Cyber & Data Risk Insurance

9:30 Main Conference Registration and Coffee Served

10:00 Co-Chairs’ Welcoming Remarks

Darren Bowie
Chief Privacy Officer and Assistant General Counsel AIG

Kirstin Simonson, CPCU, ARM, AU, ASLI
Underwriting Director - Global Technology
The Travelers Companies, Inc.

10:05 State of the Market: New Exposures, Coverage Options and Trends that Are Changing the Scope of Cyber Liability

Edward McGuire
Senior Vice President, Sales & Marketing
S.H. Smith & Co.

Steven H. Haase
CPCU ARM
INSUREtrust

Malcolm Randles
Underwriter, Enterprise Risks 510
R J Kiln & Co Limited

Jenny B. Bradford, J.D.
Vice President
Financial Products, Risk Management Liability
Regions Insurance

Scott N. Godes
Counsel
Dickstein Shapiro LLP

• Market overview and legal developments
  • Updates on new exposures, coverage decisions and new products to ensure coverage
  • Addressing the lack of uniformity among policies
  • Cyber risk insurance overlap with other insurance policies
  • How big is the market and how much has it grown over the past few years?
  • New clients and non-technology companies purchasing coverage: who they are and what they are looking for
• A closer look at security & privacy challenges facing small businesses
  • What considerations have been given to products that may attract small to mid-market companies?
  • How carriers are capitalizing on this
• State of the reinsurance market for cyber-risk insurance
• Clarification of comprehensive contracts and identifying key provisions

11:05 The Latest Federal Regulatory Developments and Enforcement Actions and Their Impact on Coverage and Litigation

Austin P. Berglas
Special Operations/Cyber Division
Federal Bureau of Investigation

Leonard L. Gordon
Director, Northeast Regional Office
Federal Trade Commission

Kris EasterAssistant
Director
OCIE’s Office of Chief Counsel
Securities Exchange Commission

Larry Clinton
President and CEO
Internet Security Alliance (ISA)

Darren Bowie
Chief Privacy Officer and Assistant General Counsel
AIG
(fomer legal advisor to FTC Chairman Timothy J. Muris)

DAY ONE – MONDAY, SEPTEMBER 26, 2011

9:30 Main Conference Registration and Coffee Served

10:00 Co-Chairs’ Welcoming Remarks

Darren Bowie
Chief Privacy Officer and Assistant General Counsel AIG

Kirstin Simonson, CPCU, ARM, AU, ASLI
Underwriting Director - Global Technology
The Travelers Companies, Inc.

10:05 State of the Market: New Exposures, Coverage Options and Trends that Are Changing the Scope of Cyber Liability

Edward McGuire
Senior Vice President, Sales & Marketing
S.H. Smith & Co.

Steven H. Haase
CPCU ARM
INSUREtrust

Malcolm Randles
Underwriter, Enterprise Risks 510
R J Kiln & Co Limited

Jenny B. Bradford, J.D.
Vice President
Financial Products, Risk Management Liability
Regions Insurance

Scott N. Godes
Counsel
Dickstein Shapiro LLP

• Market overview and legal developments
  • Updates on new exposures, coverage decisions and new products to ensure coverage
  • Addressing the lack of uniformity among policies
  • Cyber risk insurance overlap with other insurance policies
  • How big is the market and how much has it grown over the past few years?
  • New clients and non-technology companies purchasing coverage: who they are and what they are looking for
• A closer look at security & privacy challenges facing small businesses
  • What considerations have been given to products that may attract small to mid-market companies?
  • How carriers are capitalizing on this
• State of the reinsurance market for cyber-risk insurance
• Clarification of comprehensive contracts and identifying key provisions

11:05 The Latest Federal Regulatory Developments and Enforcement Actions and Their Impact on Coverage and Litigation

Austin P. Berglas
Special Operations/Cyber Division
Federal Bureau of Investigation

Leonard L. Gordon
Director, Northeast Regional Office
Federal Trade Commission

Kris EasterAssistant
Director
OCIE’s Office of Chief Counsel
Securities Exchange Commission

Larry Clinton
President and CEO
Internet Security Alliance (ISA

Darren Bowie
Chief Privacy Officer and Assistant General Counsel
AIG
(fomer legal advisor to FTC Chairman Timothy J. Muris)

MODERATOR:
Lori Nugent
Co-Chair, Data Security & Privacy Practice
Wilson Elser Moskowitz Edelman & Dicker LLP

Changing Regulatory Landscape: Implications for Coverage?

