6th Annual Advanced Forum on Cyber & Data Risk Insurance
Thursday, September 27 to Friday, September 28, 2012
New York Marriott Downtown, New York, NY
Day One | Thursday, September 27, 2012

9:30 Main Conference Registration and Coffee Served

10:00 Co-Chairs’ Welcoming Remarks
Darren A. Bowie Chief Privacy Officer and Associate General Counsel American International Group, Inc.
Kirstin Simonson, CPCU, ARM, AU, ASLI Underwriting Director — Global Technology The Travelers Companies, Inc.

10:05 The Current State of the Market: New Exposures, Coverage Options, Claims Trends, Pricing and Selling, and What Policyholders Should Now Be Looking for in a Policy
Oliver Brew Vice President, Specialty Casualty Liberty International Underwriters
Jenny Bradford, J.D. Vice President Financial Products Regions Financial Corporation
Meredith Schnur Senior Vice President, Professional Risk Group Distributed Insurance Brokerage, Wells Fargo Insurance
Moderator: Nick Economidis Underwriter, Specialty Lines Beazley Group

New Exposures & Coverage Options
• How has the market evolved and grown?
• What are the new coverage options and exposures?
• Encryption, removable storage, & other tech solutions
• Effective management in claims process, handling, and notification
• What are the costs associated with breach?
• Change in adapter rates in retail, financial, and healthcare

What Policyholders Are and Should be Looking For in a Cyber Policy
• What liability and first-party coverages are desirable?
• Identifying and understanding pitfalls in coverage
• Reasons companies have or have not bought coverage
• How standards are evolving in response to new technology threats
• Consumer redress: when is it covered and when not?
• Filling in the coverage gap: Understanding the disconnect in what is purchased and what is actually covered

Key Considerations for Cyber Liability Coverage
• Understanding of the products and its varieties in the market
• What is the effect of expanded risk on insurance coverage?
• Whether a cyber liability product should be stand alone or better built as an existing product or as an endorsement

Pricing, Selling and Marketing Cyber Risk Policies
• Pricing of network security and privacy policies
• Examining the competitive marketplace and how various types of coverage are formulated
• Where do brokers see the coverage going and what are the most significant issues that need to be addressed?
• Tailoring the product to accommodate a buyer’s needs: Privacy issues; media exposures; and security breaches
• How various types of coverage are formulated and priced
• Marketing and selling coverage

11:05 The Latest Federal Regulatory Developments and Enforcement Actions and Their Impact on Coverage and Litigation
Alain Sheer Senior Attorney, Division of Privacy and Identity Protection Federal Trade Commission
Austin P. Berglas Assistant Inspector, Inspection Division Federal Bureau of Investigation
Debra Hampson Assistant Vice President and Assistant General Counsel The Hartford — Corporate Privacy Office
Dawn Morgenstern, CHPC Privacy Official and Financial Privacy Officer Walgreens Privacy Office
Darren A. Bowie Chief Privacy Officer and Associate General Counsel American International Group, Inc.
Moderator: Richard Bortnick Member Cozen O’Connor

Changing Regulatory Landscape and Its Implication for Coverage
• Clarifying uncertainty of current regulations
• Analysis of U.S. Government’s Comprehensive National Cyber security Initiatives
• What should carriers and brokers be doing to ensure compliance with new laws and regulations?
• Responding to gov. agency/law enforcement request for data
• Communication between private companies and government
• Cyber crime trends: what the FBI is seeing and strategies to prevent and better understand cyber crime

Emerging Trends in FTC Enforcement and Litigation
• Recent FTC investigations, enforcement actions, and settlements stemming from data privacy breaches
• Under what circumstances will courts award money judgments for financial breaches

Examining the Impact of the SEC Guidance
• Disclosure to shareholders on annual reports
• What happens when publicly traded companies fail to properly disclose a breach?
  – Assessing whether there is a connection to breach and value of stock decreasing
• Adhering to SEC guidance
  – Protecting the company’s brand or presence in the market by reporting the breach in the annual report
  – Assessing the company’s vulnerability to shareholder action
• How does the SEC guidance affect coverage?

