New A.M. Best Cyber Questionnaire PAMIC Western Conference October 2015

Upload: cornelius-lyons

Post on 21-Jan-2016


Agenda


Questions

The A.M. Best Cyber Risk Questions

Cybersecurity Framework

Guiding Principles for Boards


Cyber Security vs Information Security

Cyber Security is the use of various technologies and processes to protect networks, computers, programs and data from attack, damage or unauthorized access.

Information Security is protecting information from unauthorized access, use, disruption, modification or destruction regardless of how the information is stored – electronic or physical.


Content of the Questionnaire


Cyber Risks

Coverage offered

Privacy (HIPAA) violations

Credit monitoring costs

Cloud technologies and exposures

General liability exposures

Coverage Obtained

Business interruption exposures

D & O risks

Reconstruction costs

Reputation risks


Information from A.M. Best Presentation*

A.M. Best Survey Results Show

Only 3% of companies surveyed have written over 1000 cyber risk policies

Companies with larger surplus positions have experienced more cyber attacks, but size does not eliminate risk

72% of companies report responsibility for cyber-security rests with IT Department

Most significant challenges reported by management are lack of data and consequent oriented analytics

*A.M. Best Insurance Industry Update, IASA NY/NJ Chapter, Robert Raber, Senior Financial Analyst, A.M. Best Company, May 18, 2015


Information from A.M. Best Presentation*, Continued

A.M. Best added specific questions to the Supplemental Rating Questionnaire and analysts are including cyber coverage in rating meeting discussions

A.M. Best Special Report “Cyber Security Presents Challenging Landscape for Insurers and Insureds”, December 5, 2014


Cyber Questions

Has your company been a target of a data breach/cyber-attack?

Where does the responsibility lie in your organization to manage cyber related risks?

What controls do you have in place?

Do you offer coverage as a separate policy or bundled?

What are your premium and loss expectations?

What are your costs for Crisis Services (forensics, notification)?

What is your legal defense cost?


Other Questions Asked

What controls (internal and external) do you have in place to manage a data breach / cyber attack (policies and procedures)?

How often do you conduct penetration testing?

How often do the company’s cyber security professionals receive training?

During the past five years, how much have you invested in upgrading systems (hardware and software)?

How much of such investment was specifically dedicated to preventive measures on cyber attacks and data breaches?

How much are you planning to invest during the next two years?

If you use TPAs, cloud, shared devices (storage or otherwise) how are you managing your risks?

Briefly describe your efforts to ensure up to date “best practices” and latest preventative methods are used.


Framework for Improving Critical Infrastructure Cybersecurity

Identify

Protect

Detect

Respond

Recover

National Institute of Standards and Technology (NIST) Framework


Five Principles – Boards seeking to enhance oversight of cyber risks

I. Cybersecurity is an Enterprise Risk Management issue: Not just an Information Technology issue

II. Boards should understand the legal implications of cyber risks

III. Boards should access cybersecurity expertise and discuss regularly – standing agenda item

IV. Board should set expectation that management establish an ERM framework with adequate staffing & budget

V. Board & Management discussion of cyber risk strategies - avoidance, acceptance, mitigation or transfer – with specific plans

National Association of Corporate Directors + AIG + Internet Security Alliance, Five Guiding Principles


Contact Information

Lisa Cosentino, CPA, CIA, CFE, FLMI

Managing Director

Cell 215.300.7361

Office 267.670.7320