• Clarifying uncertainty of current regulations: looking at the changes and new policies
• Analysis of the U.S Government’s Cybersecurity Initiatives
• What should carriers and brokers be doing to ensure compliance with new laws and regulations?
• Responding to gov. agency or law enforcement requests for data
• Setting up communication between private companies and the federal government
• Cyber crime trends: what the FBI is seeing and strategies to prevent and better understand cyber crime
• State by state issues- will Federal uniformity take over?

Emerging Trends in FTC Enforcement and Litigation

• Recent FTC investigations, enforcement actions, and settlements stemming from data privacy breaches
• Under what circumstances will courts award money judgments for financial breaches?

Updates and Impact of Other Federal Regulations

• Scope of the Red Flag Rules: Who must comply?
• Federal Privacy Act: new legislation in the works for preventing online tracking
• Combating Online Infringement and Counterfeits Act (COICA)

How Do Regulations and Regulatory Action Impact Litigation

• Regulatory investigation or fines
• Documents/communications to regulators/law enforcement
• Standards and Benchmarking
• Willful/intentional violations
• Enhanced damages

12:15 The Current State of PCI, HIPAA and HITECH Compliance and How It’s Impacting Cyber Liability Coverage and Claims

Brad Bolin
Senior Corporate Counsel
Best Buy, Inc.

Russell Schrader
Chief Privacy Officer & Associate General Counsel Global Enterprise Risk
VISA, Inc

Theodore J. Kobus III, Esq
Chair, Privacy & Data Security Practice Group
Marshall, Dennehey, Warner, Coleman & Goggin

Lisa J. Sotto
Head, Privacy and Information Management Practice
Hunton & Williams LL

Required PCI Compliance Standards

• Making PCI compliance a priority of your business
• Working with cumbersome encryption standards of different states
• PCI breach prevention
• Adequately informing and educating employees at all levels about compliance, and the consequences of non-compliance
• International concerns and outlook for PCI compliance
• PCI Compliance in the cloud

HIPAA, the HITECH Act and Privacy Compliance: Not Just for the Healthcare Industry Anymore

• What entities are most affected by the broadened reach of HIPAA and the HITECH Act?
• How new and proposed amendments to the HITECH Act and HIPAA will impact companies in various industries
• Methods for the handling of Protected Health Information (PHI)
• Managing a HITECH Act data breach
• Practical steps for compliance with the HITECH Act

1:10 Networking Luncheon for Speakers and Delegates

2:05 Complying with State Public Notification Requirements and Deadlines: Making Sense of Conflicting Priorities in the Event of a Breach

Lyman C. Taylor, III
Section Chief, Consumer Mediation & Identity Theft
Office of the Indiana Attorney General

Shannon Choy-Seymour
Assistant Attorney General
Consumer Protection Division
Office of the Massachusetts Attorney General

Christine Nielson
Assistant Attorney General
Consumer Fraud Protection Office of the Illinois Attorney General

MODERATOR:
Betty Shepherd
Assistant Vice President
Professional & Cyber Liability
RLI Insurance Company

New and Pending State Notification Laws and the Impact on Cyber Risk Insurance

Balancing state breach notification requirements with responsibilities arising under other federal and state laws

Notification guidelines: how soon is a company required to inform customers of a data breach? What should and should not be included in the consumer notification, what methods of notification are sufficient, and when should state Attorneys General be notified

Civil or criminal penalties for failure to disclose, failure to timely disclose, or for security/privacy failures discovered as a result of disclosing

Private right of action: whether this option exists; are plaintiffs succeeding in this arena?