12:25 Networking Luncheon for Speakers & Delegates

1:25 The View from the States: Emerging State Regulatory and Enforcement Activities and the Growing Authority of the State AG Offices
Susan E. Voss Commissioner Iowa Insurance Division
Lyman C. Taylor, III Section Chief, Consumer Mediation and Identity Theft Unit Office of the Indiana Attorney General
Travis LeBlanc Special Assistant Attorney General California Department of Justice
Barbara Anthony Office of the Undersecretary, Commonwealth of Massachusetts Office of Consumer Affairs and Business Regulation
Moderator: Scott N. Godes Counsel Dickstein Shapiro LLP

• Recent state Attorney General actions involving notification under state breach notification laws
• Balancing state breach notification requirements with responsibilities arising under other federal and state laws
• Notification guidelines: how soon a company is required to inform customers of a data breach
• Effectively communicating with State Attorneys General and other interested regulators
• Coordinating the timing and content of notification to law enforcement, customers, credit bureaus etc…
• Handling multi-state investigations and enforcement actions when a breach spans multiple states
• How to work with state AGs without sacrificing your position
• Civil or criminal penalties for failure to disclose, or for security/privacy failures discovered as a result of disclosing
• Private right of action: whether this option exists; are plaintiffs succeeding in this area?
• What kinds of breaches, if any, are companies exempt from reporting
• Using cyber risk insurance most effectively to assist with related cost
• Lessons learned from: recent fines for lost/breached patient healthcare records; state action against business associates under HITECH

CLOUD COMPUTING AND ITS IMPACT ON CYBER LIABILITY POLICIES

2:40 A Focus on Third Party Vendors: Due Diligence on Selection and Credentialing Vendors, Implementing Effective Protocols to Access the Cloud, and Minimizing the Effects of Business Interruption When Data Is Lost/Stolen
Joshua M. Ladeau Sr. Underwriter Allied World Assurance Company
Lara Kehoe Hoffman Privacy and Data Security Counsel Autodesk, Inc.
George R. Schalick, Jr. RPLU Assistant Vice President Philadelphia Insurance Companies

• Due diligence on third party vendors and making sure vendors treat your data properly
• Examining security concerns and heightened risk when data is lost, stolen, and/or damaged
• Steps a business can take to secure the process to access the cloud
• Outsourcing data storage to third party vendors
• Drafting key terms in the contract with the third party vendor
• What happens when third party vendor loses data? Who has protection?
• Managing data stored with multiple third party vendors
• Business interruption when the third party vendor loses data
• Localizing risk and examining how your data is collected and stored in centralized locations

3:20 Afternoon Break

3:30 Negotiating and Drafting Specialized Cyber Risk Provisions and Policies to Cover Data Loss Arising from Cloud Computing
Jim Charron, CPCU Practice Leader — Technology Zurich NA
Laura Johnson Vice President Euclid Managers, LLC
Laurie A. Kamaiko Partner Edwards Wildman Palmer LLP
Kirstin Simonson, CPCU, ARM, AU, ASLI Underwriting Director — Global Technology The Travelers Companies, Inc.

• Ins-and-outs of negotiating, drafting and managing claims for this highly specialized coverage
• Identify and address problematic areas and map out coverage issues
• How do you cover risk when data is stored at a third party site?
  – Coverage for risk of lost income, corrupted data and increased expenses
  – Cyber vs traditional property perils
  – The role of an enterprise risk management program in cyber security
• Cyber liability policies with multiple vendors in the cloud industry
  – What/Who is covered in the event of breach?
  – Where does the liability start and stop?
• How does cloud computing affect claims handling?
  – What factors do carriers consider in assessing loss exposures presented by a claim against a provider or a user?
  – Understanding the relationship between the client and the third party vendor
• Indemnification issues and the associated costs
• Determining the risk associated with transmitting or storing data in a foreign location with a third party vendor
  – Impact of potential territorial disputes on what is covered/not covered
  – Privacy regulations
  – Terrorism, social unrest
  – Weather
  – Export regulations
• What is causing the data breach and how do the cyber policies apply?
• Examining specialized cyber liability products to cover data loss
• Minimizing risk on cloud computing by carefully protecting data

