
Page 1: Table of Contentssrmcsociety.org/wp-content/uploads/2016/03/Aon-Ace... · Mandiant 2014 33% of victims discover the breach internally, 67% of victims were notified by an external

| Professional Liability Renewal Proposal | Proprietary & Confidential

Table of Contents

Coverage Summary 1-6
Cyber Evaluation and Underwriting Cyber Risk 8-10
Claims 12-14
Market Update 16-20

Page 2:

Aon Risk Services | Financial Services Group | Professional Risk Solutions | Proprietary & Confidential

Cyber Coverage Summary

Privacy Breach (theft, loss & unauthorized disclosure of confidential information, including cyber extortion)
  1st Party Loss:
  - Breach response expenses*
  - Extortion expense/payment
  3rd Party Liability:
  - Damages
  - Defense costs
  - Regulatory defense and penalties
  - PCI fines

Security Breach (unauthorized access/use, alteration of data, virus transmission & DoS, including cyber extortion)
  1st Party Loss:
  - Breach response expenses*
  - Extortion expense/payment
  - Loss of income/extra expenses (BI and Dependent BI)
  - Data restoration cost
  3rd Party Liability:
  - Damages
  - Defense costs
  - Regulatory defense and penalties
  - PCI fines

Media Injuries (content-based injuries)
  3rd Party Liability:
  - Damages
  - Defense costs

E&O (professional services)
  3rd Party Liability:
  - Damages
  - Defense costs

* Breach response expenses include computer forensics expenses, crisis management costs, legal costs, notification costs, consumer credit monitoring services and call center

Page 3:

Technology, Privacy & Data Breach Exposures: Most Common Exposures

Professional Services

Personal Information

Corporate Information

Network Security Failure

Regulatory Proceedings

Internet Content

Cyber Extortion

Business Partner Exposures

Page 4:

Aon Risk Solutions | Proprietary & Confidential

What to Consider With Cyber?

Setting a Retroactive Date
- Network connectivity is at the forefront of the developing world, and most breaches are not discovered until months after the initial intrusion. Because policies exclude breaches that began before the retroactive date, the retroactive date should reach back far enough to cover an intrusion that is already under way but not yet detected.

Network Business Interruption
- As companies become more dependent on network capabilities, potential exposure related to business interruption increases.

Privacy Event Costs
- Do you carry high amounts of Personally Identifiable Information?
  • Direct Sales/Retail & E-Commerce
  • Protected Health Information
  • Customer Information
  • Full Time Employees
  • Background Checks
  • Theft, Extortion, or Destruction of critical information assets

Reputation/PR Costs
- Companies are highly dependent on brand recognition and reputation. Cyber coverage pays public relations costs subsequent to a breach.

Regulatory Coverage (for privacy events only)
- Federal and state regulators frequently fine entities that have a privacy event; there is more activity from the FTC and SEC.

Protect Financial Statements
- Costly breaches create disruptions in stock value.
- The SEC identifies cyber risk as potentially material for disclosure.

Page 5:


Time to Identify Data Breach

[Chart: Average Time to Identify a Data Breach. Y axis: Number of Days (0-250); X axis: Study. Average time to identify: Trustwave 188 days, Mandiant 205 days, Ponemon 206 days. Average time to contain: Ponemon 69 days.]

Please note: Trustwave data taken from the 2015 Trustwave Global Security Report (n = 574); Mandiant data taken from the 2015 Mandiant M-Trends "Beyond the Breach" study; Ponemon data taken from the Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis (n = 350).

Page 6:

Aon Risk Services | Financial Services Group | Professional Services Group | Proprietary & Confidential | February 17, 2015 / December 12, 2014

Cyber Evaluation and Underwriting Cyber Risk

Page 7:


Cyber Threat Environment

“Our intellectual property here [US] is about $5 Trillion. Of that, approximately $300 Billion is stolen over networks per year.” Commission on the Theft of American Intellectual Property, page 2, http://www.ipcommission.org/report/ip_commission_report_052213.pdf, citing Keith B. Alexander, “Cybersecurity and American Power” (conference presentation hosted by the American Enterprise Institute, Washington, D.C., July 9, 2012).

Although most people think in terms of ‘breach,’ events actually involve:
- Targeted attacks and sophisticated malware
- Botnet activities
- Hacktivism
- Cyber espionage
- Insider actions

Many forms of assets are under siege:
- Confidential and proprietary data; trade secrets and IP; customer information
- Payment systems and data

Recent, multi-pronged attacks signal a new era in cybercrime. Defenses are mounting, but the bad guys are winning. The objective is to mitigate; it is not possible to eliminate.

Page 8:


Other Cyber Considerations

Business structure and cyber/technologies dependencies

Strategies and operational changes (recent or near-term)

Perspectives regarding cyber and privacy exposures

Risk mitigation strategies, tools, resources, and protocols
- Risk evaluation or audit
- Risk quantification
- Incident response planning
- Employee training
- Table top exercises

Event planning and resources

Risk transfer approach(es)

• By 2020, 26 Billion objects will be connected to the internet.*

• 90% of the world's data was generated in the last two years.**

• 4.4 Trillion Gigabytes of Data in the World –expected to double every two years.***

*http://www.siemens.com/innovation/en/home/pictures-of-the-future/digitalization-and-software/internet-of-things-facts-and-forecasts.html

**http://www.sciencedaily.com/releases/2013/05/130522085217.htm

***http://www.itworldcanada.com/article/the-amount-of-data-were-creating-is-out-of-this-world/91586

Page 9:


Critical Questions in Evaluating Cyber Risk

- Does your organization have an enterprise security program that meets best practices and standards?
- Does your security program integrate compliance requirements?
- Do you know where there are gaps and deficiencies, as well as the priority that should be assigned to remediation measures?
- What are your organization's key vulnerabilities?
- What would be the financial consequences of a significant breach or cyber event?
- Are you prepared to manage a major event?
- What types of insurance are available, what limits should you consider, and at what price?
- Are your executives and the board exercising governance over privacy and security risks?

Page 10:

Loss Mitigation Services

• Complimentary Services: all policyholders will have free access to ACE's Cyber Experience, an online risk management portal, and a free one-hour educational session

• Essential Services:
  - Security Ratings for Data-Driven Risk Management (led by Bitsight)
  - Cyber Threat Blueprint (led by FireEye)
  - Incident Response (led by GD Fidelis)
  - Information Governance (led by Huron Consulting)
  - Vendor Management (led by Lewis Brisbois)
  - PCI Compliance Review (led by McGladrey)
  - Calculating Business Interruption (led by Navigant)
  - Cyber Readiness (led by NetDiligence)
  - HIPAA Compliance Program Review (led by Trustwave)
  - Security Awareness (led by Wombat Securities)
  - Cyber Threat Health Check (led by FireEye)

Page 11:


Claims

Page 12:


Cyber Risks – Quantification – Data Breach Severity

Response Step/Event                                          2014 Breach Costs* (Mean / Max)

First Party Loss
  Business interruption or suspension of network             Not enough data available
  Crisis Management
    Forensics expenses                                       $119,278 / $1,500,000
    Notification (includes call center/credit monitoring)    $175,147 / $6,150,000
    Legal guidance                                           $117,613 / $2,500,000
    Public relations                                         $4,513 / $135,000

Defense + Damages
  Legal costs to defend breach-related litigation            $698,797 / $4,000,000
  Damages sought in consumer class-action lawsuit            $558,520 / $2,500,000

PCI Fines
  Penalties for non-compliance with PCI standards/legal      $2,328,667 / $6,900,000

Regulatory Defense
  Defense expenses for HHS, FTC, State AG, etc.              $1,041,906 / $5,000,000

Regulatory Penalties
  Resolution/settlement and/or civil fines or penalties      $937,500 / $2,500,000

Total Exposure: $6M / $30M (approximately the sum of the mean values / the sum of the maximum values)

*2014 NetDiligence Report

[Pie chart: Total Claim Payouts by Type of Cost (N=85). Values as extracted, in legend order: Crisis Services 48%, Legal Defense 15%, Legal Settlement 10%, Regulatory Defense 10%, Regulatory Fines 6%, PCI Fines 11%.]

Page 13:


Data Breach Timeline

[Timeline chart, reconstructed: how the expenses accrue after the breach is detected]
- < 10 days: forensics; counsel review
- < 30 days: notification, credit monitoring, credit restoration
- 365+ days: vendor investigations; regulatory investigations; third-party litigation and damages

45% of losses paid by insurers are "Crisis Management Expenses"
15% of losses paid are Defense Costs
20% of losses paid are associated with damages, fines, or penalties

Source: NetDiligence

Page 14:

ACE Claims Analysis: Privacy Claims and Industry Trends

[Pie chart: privacy claims by cause]
- Hack 27%
- Lost/Stolen Devices 18% (Laptops 13%, Hard Drives 3%, Other 2%)
- Human Error 16%
- Rogue Employee 14%
- Privacy Policy 8%
- Unknown 8%
- Paper 6%
- Software Error 3%

Industry Breakout:
• Healthcare – 30%
• Technology – 12%
• Professional Services – 14%
• Retail – 9%
• Financial Institutions – 7%

Targeted Attacks for PI:
• Lost/Stolen Devices: 2008 – 41%; 2014 – 20%; 2015 – 18%
• Hacking and Rogue Employee: 2008 – 31%; 2014 – 40%; 2015 – 41%

© Copyright 2015 This presentation is solely for informational purposes. It is not intended as legal advice. It may not be copied or disseminated in any way without the written permission of a member of ACE Group.

Page 15:

ACE Claims Analysis: Triggers by Industry Segment

[Bar charts: share of claims by trigger within each industry segment. Values as extracted, in the order Hack / Rogue Employee / Lost/Stolen Devices / Human Error / Privacy Policy.]

Trigger                 Healthcare   Retail   Professional Services   Technology
Hack                    7%           46%      19%                     33%
Rogue Employee          24%          14%      12%                     9%
Lost/Stolen Devices     19%          11%      25%                     22%
Human Error             21%          4%       20%                     11%
Privacy Policy          10%          14%      5%                      13%

Page 16:


Changing Triggers and Increasing Forensic Costs

Page 17:

Loss Trends and Development: Class Action Filings

2013/2014/2015 Major Breaches

Organization                 Records/Stores
Target                       110M records / 1,900 stores
Neiman Marcus                1.1M records
Michael's                    2.6M records
Mt. Gox                      774,000 Bitcoins ($409.2M)
eBay                         145M records
P.F. Chang's                 33 stores
Albertson's                  700 stores
Supervalu                    209 stores
Anthem                       80,000,000 customers
Community Health Systems     4.5M records
Premera                      11,000,000 customers
JP Morgan Chase              76M households
Home Depot                   56M records
Adult Friend Finder          3.9M records
Adobe                        152M records
Aaron Brothers               54 stores
CareFirst                    1.1M customers
Sony                         $70M-$100M cyber expenses predicted
Charge Anywhere              5 years of malware

Page 18:

Loss Trends and Development: Balance Sheet Losses from Data Breaches

Anthem Inc.

Hackers breached the computer systems of Anthem, the second largest health insurer in the U.S., and stole the PII of up to 80 million people.

The database containing the PII was not fully encrypted, and the hackers were able to access customers' names, dates of birth, Social Security numbers, addresses, phone numbers and more.

It is reported that the breach will cost beyond $100,000,000 and will exhaust the insurance tower.

Sony

There is evidence that the intrusion had been occurring for more than a year prior to its discovery in November 2014. It is reported that over 100 terabytes of data were taken from Sony, including PII of employees, emails between employees, copies of unreleased films, etc.

The hackers also installed destructive malware that rendered employees' computers inoperable.

It is reported that the damage will range anywhere from $70,000,000 to $100,000,000 and exhaust the insurance tower as well.

Home Depot

The hack may cost between $30,000,000 and $50,000,000 and will lead to up to 3 billion dollars in fake charges.

Point-of-sale malware targeted outdated and unpatched Windows XP systems.

Page 19:

Data Breach Expenses – 1st Party

- Forensics
- Public relations/crisis management services
- Legal services, including but not limited to determining compliance with privacy regulations, drafting notification letters and indemnification rights
- Notification/credit monitoring services
- Call center services
- Fraud consultation services provided through a licensed investigator or credit specialist
- Identity restoration services

Page 20:

Loss Trends and Development: Surveys/Studies

Mandiant 2014
- 33% of victims discovered the breach internally; 67% of victims were notified by an external entity
- 229 days: median number of days that threat groups were present on a victim's network before detection
- 44% of phishing emails were IT related, often attempting to impersonate the targeted company's IT department

Identity Theft Resource Center 2014 Data Breach Category Summary
- Healthcare led all industries with 333 confirmed breaches
- Healthcare was second among industries in records exposed, with over 8M records
- Major healthcare breaches include Premera Blue Cross, Anthem Inc., CareFirst

Page 21:


Market Update

Page 22:


Market Update and Development

Capacity
Capacity for coverage continues to grow both domestically and abroad for middle market risks, but not for large risks
- There are approximately 35-67 unique markets that can provide Cyber capacity, with new entrants each year, but some leaving in the wake of the Home Depot, Target, SONY, etc. breaches
- Markets exist domestically (primary and excess), the UK (primary and excess) and Bermuda (excess only)
- Of the available markets, there continue to be 3-4 Tier I markets capable of writing primary

Coverage
Coverage continues to expand
- Insurers continue to differentiate their offerings with new/enhanced coverage components, specifically focused on Cyber Liability coverage (Goodwill Coupon, Breach Response Services, PCI Coverage, etc.) with renewed focus on network interruption
- Breach mitigation coverages continue to expand to meet clients' needs, including higher limits of coverage and the availability of coverage through a tower
- Despite market conditions, insurers are still willing to provide comprehensive terms & conditions specific to unique exposures faced by individual insureds

Claims & Losses
Stronger data is being gathered as more breaches are reported
- There continue to be numerous breaches reported, with additional reports tracking the costs of the breaches
- Policies are responding, particularly to breach mitigation, allowing better tracking of "claims" payments
- Much more focus on IT security calls and IT systems relating to Point of Sale ("POS") systems

Retentions
Retentions remain stable and varied for middle market accounts, but with some material increases for large accounts
- Retentions of all levels are available in the market, but vary based on industry class, revenue and unique exposures, with recent market pressure to increase retentions, sometimes significantly
- Adjusting retentions can lead to more coverage/sublimit flexibility

Pricing
Pricing continues to trend upwards
- Pricing continues to rise in the wake of significant breaches, particularly in the affected industries; increases of 100% - 400% over expiring are not uncommon
- Renewal premiums continue to increase even for insureds with no change in exposure profile

Page 23:

The Current Cyber Insurance Marketplace

• Market estimated at $1.0B to $1.8B*
• Market penetration varies from 3% for SMEs to 25% for National Accounts*
• 35+ insurance carriers offer cyber
• The 5 largest players (AIG/Beazley/ACE) are generally primary leads on dedicated cyber towered programs
• The other 30 markets also compete on SME, Middle-Market and Excess positions
• Typical limit capacity of $1M to $25M
  - Blocks of capacity built in $10M & $5M layers in addition to quota-share layers
  - Towers layered as high as $350M and higher

*Betterley Report 2014 & Advisen Statistics 2014

Page 24:

Aon Risk Solutions | Professional Risk Solutions | Proprietary & Confidential

Cyber Insurance: Major Exclusions
- Breach of contract (unless liable in absence of a contract)
- Patent/Trade Secret
- Return of Fees or Recall Expense
- Direct Bodily Injury or Property Damage
- False/Deceptive Advertising
- Known network security vulnerabilities
- Unsolicited communication and wrongful collection not excluded
- Breaches or security failures that began prior to retro date
- Intentional acts or fraud by management
- Liquidated damages
- Coupons, discounts, or incentives to Insured's customers
- System upgrades or repairs
- Unencrypted Devices/Information
- Performance Guarantees/Express Warranties
- Cyber War (but cyber terrorism carve back for coverage)

Three of these exclusions turn on facts the insured controls, and the claims data earlier in this deck shows why they matter: "known network security vulnerabilities" (the Home Depot summary attributes that breach to outdated, unpatched Windows XP point-of-sale systems), "unencrypted devices/information" (lost or stolen devices account for 18% of the ACE privacy claims shown above), and "breaches that began prior to the retro date" (Mandiant's median dwell time before detection is 229 days, so an intrusion may well predate the policy's retroactive date).

Page 25:

5 Predictions for 2015…

1. Increase in RAM-scraping malware on PoS systems before the liability shift to EMV chip-and-PIN technology.

2. Increase in attacks on payment systems (NFC, mobile wallets, Apple Pay) and an increase in attacks against banks/virtual currency operators.

3. Internet of Things exposed (networked/connected devices such as smart fridges, smart thermostats, etc.).

4. Phishing threats increase in sophistication (bank accounts, login information needing to be reset, etc.).

5. Mobile devices will become a larger target (apps gathering more data, resulting in more phishing attacks and malware to steal credentials).
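The RAM-scraping prediction above, like the Windows XP point-of-sale malware in the Home Depot summary, refers to malware that reads card data out of the payment application's memory while it is briefly in the clear. The block below is an added example, not code from the Aon/ACE deck: it performs the search such a scraper runs over process memory, and the same search is what a responder runs over a memory dump of the POS process during the forensics step of the breach timeline. The memory image is constructed, the card numbers are industry test PANs, and the function names are this example's own.

```python
"""Triage scan of a POS process-memory image for magnetic-stripe track data.

RAM-scraping point-of-sale malware reads the memory of the payment
application and searches it for card track data, which sits in the clear
for a moment between the swipe and encryption. The same search, run by a
responder over a memory dump of the POS process, is a quick check for
whether card data was exposed. Added example; not code from the deck.
"""
import re

# Track 2 layout (ISO/IEC 7813): start sentinel ';', 13-19 digit PAN,
# separator '=', YYMM expiry, 3-digit service code, discretionary data,
# end sentinel '?'. Scrapers typically search memory with a regex like this.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; cuts false positives from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits when reporting a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_memory(image: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, masked PAN, expiry YYMM) for each Luhn-valid track-2 hit."""
    hits = []
    for m in TRACK2_RE.finditer(image):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue            # track-2 shape, but not a real PAN
        hits.append((m.start(), mask_pan(pan), m.group(2).decode("ascii")))
    return hits


# Constructed memory image (assumption: not a real dump). The PANs are the
# usual industry test numbers, so nothing here is a live card.
SAMPLE_IMAGE = (
    b"\x00\x10POSAPP.EXE\x00heap junk 0123456789012345678\x00"   # digit run, no sentinels
    b";4111111111111111=18121011234567890?\x00\x00"             # Luhn-valid test PAN
    b"log: txn ok\x00;4111111111111112=1812101000000?\x00"      # track-2 shape, fails Luhn
    b";378282246310005=2301101123456?\x00trailer"               # 15-digit Luhn-valid test PAN
)

if __name__ == "__main__":
    for offset, pan, exp in scan_memory(SAMPLE_IMAGE):
        print(f"offset 0x{offset:06x}: PAN {pan} exp {exp}")
```

Two of the three track-2-shaped strings survive the Luhn filter; the bare digit run in the heap is ignored because it has no sentinels. On a real dump the hit offsets tell the responder which process and which region held clear-text track data, which is exactly what the PCI forensics step in the breach timeline has to establish.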

Page 26:

Risk. Reinsurance. Human Resources.

Aon Risk Solutions | Aon Risk Services Central

Additional Questions?