What kinds of breaches, if any, companies are exempt from reporting

Using cyber risk insurance most effectively to assist with related costs

Analyzing the Massachusetts Data Security Law

• Determining the impact of these regulations (201 CMR 17.00)
• Who is subject to the Massachusetts regulations and how best to comply?
• Has this become the national standard? Is encryption still addressable or has it become mandatory?
• The interplay with other states security regulations and notification obligations

Emerging State Enforcement Activities and Investigations and the Growing Authority of the State Attorneys General

• Recent state Attorney General actions involving notification under state breach notification laws
• Effectively Communicating with State Attorneys General and other interested regulators
• Coordinating the timing and content of notification to law enforcement, customers, credit bureaus etc…
• Handling multi-state investigations and enforcement actions when a breach spans multiple states
• Attorney General trends in remediation including credit monitoring even when not statutorily required
• How to work with state AGs without sacrificing your position

3:10 Pricing, Selling and Marketing Cyber Risk Policies in Today’s Environment

Meredith Schnur
Vice President, Professional Risk Group
Wells Fargo Insurance Services

Jason Bucher
Senior Underwriter - Professional Liability
Admiral Insurance Company / Austin Branch

Scott Kannry
Vice President
AON

Chris Cotterell
Partner
Safeonline Ltd

Ted Doolittle
Senior Vice President
Risk Placement Services - Executive Lines

David Perkins
Executive Vice President
S.H. Smith & Company, Inc.

MODERATOR:
Charles J. Caruso, CIC, CPIA
Senior Vice President
Jamison Risk Services

• Pricing of network security and privacy policies and the competitive marketplace and how various types of coverage are formulated
• Where do brokers see the coverage going and what are the most significant issues that need to be addressed?
• Dangers of not having a cyber risk policy
• Successful incident response plans in the event of a breach
• Why is it important for carriers to have experience handling these types of claims?
• Tailoring the product to accommodate a buyer’s needs
  • privacy issues
  • media exposures
  • security breaches
• How various types of coverage are formulated and priced
• Marketing and selling coverage

4:20 Afternoon Refreshment Break

4:25 The Current State of Cyber and Data Security Coverage: What Policy Holders Are and Should Be Looking for in Coverage

Nick Economidis
Underwriter, Specialty Lines
Beazley Group

Emily Freeman
Executive Director, Technology and Global Privacy Risks, Professions
Lockton Companies, LLP, London

David Lewison
Financial Services Practice Support Leader
AmWINS Brokerage Group

Charles P. Bellingrath
 Senior Broker
 S. H. Smith & Company Inc

MODERATOR:
Richard Betterley
President
Betterley Risk Consultants, Inc

• The kinds of coverage companies are buying
• Identifying and understanding pitfalls in coverage
• Coverage considerations: What liability and first-party coverages are desirable?
• Reasons companies have or have not bought coverage
• How coverages are evolving in response to new technology threats
• Filling in the coverage gap: Understanding the disconnect in what is purchased and what is actually covered
• Coverage for intentional violations and non-electronic loss
• Policy Triggers: Is there coverage when a breach is discovered through routine checks?

5:25 Key Considerations to Limit Liability When Dealing with Third-Party Vendors & Suppliers

William H. Henley, Jr.
Senior Vice President, Regulation
BITS

Jake Kouns
Director, Cyber Security and Technology Risks Underwriting
MARKEL

• Key considerations for vendor selection
• Essential elements of the business contract or insurance policy when transferring the risk from the first party to the third party
  • what controls and policies do service providers have in place to detect an incident?
• After the ink dries- vendor management and monitoring after the contract has been signed
• How to respond when a vendor/supplier experiences a breach of your data
• What processes exist to allow for the quick remediation of a security breach?
• Determining damages in the event of a vendor security breach
  • looking at when data is lost or when a hacker comes through a 3rd party source - who is responsible and who’s policy kicks in
  • making sure these 3rd parties are covering their risks