4:25 Litigation Round Up: Using Recent Cases and Class Actions to Assess What Breaches & Resulting Claims Are Worth
Ronald Raether Partner Faruki Ireland & Cox PLL
Carl E. Metzger, Esq. Partner Goodwin Procter LLP
Robert Parisi, Jr. Senior Vice President, National Practice Leader Tech/Telecom E&O and Network Risk, Marsh FINPRO
Lori Nugent Co-Chair, Data Security & Privacy Practice Wilson Elser Moskowitz Edelman & Dicker LLP

The Shape of Litigation
• Why am I being sued? Publicity, industry and data type, other factors that lead to lawsuits and government investigations: Bank and credit card cases; Healthcare; Retailers
• Not all claims are alike: Examining Plaintiff’s theories and the laws they rely on
  – ABCs of a claim — UDTPA, CDA, SCA, FCRA and other statutes and common law claims
  – Claims arising from minimum standards clauses in policies
  – Claims relating to service providers, payment processors, and application/point-of-sale system providers
• Class actions vs. Individual claims: how companies may be found liable for a data breach that may trigger class action
• What else do they want? Damages and other relief sought by plaintiffs

Recent Litigation Trends
• No harm, no foul: Determining whether Plaintiff suffered a cognizable injury
  – What kinds of tangible harm are legally compensable?
  – Dismissing cases on speculative damages
  – Plaintiff’s attorneys pleading around damage issue by arguing plaintiffs must worry about reputation, change in credit card numbers, SS#, and are entitled to credit and monitoring services
  – Difficulty of proving causation
• Government instituted actions and the benefits to private litigants
• So why settle? Lessons from the latest litigation and settlements
  – Addressing quantifiable damage and the economic loss doctrine

What Claims Are Really Worth
• The true cost of resolution: settlements, damages & remediation
• Business interference, public relations issues and other factors
• Litigation and consulting costs: how do they factor in and how can they be minimized?
• Lessons learned from future product development and underwriting
• Responding to entities seeking defense and indemnification

5:20 Healthcare Highlights: HIPAA, HHS, HITECH, EMR, OCR Enforcements, Initiatives, and Investigations in the Cyber & Data Risk Insurance Context
John F. Mullen Partner Nelson Levine de Luca & Horst, LLC
Kimberly B. Holmes Assistant VP, Health Care, CSI Deputy Product Manager Chubb Specialty Insurance

EMR, HIPAA
• Impact of HIPAA pushing healthcare entities to EMR
• Problems associated with EMR and lack of electronic security
• Aggregated exposure when patient’s file exposed
• Training healthcare entities to use EMR and implementing proper controls and procedures
• Impact of state attorney generals bringing actions under federal law
• Understanding goals in using EMR

HIPAA, HHS
• Protecting and encrypting health records until 2014
• HHS imposing fines for violating regulation
• Reporting lost information to HIPAA or HHS

HITECH
• How HITECH is expanding its reach to business associates
• Moving data across several parties and exposing PHI to hackers/criminals

OCR
• Enforcing HITECH as part of federal regulatory enforcement
• Bringing action for failing to protect healthcare information

Class Action Claims
• Defense of class action claims
• Countering and minimizing the effects of the Plaintiff’s bar when they track and monitor websites that report data breaches within healthcare facilities
• How do you respond to damage mitigation requests?
• Reporting data breaches to HHS

6:00 Conference Adjourns

Day Two | Friday, September 28, 2012

7:30 Continental Breakfast

8:00 Privacy Liability Exposures and Liability for Overseas Data Breaches: The EU Data Protection Directive, Risk Assessment, and Harmonizing International Regulations With Domestic Standards for Multinational Companies
Lori Bailey Global Head of Professional Liability Zurich General Insurance
Allen Cross Cyber Risk Management Consultant & Producer INSUREtrust
Dan Trueman Underwriting ANV

• Changes in international legislation/regulations and how to comply, and harmonize them with domestic notification standards
• How could a company’s e-business activities harm innocent users?
• Special concerns regarding compliance and liability for companies with overseas breaches
• How to resolve differences when dealing with multinationals
• Rights under international data protection laws
• Analysis of EU Data Protection Directive
  – Member states passing additional requirements and notifying individuals, which triggers a whole host of different requirements
  – Achieving IT standards to comply with the EU Directive

