RISK CONFERENCE: Beyond Cyber Liability Risk. Edward Chang, Travelers Indemnity Co.

Post on 23-Nov-2020


Page 1: RISK CONFERENCE - Olympus

Beyond Cyber Liability Risk

Edward Chang, Travelers Indemnity Co.

Page 2:

Disclaimer

• This presentation is for general informational purposes only. This presentation does not amend, or otherwise affect, the terms, conditions or coverages of any insurance policy issued by Travelers. This presentation is not a representation that coverage does or does not exist for any particular claim or loss under any insurance policy. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy provisions, and any applicable law.

• This presentation is not intended as legal advice. A company should always seek the advice of a qualified attorney when evaluating legal or statutory considerations.

• This presentation is not intended as insurance advice. A company should always seek the advice of a qualified insurance agent or broker when considering their insurance coverage.

Page 3:

Cyber risk is constantly evolving

Technology, Law, Insurance

Page 4:

Cloud security

96% of businesses use one or more cloud services (__% use public clouds, __% use private clouds, __% use both; figures not captured in the transcript)

Cloud challenge: 77% of respondents consider cloud security to be challenging

Source: RightScale®, "2018 State of the Cloud Report"

Page 5:

Evolution of computing leads to the cloud

• Internet access

• Web & email hosting

• Infrastructure hosting

• Application services

• Cloud services: SaaS, PaaS, IaaS

Page 6:

Types of cloud services

• Software as a Service: Use it
  - Access to user applications
  - E.g., accounting system

• Platform as a Service: Build on it
  - Development environment
  - E.g., machine learning tools

• Infrastructure as a Service: Migrate to it
  - Raw computer resources
  - E.g., storage or processing

Page 7:

Are cloud services secure?

• GREATER focus on security

• AVAILABLE resources and expertise

• FEWER vulnerabilities

• AUDIT requirements

Page 8:

One fish, two fish, old fish, new phish ...

[Screenshot 1: Firefox window "Sign in - Google Accounts" at https://accounts.google.com/signin/oauth/oauthchooseacc... Google account chooser: "Choose an account to continue to MyPerfectScanner"; account "John Doe john.[email protected]"; "Use another account".]

[Screenshot 2: Firefox window "Sign in - Google Accounts" at https://accounts.google.com/signin/oauth/consent?authus... "Hi John [email protected]"; "MyPerfectScanner wants to: Read, send, delete, and manage your email"; "Allow MyPerfectScanner to do this? You may review this app's terms of service and privacy policies. You can remove this or any other app with access to your account in My Account."; buttons CANCEL / ALLOW.]

Page 9:

What is multifactor authentication?

• SOMETHING YOU KNOW: username and password (******)

• SOMETHING YOU HAVE: one-time code (e.g., 962561)

• SOMETHING YOU ARE

Page 10:

Top security issues in the cloud [1]

• Data breach: __% of cloud storage reviewed allowed unrestricted access; __% were unencrypted [2] (figures not captured in the transcript)

• Insecure APIs

• Weak access management: __% of companies have user accounts that are potentially compromised; __% of companies have been victims of cryptojacking [3]

[1] Source: Cloud Security Alliance, "The Treacherous 12: Top Threats to Cloud Computing"
[2] Source: McAfee™, "Two Easy Steps to Prevent AWS S3 Leaks"
[3] Source: RedLock, "Cloud Security Trends," May 2018

Page 11:

Credential stuffing and other cloud vulnerabilities

[Diagram: Company A, "On prem"]

Page 12:

Credential stuffing and other cloud vulnerabilities

[Diagram: Company A, "On prem"; Company B, Cloud-based]

Page 13:

Cloud security

• Develop a cloud strategy
  - Prevent shadow IT
  - Manage 3rd- and 4th-party vendors

• Understand security responsibilities

• Properly configure cloud services
  - Access controls
  - Encryption
  - Logging

• Test and audit cloud security

Page 14:

Vendor supply chain vulnerabilities

• __% of financial institutions do not hold their vendors to the same cyber security standards they use [1] (figure not captured in the transcript)

• __% increase in supply chain attacks [2], which can lead to:
  - Network compromise
  - "Formjacking"
  - Trojanized updates
  - System outages

[1] Source: Accenture, From Insecurity to Resiliency, 2018.
[2] Source: Symantec™, Internet Security Threat Report, 2019.