6:05 Conference Adjourns

DAY TWO – TUESDAY, SEPTEMBER 27, 2011

7:30 Continental Breakfast

8:00 Assessing the Impact of Recent Litigation over Privacy/Security Breaches: Current Theories of Liability and Claims

Antonio Trotta
Claims Consulting Director
CNA Insurance

Anthony Greene - CRM, CIC
Director
Herbert L. Jamison & Co. LLC

Robert Parisi, Jr.
Senior Vice President
National Practice Leader for Tech/Telecom E&O and Network Risk
Marsh FINPRO

Carl E. Metzger, Esq.
Partner
Goodwin Procter LLP

• What are the most common causes of action, and which ones have been successful?
• What are the best theories for the defense, and how effective have they been?
• Who has standing to bring a cause of action?
• How do defendants keep up with the changing laws between state borders?
• What litigation has come from minimum standards clauses in insurance policies?
• Lessons from the latest litigation and settlements resulting from a breach:
  • impact of Pineda v. Williams-Sonoma Stores, Inc: California Zip Code Collection case
  • addressing quantifiable damages and the economic loss doctrine
• Potential increase in lawsuits by merchants against service providers, payment processors, and application/point-of-sale system providers
• What litigation trends in this arena are on the horizon?

9:00 Assessing and Responding to a Data Breach: From Start to Finish

Mark Camillo
Vice President-Professional Liability
Chartis Insurance

Oliver Brew
VP, Technology, Media, Telecom Underwriting
Hiscox USA

John F Mullen Sr.
Chair Complex Litigation Department
Nelson Levine de Luca and Horst

Crafting, Implementing and Testing an Incident Response Plan: Before a Breach Occurs

• Anticipating and handling the varying state and federal notification
• Industry specific obligations
• How to respond to a breach event (and how to define an event… breach or not) appropriately and cost efficiently
• Putting together an effective breach response plan

Closer Look at the Process of Effectively Filing Claims

• What procedures should be and must be place in the event of a breach?
• Breach response relationships to leverage
• Keeping relevant parties informed
• Analysis of actual claims (breaches and litigation)
• Number of claims submitted, industries most impacted, industries most exposed and claim values

Gauging the True Cost of Resolution: Breach Response Costs, Settlements, Damages & Remediation for Breaches

• Addressing the main areas of concern for insurers with respect to costs
• Assessment of recent 1st and 3rd party losses
• Responding to entities seeking defense and indemnification from insurers
• Litigation and consulting costs: how do they factor in and how can they be minimized?
• Lessons learned for future product development and underwriting
• What claims are being paid by insurance companies - at what pace and what rate?

9:50 Morning Coffee Break

John Merchant
Assistant Vice President
The Hartford

Gary Everekyan
Vice President, Information Security
Experian

Christopher Pierson
Senior Vice President, Chief Privacy Officer
Citizens Financial Group, Inc.

Jon A. Neiditz
Partner & Information Management Practice Leader
Nelson Mullins Riley & Scarborough LLP

Steven C. Bennett
Partner
Jones Day

Threats Posed to Your Employees, Including Mobile Workforces

• Protecting against breaches when dealing with off-site workers utilizing remote access points
• Educating employees on the consequences of misplaced or stolen laptop, camera, Blackberry, iPhone, and USB drive
• GeoLocation and GeoTracking updates
• Protecting against illegal downloads to company servers
• Mobile Devices

Data Theft and Malicious Attackers

• Learning from the past – pinpointing the causes of the most recent and high profile data breaches
• Defending against hackers and malicious employees
• Keeping employees and customers aware of the latest schemes and tactics used to gain access to sensitive data, including spyware, phishing and pharming
• Criminal enterprise and cyber-espionage threats
• Advanced Persistent Threats (APT)
• Defending against “zombies” and “bots”

Cloud Computing

- Actions -

- Share -