8:55 Reasonable and Prudent Breach Control Measures, Standards and Safeguards: Preventing Breach, Implementing Effective Breach Protocols, and Examining Procedures to Mitigate Damages If a Breach Does Occur
Jake Kouns Director, Cyber Security and Technology Risks Underwriting Markel Corporation
Asim Khan Counsel Samsung Electronics America
Katie Timm Counsel, Corporate Privacy Office The Hartford
Russell Schrader Chief Privacy Officer, Associate General Counsel Global Enterprise Risk, Visa Inc.
Lisa J. Sotto Partner Hunton & Williams LLP

Effective Cyber Risk Assessment and Remediation
• Implementing surveys, protocols, and asking the right questions
• Going through a remediation checklist
• Evaluating and changing the protocol
  – Maintaining the plan and keeping it updated
• Investigating an incident and incident response plans

Mitigating Damages Once a Breach Does Occur
• What procedures should be in place immediately following a breach?
• How your forensics work with law enforcement
• Having specific set of skills examiners and ethical hackers to look at breach, what information was compromised, and whether the recourse is civil or criminal

Corporate Governance
• How the client should be managing risk
• Who is responsible for providing the information or expanding the lines of communication?
• Creating a risk committee to find ways to obtain the right stakeholders
• Ensuring IT talks to compliance and everyone is on the same page
• Understanding the scope, nature, and technical aspect of data breach
• What is the role of the CIO?
9:55 Morning Break

A FOCUS ON ONLINE RISK, EXPOSURE, AND DATA BREACH

10:05 Evaluating Risks as a Result of the Latest Cyber Threats: Social/Interactive Media, and Mobile Workforces
Michael Dockery, CISSP CISA, CISO AVP Information Security Office Cincinnati Insurance Companies
Orrie Dinstein Chief Privacy Leader and Senior Counsel — IT & IP GE Capital
Jon Neiditz Partner Nelson Mullins Riley & Scarborough LLP
Larry Collins Vice President E-Solutions Zurich Services Corporation
Leigh McMullan Vice President — Management and Professional Services Division (MAPS) Crum & Forster Insurance Company

Social Media
• Identifying potential opportunities and pitfalls
• Assessing the risks to employers when employees post comments about employer on social media sites, and the NLRB views on the matter
• Internal “social business” strategies: changes in communications, workflows and cyber-risks
• Addressing the gap in the GL form that excludes interactive media coverage
  – Modifying the GL policy to include coverage for posts on LinkedIn, Twitter, Facebook, Blogs
  – Modifying the E&O coverage
  – Modifying coverage on advertiser’s liability extension, e-media extension
• Dealing with the E&O issue when the client/company sues the agent/broker for coverage they assumed existed but did not exist
  – Areas of fault in policy language, drafting, or broker’s inability to recognize it
• How does interactive media coverage affect risk managers?
• Addressing privacy concerns when employers ask employees for their Facebook password
  – Addressing concerns with social media investigation services
  – Hiring consultants/risk managers to investigate

Mobile Workforce
• Examining the risks and rewards of a “bring your own device” policy in the workplace – how this “consumerization of IT” including the development of “shadow IT” and personal clouds impacts the traditional IT role and increases cyber-risks
• Dealing with off-site employees utilizing remote access points, including their mobile devices or other resources that lack sufficient security controls

11:05 Responding to Stepped up Regulation and Enforcement of Online Tracking, Data Collection, and Issues Related to Digital Identity
Brad Bolin Senior Corporate Counsel Best Buy Legal
Michael T. Spadea Director Promontory Financial Group, LLC
Brian L. Hengesbaugh Partner Baker & McKenzie LLP

Online Tracking and the Regulatory Initiatives
• Addressing statutes that prohibit online tracking
• How the FTC and the Attorney Generals have taken a proactive role in ensuring companies protect the privacy rights of citizens
  – Addressing federal legislation and FTC guidance on privacy rights and how the states are responding
  – Guidance on uniform breach notification requirements
  – Who is responsible after the data is breached?
  – States that require the company to notify the victim who resides in the state of the breach
• The expanding definition of what is “protected information”
• How company self-regulation can help protect the security of consumers at the same time
• What is the FTC guideline on GeoLocation and privacy including mobile devices, tracking, and downloading applications?

