Technology Media Communications Industry Session

Page 1

Recording of this session via any media type is strictly prohibited.

Technology Media Communications Industry Session

Introductions for Networking

Discussion: Deciphering the E&O/Cyber Policy

Download slides and handouts at www.rims.org/RIMS14 Or use the RIMS 2014 App (Session # IND021)

Page 2

What to Expect Today

1. Networking & Optional Exchange of Contact Information
2. Trends & Implications
3. Group Challenge
4. Cyber Coverage Terms
5. Where is the E&O/Cyber Policy today
6. Proactive Measures to Manage Risk
7. RIMS 2015 – Topics for next Tech/Media/Comm Session

Takeaways:

• Glossary of E&O/Cyber coverage terms
• Sample Provision Wording

Page 3

Introductions for Networking – Speakers

• Tim Burke – Marsh FINPRO, West Zone Practice Leader - Commercial Errors & Omissions
• Holly Daley – Willis San Francisco, Tech Media Telecom Practice. Former Risk Manager: Hitachi Data Systems, PG&E, Park Lane Hotels
• Lora Figgat – NetApp, Risk Manager, Sunnyvale. Former Risk Manager: Symantec Corporation
• Bert Wells – Partner, Covington & Burling LLP, New York. Policyholder-Side Attorney – Insurance Recovery – Transactional Matters – Policy Enhancements

Page 4

Introductions for Networking – Participants

Your Name / Company / Location

Download slides and handouts at www.rims.org/RIMS14 Or use the RIMS 2014 App (Session # IND021)

Page 5

Macro Trends

• High profile data breaches
• Increasing centrality of privacy & IT security
• Regulatory scrutiny & evolving legal landscape
• Supply chain risk

Page 6

The Compliance Scramble

Mismatch Implications

• Vendor scrutiny
• Contractual risk transfer
• Indemnification
• Insurance requirements

Page 7

E&O/Cyber: Additional Insured Status

a. You as Customer perspective
  • Why you require AI status from your customers/partners
  • When your customer/partner will not meet your requirement

b. You as Vendor perspective
  • Why your customer requires AI status of you as their vendor/partner
  • As a vendor, should you provide AI status to customers/partners

c. Additional insured endorsements

Page 8

Where Is the E&O/Cyber Policy Today?

• Standardization - ISO, markets
• E&O blend vs. stand-alone
• Prior acts - average discovery lag 253 days
• Menu of coverage pieces available:
  • typically offered
  • by special request

Page 9

Deciphering the E&O/Cyber Policy

• Network Security & Multimedia Liability
• Cyber Security Liability
• Computer Security Insurance
• Network & Information Liability
• Commerce or Internet Security Insurance
• Privacy & Network Security Liability
• Intellectual Property Insurance
• Internet Security Liability
• Privacy and Security Insurance
• Cyber & Crime Liability
• Data Insurance

Page 10

Cyber Insurance Overview

Common Insuring Agreements

| Category | Insuring Agreement | ISO | Description |
|---|---|---|---|
| Third Party Liability | Network Security Liability | Security Breach Liability | Network security failure |
| Third Party Liability | Privacy Liability | Programming Errors and Omissions Liability | Failure to safeguard confidential information |
| Third Party Liability | Media Liability | Website Publishing Liability or Media Liability | Advertising & Personal Injury |
| First Party Privacy Expenses | Breach Response Costs | Security Breach Expense | First party expenses to manage data breach |
| First Party Privacy Expenses | Privacy Regulatory Actions | Not available | Defense costs, fines & penalties |
| First Party Network Interruption | Business Interruption | Not available | Loss of net income from network down time |
| First Party Network Interruption | Dependent Business Interruption | Not available | Vendor downtime |
| First Party Network Interruption | Data Restoration | Replacement or Restoration of Electronic Data | Costs to replace damaged information assets |

Page 11

Deciphering the E&O/Cyber Policy – Glossary

Glossary of cyber insurance terms

Page 12

Role Play: What will you do differently next time?

Let’s open dialogue within the group this morning.

Chime Your CEO just sent you an email …

To open: Please turn your chairs into groups of 8-10.

Page 13

Role Play: What will you do differently next time?

Congratulations on your brand new job in the Risk Management Department of

ARROW STORES

Following a highly-publicized data breach resulting in a 40% sales decline – and attributable to a vendor’s security lapse – your CEO asks your Risk Management team to get the company back on track. Here is your new email:

Please join me for lunch today in my office at high noon. I would like to hear from your team:

• Hindsight – Two steps or protocols Arrow could have implemented to avoid this mess.
• Lessons Learned – Two steps or protocols you propose we start developing this afternoon.

PERRY N. ARROW
CEO
ARROW STORES, INC.

Page 14

Risk Management – Best Practices

• Create tools to manage contract requirements
  • Provision Templates
  • Playbook
  • Escalate to RM as advised (per SOW, regions, fallback/fallforward)

• Distribute to stakeholders
  • Post on RM site
  • Training and partnering: Legal, Procurement, Sales, Finance

• Develop response protocols
  • Incident reporting directions (coverage assessment)
  • Breach response plan: spokesperson, notification process, legal team identified
  • Breach tabletop exercise

Page 15

Playbook – Prepared Responses to Your Customers’ Requirements & Requests (Hypothetical Example Below)

| Request | Your Policy Coverage | Limit | Risk Tolerance |
|---|---|---|---|
| Carve out to limitation of liability for data security to allow for unlimited liability | Security & Privacy liability | $20M | Subject to approval, up to $20M |

Page 16

Sample Contract Provision for Cyber Insurance

Vendor shall procure and maintain the following insurance:

Errors and Omissions Liability Insurance to cover loss arising from errors and omissions in the performance of all Services hereunder, including loss arising from destruction of data, in an amount of at least [$_______] per occurrence.

Cyber-Risk, Network Security, or other coverage (regardless of name) to cover the first-party losses and liability of Customer arising from breaches of security of data or computer networks of Vendor or Customer due to Vendor’s acts, errors and omissions, including such losses arising from [specific events or causes]; in an amount of at least [$_______] per occurrence.

[Other types and amounts of coverage as may be required.]

Each such liability policy shall name Customer as an Additional Insured for such liability of the Customer, and each such first-party policy shall name Customer as a Loss Payee. Such insurance shall be worldwide; primary and non-contributing with respect to any insurance or self-insurance of Customer, subject to the reasonable advance approval of Customer and issued by insurers having ratings reasonably satisfactory to Customer.

Page 17

Actionable Points & Issues

To share with your brokers, insurers, legal teams:

• Review coverage wordings
• Bring key IT personnel to underwriting meetings
• Discuss the reality of claims process

Page 18

Wrap Up and Q&A

• Q&A

Page 19

Our Next Session: RIMS 2015 in New Orleans

Brainstorm

Topic ideas for our next Tech Media Communications Industry Session

Thank you