Page 15:

[News headlines: "City of Bakersfield announces cyber hack in online payment system"; "Security Issues with Online Water Bill Payment System"]

Page 16:

Ransomware update

[Chart: Malware incidents involving ransomware, % of incidents by year, 2012-2017; y-axis 0% to 40%]

• __% increase in ransomware attacks on businesses (figure not captured in the transcript)

• __ in ransom collected by "Boss Spider"

• __% of cyber victims are ... [remainder of slide text not captured]

Page 17: [slide content not recoverable from the transcript]

Page 18:

Do you have the controls you need?

Fundamental controls:
• User education & training
• Patch management
• Multi-factor authentication
• Incident response
• Secure backups

Advanced controls:
• Sandboxing
• Virtualization
• User behavior analytics
• Threat hunting
• Secure, strategic cloud

Page 19:

Privacy-related legal developments

State Laws
• All 50 states now have laws addressing data privacy events (including Alabama and South Dakota)

Federal Law
• SEC joins other federal regulators in privacy enforcement

And ...
• Significant settlements in breach-related securities litigation
• PCI publishes software security standards

Page 20:

The new wave of privacy laws

GDPR
+ Effective as of May 25, 2018
+ $57M fine against Google by French DPA
+ Other active DPAs include UK, Germany, Austria, and Portugal

CCPA
+ Effective as of January 1, 2019
+ Focus on data subject rights: notice, opt-out, data portability, etc.
+ Provides for statutory damages in the event of a breach

Page 21:

FFIEC guidance on cyber insurance

+ Involve multiple stakeholders in the cyber insurance decision

+ Perform proper due diligence to understand available cyber insurance coverage

+ Evaluate cyber insurance in the annual insurance review and budgeting process

"[C]yber insurance may be an effective tool for mitigating financial risk associated with cyber incidents."

[Embedded document:]

Federal Financial Institutions Examination Council
3501 Fairfax Drive • Room B7081a • Arlington, VA 22226-3550 • (703) 516-5588 • FAX (703) 562-6446 • http://www.ffiec.gov

Joint Statement

Cyber Insurance and Its Potential Role in Risk Management Programs

The Federal Financial Institutions Examination Council (FFIEC) members [1] developed this statement to provide awareness of the potential role of cyber insurance in financial institutions' risk management programs. This statement does not contain any new regulatory expectations. Use of cyber insurance may offset financial losses resulting from cyber incidents; however, it is not required by the agencies. Financial institutions should refer to the FFIEC Information Technology (IT) Examination Handbook booklets referenced in this statement for information on regulatory expectations regarding IT risk management.

BACKGROUND

The increasing number and sophistication of cyber incidents affect financial institutions of all sizes, and remediation of cyber incidents can be costly. Traditional insurance policies for general liability or basic business interruption coverage may not fully cover cyber risk exposures without special endorsement or by exclusion not cover them at all. Coverage may also be limited and not cover incidents caused by or tracked to outside vendors. Cyber insurance may offset financial losses from a variety of exposures, such as data breaches resulting in the loss of sensitive customer information.

The cyber insurance marketplace is growing and evolving in response to the increasing cyberattack frequency, severity, and related losses. Many aspects of the cyber insurance marketplace, such as terminology, claims history, legal precedents, and risk modeling continue to evolve and are shaping the nature and scope of cyber insurance.

Cyber insurance coverage options vary greatly and may be offered on a stand-alone basis or as additional coverage endorsed to existing insurance policies, such as general liability, business interruption, errors and omissions, or directors' and officers' policies. Further, cyber coverage options may be structured as first-party or third-party coverage. First-party coverage insures against direct expenses incurred by the insured party and may address costs related to customer notification, event management, business interruption, and cyber extortion. Third-party coverage

[1] The FFIEC comprises the principals of the following: the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee.

Page 1 of 3

Page 22:

Cyber insurance: Helping to manage evolving risks

First party coverages
• Crisis management
• Remediation and notification
• Fraud
  - Computer fraud
  - Funds transfer fraud
  - Social engineering fraud
• Extortion (ransomware)
• Business interruption
  - Contingent BI
  - System failure
  - Reputational harm

Third party coverages
• Network and information security liability
• Content and media liability
• Regulatory liability

Page 23: [slide content not recoverable from the transcript]