Collecting Data
• Assessing the litigation efforts taken against organizations improperly collecting information on customers
• Addressing California zip code cases
• Providing proper notice and the ability to opt out if you collect information from customers
• Determining whether data collection is a violation of a person’s privacy

Online Business Advertising
• Collecting information based on online activity and using it to target advertisement
• Purchasing data from vendors
• Selling information collected by tracking consumers to data aggregators and then using the information to re-sell
• Increasing importance of mobile apps

Digital Identity
• Who will have access to digital identity and what are the legal ramifications?
• Managing online presence with numerous accounts
• What is the responsibility of companies to protect individuals?
  – Assessing whether self-regulation in this industry is starting to show cracks
  – Will the federal government step in once the breaches get bigger and bigger?

11:55 “Hacktivism” by Outside Agents: The Scope of the Problem and How to Prevent and Respond to Incidents and Compromised Records
Tim Stapleton, CIPP/US Global Deputy Head of Professional Liability Zurich General Insurance
Christopher Novak Managing Principal Verizon Business Investigative Response
Toby Merrill Vice President ACE Professional Risk, ACE USA

• Examining the brief history of internet activism and its impact on modern society
• Hacktivism — what is it, and how can it impact an organization?
• Who is targeted — common characteristics of victim organizations
• Identifying the common methods of attack used in hacktivism
• Examining website defacement
• Targeting emails, online banking, prepaid credit cards, online stores, etc. for fraudulent purposes
• What is the financial impact?

12:40 Networking Luncheon for Speakers and Delegates

1:40 How the Broker, Underwriter, and the Client Can Stay on the Same Page and Effectively Communicate and Address Issues, Concerns, and Requirements in the Cyber Liability Policy
Adam Sills Vice President Allied World National Assurance Company
David Molitano Vice President, Content, Technology and Services Division Leader OneBeacon Professional Insurance
Tyler O’Connor Professional Liability Broker CRC Insurance Services, Inc.
Nancy Edwards Vice President and Chief Security Officer State Auto Insurance Companies
Moderator: Richard Betterley President Betterley Risk Consultants, Inc.

Brokers
• Selling coverage with adequate education, training
• Challenge of selling coverage in smaller space relative to other types of coverage
• Demonstrating exposures & requirements for clients and understanding how the product works from risk to risk
• Differentiating between cyber & data risk coverage v. technology coverage

Client
• Ensuring the client understands and appreciates that the system is subject to breach
• How can the client implement a dedicated IT compliance office and employee training to ensure security is effective
• Walking through with the client for a first party privacy event whether it is a data loss, hack of records, process notification, and/or getting involved with service providers
• What does the client do when they first speak to attorney and what will attorney say to the client?

Underwriters
• What exclusions do you foresee and what do we not already have?
• Understanding coverage is a moving target
• Assessing the claims that are coming in now that underwriters are arguing are not covered

2:35 Notification & Crisis Management Services Coverage Under a Cyber Policy
George N. Allport Vice President & Financial Fidelity Product Manager, Chubb Specialty Insurance
Mark Camillo Vice President — Professional Liability Chartis Insurance

Notification and Crisis management expenses are a fundamental coverage within Cyber policies. What any particular Insured may need may depend on the nature of their operations, the types of data they store and the level of services they want to offer to affected individuals. This session will review how modern Cyber policies are addressing current and evolving levels of service, including:
• The pros and cons of covering notification and crisis management expenses based on a per person basis versus a dollar limit
• Evaluating the reasoning behind the insurer’s response to a breach: cover the cost, split the cost from notifying affected parties, or combine costs
• The value versus the cost of providing credit or other “monitoring” services
• Strategies on take-up-rate vs. Improvements.

3:15 Selling and Pricing Cyber Liability Policies for Small Businesses
David Lewison GST — Financial Services Practice Support Leader AmWINS Brokerage Group
Eric Cernak Vice President, Strategic Products Division Hartford Steam Boiler Inspection & Insurance Co.
Kelly Geary Sr. Vice President, Legal Counsel & Head of Claims HCC Specialty
Tracie Grella Global Head of Professional Liability Chartis Insurance

• Examining data breach exposures for small businesses
• Minimizing risk of data breaches for small businesses
• Assessing the appropriate coverage for small business: mono-line coverage vs. endorsements to various commercial lines policies
• How the expenses associated with cost of breach motivate buyers to purchase products

4:00 Conference Ends — Workshop B Begins