Page 1
Managing Your Cyber/E&O Risk with Willis FINEX

Robert Barberi, Vice President, Willis Cyber Practice

Page 2

Quantifying The Loss: Analytics

OLD: TOTAL COST = (# PEOPLE) X $363

NEW: ANALYTICS & LOSS MODELING

Page 3

Quantifying The Loss: Estimated Breach Costs

Willis Estimated Data Breach Costs (based on number of affected individuals compromised)

| Healthcare records | 1,000 | 10,000 | 100,000 | 500,000 | 1,000,000 | 5,000,000 | 10,000,000 | 100,000,000 |
|---|---|---|---|---|---|---|---|---|
| BREACH EXPENSES | | | | | | | | |
| Breach Expenses (Forensics/Crisis) | $50,000 | $160,000 | $300,000 | $580,000 | $1,070,000 | $2,100,000 | $2,750,000 | $3,800,000 |
| Forensics Investigation | $30,000 | $100,000 | $200,000 | $400,000 | $750,000 | $1,500,000 | $1,750,000 | $2,000,000 |
| Data Breach Coach | $10,000 | $40,000 | $60,000 | $100,000 | $120,000 | $200,000 | $200,000 | $300,000 |
| Public Relations | $10,000 | $20,000 | $40,000 | $80,000 | $200,000 | $400,000 | $800,000 | $1,500,000 |
| Breach Expenses (Notice/Credit Monitoring) | $8,500 | $85,000 | $800,000 | $3,625,000 | $4,800,000 | $21,175,000 | $37,500,000 | $287,500,000 |
| Customer Notification | $2,000 | $15,000 | $150,000 | $625,000 | $1,000,000 | $5,000,000 | $9,000,000 | $50,000,000 |
| Call Center | $1,000 | $15,000 | $100,000 | $500,000 | $800,000 | $3,500,000 | $5,000,000 | $20,000,000 |
| Credit Monitoring | $4,500 | $45,000 | $450,000 | $2,250,000 | $2,500,000 | $11,875,000 | $22,500,000 | $212,500,000 |
| Identity Fraud Remediation | $1,000 | $10,000 | $100,000 | $250,000 | $500,000 | $800,000 | $1,000,000 | $5,000,000 |
| Breach Expense Total | $58,500 | $245,000 | $1,100,000 | $4,205,000 | $5,870,000 | $23,275,000 | $40,250,000 | $291,300,000 |
| Breach Expense Cost per record | $58.50 | $24.50 | $11.00 | $8.41 | $5.87 | $4.66 | $4.03 | $2.91 |
| PRIVACY LIABILITY | | | | | | | | |
| Regulatory Defense/Fines | $150,000 | $500,000 | $1,250,000 | $2,000,000 | $3,000,000 | $7,500,000 | $15,000,000 | $40,000,000 |
| State Regulatory (AG) | $0 | $0 | $250,000 | $500,000 | $1,000,000 | $2,500,000 | $5,000,000 | $25,000,000 |
| Federal Regulatory (HHS) | $150,000 | $500,000 | $1,000,000 | $1,500,000 | $2,000,000 | $5,000,000 | $10,000,000 | $15,000,000 |
| Civil Liability | $25,000 | $100,000 | $500,000 | $2,000,000 | $2,500,000 | $10,000,000 | $20,000,000 | $75,000,000 |
| Legal Defense/Damages | $25,000 | $100,000 | $500,000 | $2,000,000 | $2,500,000 | $10,000,000 | $20,000,000 | $75,000,000 |
| Card Reissuance Liability | $0 | $0 | $0 | $0 | $0 | $0 | $0 | $0 |
| Privacy Liability Total | $175,000 | $600,000 | $1,750,000 | $4,000,000 | $5,500,000 | $17,500,000 | $35,000,000 | $115,000,000 |
| Total Data Breach Cost | $233,500 | $845,000 | $2,850,000 | $8,205,000 | $11,370,000 | $40,775,000 | $75,250,000 | $406,300,000 |
| Per Record Cost | $233.50 | $84.50 | $28.50 | $16.41 | $11.37 | $8.16 | $7.53 | $4.06 |

Assumptions:

Credit Monitoring: $15 per individual (5-15% take-up rate)

Identity Fraud Remediation: $100-$500 per affected individual (less than 1% typically require fraud remediation)

Note: Healthcare Regulatory Fines can be significant ($1M) in small breaches (<1,000), which can drastically impact the calculations.

Version 5.5

Page 4

Page 5

Program Considerations

A range of limit, retention and privacy breach response cost sub-limit options are available.

All options have certain trade-offs, which must be identified and weighed:

· Third Party only
· First and Third Party
· Costs coverage options: Full limits; Per Person Coverage; Notification coverage inside or outside the Policy
· Aggregate Limit
· Quota Share

When considering the types of coverage that are appropriate, the organization should consider the following:

Internet & Network Business Interruption. What is the impact of an interruption on the organization's network or website service? What percentage of sales/customer offerings are being offered online or are network dependent?

Loss of Data through an IT Security Event or Theft. What is the value of your data or programs? What would the expense of recovering your data cost your operations? What customer lists, customer preference information, supplier information, pricing information and other vital competitive information may be at risk for theft by a thief or hacker?

Liability for loss or disclosure of confidential information. What confidential information does the organization hold, and what is the potential loss if a class action were to be commenced? What would be the cost of notifying and providing credit monitoring for those customers? What are the costs of defending an investigation by regulators, and how much might fines be if they are imposed?

Liability for loss as a result of the acts of a third party. What activities are third-party vendors doing on your behalf? What important commercial or confidential data do they hold, and what would be the loss or liability if it were to be corrupted or released?

Media Exposure. What is your exposure to potential trademark infringement from domain names, slogans or advertising messages, product names, etc.; copyright violations for content on websites, brochures or elsewhere; accusations of false advertising and unfair competition; infringement of trade secrets?

Page 6

Program Considerations

Coverage Enhancements:

Privacy Expense:
· Outside of liability limits options
· New express coverage (e.g., ID Theft Restoration Response)
· Large (Full+) Limits
· Coverage for breaches in the cloud

Regulatory and/or PCI Fines/Penalties:
· Larger limits available

Excess "Drop Down" Limits:
· Excess carriers can drop down over all underlying sublimits

1st Party Coverage:
· Administrative Error Triggers
· Lower BI Waiting Periods
· Cloud Failure Coverage

Examples of Coverage Issues:
· Breaches or Disruptions in the Cloud
· Acts of Rogue Employees
· Encryption Exclusions
· Credit Monitoring Coverage
· Terrorism
· Limited 1st Party Coverage

Page 7

Contact Information

ROBERT O. BARBERI, JR., Vice President

WILLIS

617.351.7490

[email protected]

COLIN ZICK, Partner and Chair, Privacy & Data Security Practice

FOLEY HOAG LLP

[email protected]

617.832.1275

FRED HOWELL, MBA, MSISM, CISSP, Manager of Security and Privacy Consulting Services

RSM LLP

[email protected]

617.241.1520

STEVE SCHOENBERGER, Vice President

WILLIS

617.351.7550

[email protected]