurance made available to the class.
CLAIMS EXAMPLES – External Hacking
Insured: Credit Card Processor
Paid: $6.5M (First Party: $2M, Third Party: $4.5M)
Total Loss to Insured: $7M
The insured experienced a breach of its merchant processing systems in Eastern Europe. Malware was introduced into the insured's systems which allowed the hackers to replicate credit card information. The breach affected millions of transactions worldwide, involving approximately 15 banks as well as all major credit card companies. The First Party/Event Management sublimit was exhausted through the use of a breach coach and a public relations firm, as well as forensics. The carrier worked with the insured to avoid litigation by coordinating with the credit card companies and banks on an investigation of losses from fraudulent charges and the costs of card re-issuance.
CLAIMS EXAMPLES – Phishing
Insured: Webhost
Paid: $1M (First Party: $1M)
Total Loss to Insured: $1.6M
The insured was the victim of a phishing attack. The phishing email requested that a link be clicked, and when an employee did so a virus was launched which captured the log-in credentials of several hundred employees. These credentials were subsequently used by the attackers to access the customer environments of 33 cloud clients of the insured and steal their financial information. No suit was ultimately commenced, but the insured incurred $1.6M in first party costs, including notification and forensics.
CLAIMS EXAMPLES – Web Tracking Cookies
Insured: Media Conglomerate
Paid: $5M to date
Total Loss to Insured: TBD
Class action against the insured and three other defendants alleging the defendants gained unauthorized access to data contained on plaintiffs' computing devices (including desktop and mobile electronic devices) by circumventing Safari browser privacy settings and placing "cookies" on plaintiffs' computing devices for the purpose of on-line tracking. Lawsuits allege violations of the Electronic Communications Privacy Act (ECPA), Stored Communications Act (SCA), and Computer Fraud and Abuse Act. The FTC, the US House of Representatives' Energy and Commerce Committee, and the States' Attorneys General of FL and NJ have each made an inquiry regarding the insured's privacy practices; these investigations are on-going. Plaintiffs' damages model includes alleged statutory violations with respect to the ECPA (the greater of $100/day for which plaintiffs' electronic communications were intercepted or $10,000 per violation) and SCA (statutory minimum damages of $1,000 per person). Plaintiffs estimate millions of class members.
PRIOR INCIDENTS WITH SIGNIFICANT LOSSES...
Retailers
- TJ Maxx (retailer's costly aftermath): Hackers captured data for over 45 million credit/debit cards, resulting in estimated total losses over $250 million including forensics cost, credit monitoring and notification cost, and defense cost.
- Hannaford (supermarket chain): Hackers obtained access to over 4 million credit/debit cards from Point of Sale (POS) systems. The retailer was PCI compliant at the time of the breach.
Source:
PRIOR INCIDENTS CONTINUED…
Payment Processors (cardholder data gold mine)
- RBS WorldPay: Coordinated attack where hackers compromised a database to obtain cardholder data and secret PINs. Duplicate payroll ATM and prepaid gift cards were created, thereby stealing over $9 million in a single weekend across Europe. 1.5 million cardholders were exposed. Credit monitoring was offered to the victims for 12 months.
- Heartland Payment Systems: Hackers were able to steal cardholder data from a major payment processor with 250,000 customers. Over 100 million cards may have been exposed and 600 financial institutions were impacted by the breach. A few class action suits have already been filed. Damages could include the cost to reissue cards. $12.6 million in fines and legal costs have been incurred by the firm so far.
BREACH RESPONSE TIMELINE
RISK MITIGATION
- Commitment at the C-Suite (CEO, CFO, General Counsel, Risk Manager)
- Information Technology
- Legal
- Vendor / Vendor Management
- Human Resources
- Data Retention
- Risk Control
- Education
THIRD PARTY LIABILITY COVERAGE – Security & Privacy
SECURITY FAILURE
- A failure of the insured's network security
- Virus, malicious code, malware attacks
PRIVACY EVENT
- A failure to protect confidential information: personal or corporate, online or offline
- Violation of any federal, state or local privacy statute
- Failure to comply with PCI-DSS standards
THIRD PARTY LIABILITY COVERAGE – Security & Privacy
ALLEGATIONS CAN BE BROUGHT BY individuals, businesses, administrative or government agencies
- Duty-to-Defend coverage
- Broad definition of "confidential information" and "computer system"
- Coverage extends to information held by "Information Holders"
- Coverage for regulatory fines/penalties and PCI assessments
FIRST PARTY COVERAGE – Event Management – Breach Response
Responds to the costs to retain services to assist in managing and mitigating a covered privacy or network security incident:
- Includes costs to notify consumers of a release of private information
- Costs of credit-monitoring or other remediation services to help minimize damages; credit monitoring not limited to 12 months
- Forensic investigation coverage
- Public relations/legal assistance expense coverage
- Call center services
- Goodwill notification – not limited to state notification or legal requirements
- Can be offered on a Monetary (insured uses own vendors) or Number of Affected Persons (insurer handles) basis
- Includes costs associated with losses to information assets such as customer databases
FIRST PARTY COVERAGE – Network Interruption
Network Business Interruption: insurance responds to an insured's loss of income and operating expenses when business operations are interrupted or suspended due to a failure of network security.
- Broad definition of loss includes lost business income, normal operating expenses (including payroll) and those costs that would not have been incurred but for the interruption
- System Failure can be added by endorsement
- Limited coverage for outsource provider - $100,000
- Waiting hour period applies
FIRST PARTY COVERAGE – Cyber Extortion
CYBER EXTORTION: insurance pays to settle network security related extortion demands made against the insured.
- Kidnap & ransom insurance for a computer network
- Triggers when there is a threat to commit a computer attack against the insured and a demand for money to terminate the threat
- Includes the costs of investigations to determine the cause of the security threat and to settle the extortion demand
THIRD PARTY COVERAGE – Media Content Liability
Liabilities faced by companies that have published content: website, print, broadcast, etc.
- Responds to claims arising out of all media distributed by the insured (website only, online and/or offline)
- Typical types of claims: trademark infringement; copyright infringement; defamation; false light; false imprisonment; product disparagement; infliction of emotional distress
PRODUCT EVOLUTION – PROACTIVE TOOLS
- Vulnerability scans
- IT audits
- Table top exercises
- Security hardware/software consultation
- Training
- Compliance
Bridget Sakach – Cyber Specialist – Midwest Region - Cyber Liability
Tel | Cell |

American International Group, Inc. (AIG) is a leading international insurance organization serving customers in more than 130 countries. AIG companies serve commercial, institutional, and individual customers through one of the most extensive worldwide property-casualty networks of any insurer. In addition, AIG companies are leading providers of life insurance and retirement services in the United States. AIG common stock is listed on the New York Stock Exchange and the Tokyo Stock Exchange. Additional information about AIG can be found at | YouTube: | | LinkedIn:

AIG is the marketing name for the worldwide property-casualty, life and retirement, and general insurance operations of American International Group, Inc. For additional information, please visit our website at All products and services are written or provided by subsidiaries or affiliates of American International Group, Inc. Products or services may not be available in all countries, and coverage is subject to actual policy language. Non-insurance products and services may be provided by independent third parties. Certain property-casualty coverages may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds, and insureds are therefore not protected by such funds.

Apple, the Apple logo, iPhone and iPad are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Android and Google Play are trademarks of Google Inc.