What do you want? What do you need? What’s available? How much can you actually get? How much does it really cost?

Kimberly K. Ferenchak, Vice-PresidentOswald Companies

Robert A. Cutbirth, Esq.Tucker Ellis LLP

Insurance – Buying the Right Coverage

OSWALD LOGO

Insurance … The Trends

Justifications for Not Buying

• “Our company isn’t large enough to be a target for hackers and data thieves.”

• Disgruntled Employees/Accidental Disclosures

• “We have (or believe we have) coverage through CGL/E&O/D&O Policy”

• New Data Breach Exclusions for CGL• Limited Scope

• “We outsource data functions to third party vendors; this is their problem”

• Nondelegable Duty/Contractual and Coverage Limitations

“Incentives” to Promote Change?

• Contractual Requirements– New Client/Vendor Requirements

• Major Financial Risks– The Risk Exposures are Significant

• New Standards of Liability– New Laws and Regulations

• New Levels of Board Awareness/Corporate Governance Standards

First Party Insurance ElementsFirst Party Coverages (Losses/expenses incurred by insured)• Event Management Expense: Coverage for notification costs, credit

monitoring/restoration services, legal assistance, forensic investigation costs, and costs to hire PR firm to minimize harm

• Cyber Extortion: Costs incurred to investigate and terminate an extortion threat to commit an intentional computer attack against the insured

• Information Asset: Covers replacement costs as a result of damage to or theft of insured’s information assets due to a covered computer attack (Data Restoration)

• Business Interruption: Coverage for loss (costs and lost income) in the wake of a computer attack that interrupts or suspends your business

Third Party Insurance ElementsThird Party Liability (Defense of Claims/Damages Owed To Others)

• Network Security Liability: Coverage for damages and defense costs resulting from breaches in network security; i.e., computer virus, unauthorized access, denial-of service, identity theft

• Privacy Liability: Coverage for failure to protect or wrongful disclosure of PI or PHI, whether or not due to failure of network security

• Privacy Regulatory Proceeding Coverage: Covers costs resulting from civil, administrative or regulatory proceedings alleging violation of privacy laws

• Electronic (Website) Media Liability Coverage: Coverage for content-based injuries such as libel, slander, defamation, copyright

Gaps in Traditional Coverage

D&O Property/GL Crime/Bond

Privacy & Security

Claim ScenarioPersonal Injury Coverage for defined

acts, including libel, slander, or publication of material in violation of a persons right to privacy

Legal liability only; Electronic platforms (i.e.: Internet, chat rooms, blogs, etc.) are typically excluded

No coverage Can offer defense and damages for libel, slander, disparagement, invasion of privacy (including electronic platforms)

Intellectual Property

No exclusion for individual insureds; Entity exclusion may provide carve-back for “publisher wrongful acts”

Must be in the course of advertising; No coverage for patent or trade secrets

No coverage Coverage available for trade secrets and other intellectual property exposures

Gaps in Traditional CoverageD&O Property/GL Crime/

BondPrivacy & Security

Claim ScenarioNotification of Security Breach

No coverage No coverage No coverage Coverage available (subject to carrier differentiators)

Credit Monitoring Fees

No coverage No coverage No coverage Coverage available (subject to carrier differentiators)

Crisis Management

No coverage No coverage No coverage Coverage available (subject to carrier differentiators)

Gaps in Traditional CoverageD&O Property/GL Crime/

BondPrivacy & Security

Claim ScenarioRegulatory Proceedings/ Fines/Penalties

Fines/penalties generally excluded; HIPAA sublimit provided

No coverage No coverage Coverage available for privacy-related regulatory actions, defense costs, fines & penalties

Theft of Client Money, Securities, or Property

No coverage No coverage Coverage available for assets only; No coverage for liabilities resulting from ID theft

Coverage available for liabilities resulting from ID theft

Business Interruption / Extra Expense

No coverage Coverage available for non-network/ privacy losses

No coverage Coverage available for network/privacy losses

The Costs and Underwriting Requirements• Costs

– Generally run 1% to 5% of the Limit of Liabilitydepending on: • Scope of Coverage• Business Risk (e.g., Medical vs. Mfrg. vs. Law Firm, etc.)• Risk Management Assessments and Preventative Measures

• Underwriting Requirements and Standards– Must Usually Demonstrate “Prudent Risk Management”– Underwriting Questions/Investigations are Becoming

More Significant and Sophisticated

Underwriting Reviews• Current and Complete Business Policies (Employee

Confidentiality/IT Acceptable Use Policies/Social Media Policies)

• Contracts – Internal and External Reviews• IT Systems Review (Updates/Passwords/PDA Standards/Data

Encryption/“Cloud” Storage)

• Physical Location Inspections (Physical Access/Natural Risks)

• HIPAA/HITECH, etc., Compliance (Updated Bus. Assoc. Agmts; Equipment Reviews)

• Personnel Records Management (Access/Storage)

• Employee Training/Standards of Education

Brokers and Counsel – “Risk Management”/“Underwriting Reviews”

• Contract Reviews– Proper Indemnity & Insurance Provisions– Security/Data Protection Standards

• Policy Reviews and Development– Updated and Appropriate Policies– Clear and Enforceable (Personnel and Defense Standards)

• Process & Procedure Reviews – the “How Do I …”– Negotiate Contract Terms– Train Employees– Maintain Quality Control/Checks and Balances

This presentation is not intended to give legal or regulatory advice. The information presented in this Presentation is for

preliminary information purposes only; it is not intended to be a complete description of all legal risks or exposures , or potential

insurance solutions.. Any coverage actually afforded by potential polices described herein is subject to, and governed by, the terms

and conditions of each policy that may be issued, with different insurers providing different coverage terms.

Kimberly K. FerenchakVice PresidentPractice Leader, P&C Executive Risk216.367.4942 kferenchak@oswaldcompanies.com

Oswald Companies1100 Superior Avenue, Suite 1500 Cleveland, OH  44114

Robert A. CutbirthAttorney, Insurance, Labor and Data Security/Privacy415.617.2235 Robert.cutbirth@tuckerellis.com

Tucker Ellis LLPOne Market PlazaSteuart Tower, Suite 700San Francisco, CA 94105

QUESTIONS?