American Conference Institute’s 7th National Advanced Forum on

Cyber & Data Risk Insurance

Coverage, Underwriting and Claims Strategies for Managing Privacy/Security, Data and Network Risk and Liability

Monday, September 30 to Tuesday, October 01, 2013
The Carlton Hotel on Madison Avenue, New York, NY

Day One | Monday, September 30, 2013

7:30 Pre-Conference Fundamentals Workshop

9:00 Main Conference Registration & Continental Breakfast

9:30 Co-Chairs’ Welcoming Remarks


Kirstin Simonson, CPCU, ARM, AU, ASLI
2VP, Underwriting - Global Technology
The Travelers Companies, Inc.

Richard Bortnick
Attorney
Law Offices of Richard Bortnick

9:35 State of the Market: New Exposures, Coverage Options, Claim Trends and Risk Evaluation, Pricing and Selling, and What Policyholders Should Now Be Looking for in a Policy

Graeme Newman
Marketing Director
CFC Underwriting

Adam Sills
Vice President
Allied World National Assurance Company

Scott N. Godes
Counsel
Dickstein Shapiro LLP

Erica Davis
Vice President – Senior Advisory Specialist
Underwriting Manager
Zurich North America, Specialty E&O

Scott Kannry
Vice President
Financial Services Group | Professional Risk Solutions
AON

Maria Treglia
Chief Sales Officer, SVP-Professional Liability
Program Brokerage Corp.

New Exposures & Coverage Options

  • How has the market evolved and how have forms changed in the last 12 months?
  • Where will the coverage head in the next 12 months and what are the most significant issues that need to be addressed?
  • Network security and privacy policies: how they are changing and what are the different carrier approaches

Insurance and Policy Forms

  • Examining the issue of lack of uniform forms
  • How more forms are offering built-in media liability exposure

What Policyholders Are and Should be Looking For in a Cyber Policy

  • What liability and first-party coverages are desirable?
  • Identifying and understanding pitfalls in coverage
  • Reasons companies have or have not bought coverage
  • How standards are evolving in response to new technology threats
  • Consumer redress: when is it covered and when not?
  • Filling in the coverage gap: Understanding the disconnect in what is purchased and what is actually covered

Key Considerations for Cyber Liability Coverage


  • Understanding of the products and their variety in the market
  • What is the effect of expanded risk on insurance coverage?
  • Evaluating risk and how the client wants to proceed
  • Clarifying confusion as to whether a cyber liability product should be stand alone or better built as an existing product or endorsement

Pricing, Selling and Marketing Cyber Risk Policies

  • Pricing of network security and privacy policies
  • Examining the competitive marketplace and how various types of coverage are formulated and priced
  • Where do brokers see the coverage going and what are the most significant issues that need to be addressed?
  • Tailoring the product to accommodate a buyer’s needs: privacy issues; media exposures; cyber crime; security breaches
  • Marketing and selling coverage

10:45 Examining the Latest Federal Enforcement Priorities and Initiatives and Their Impact on Coverage, Underwriting and Claims


Matthew A. Parrella
Assistant United States Attorney
Chief, Computer Hacking/Intellectual Property (CHIP) Unit
United States Attorney’s Office
Northern District of California

Bevin Murphy
Federal Trade Commission
Northeast Regional Office

Jennifer McCarthy
Assistant Director
Office of Compliance Inspections and Examinations
U.S. Securities and Exchange Commission

Wesley L. Hsu
Cyber and Intellectual Property Crime Section Chief
Criminal Division
Executive Office for United States Attorneys
United States Department of Justice

Donald Saxinger (invited)
Senior Exam Specialist
Technology Supervision
Federal Deposit Insurance Corporation

Kurtis Suhs
Vice President, National Practice Leader
Technology E&O & Privacy
Ironshore

Lisa Sotto
Partner
Hunton & Williams

Changing Federal Landscape and its Implication for Coverage

  • Clarifying uncertainty of current regulations
  • Determining the impact of the President’s Executive Order on Cyber liability and insurance
    - Identifying critical infrastructure
    - How effective is information sharing?
    - Implementing specific guidelines and rules about sharing information between critical infrastructure and the federal government
    - Taking steps to protect data security and sharing information on potential hacking
    - Compiling best practices and obtaining voluntary information from corporations
  • What should carriers and brokers be doing to ensure compliance with new laws and regulations?
  • Cyber crime trends: what the FBI is seeing and strategies to prevent and better understand cyber crime

Department of Homeland Security

  • The President’s Executive Order and identifying elements of critical infrastructure

Emerging Trends in FTC Enforcement and Litigation

  • Recent FTC investigations, enforcement actions, and settlements stemming from data privacy breaches
  • Under what circumstances will courts award money judgments for financial breaches?

SEC

  • Examining updates on the SEC guidance

12:10 Networking Lunch for Speakers and Delegates

1:10 A View from the States on Cyber and Data Risk: Emerging Regulatory and Enforcement Activities and the Growing Authority of the State AG Offices

Lyman “Chuck” Taylor, III
Section Chief, Consumer Mediation & Identity Theft
Office of the Indiana Attorney General

Matthew W. Van Hise
Assistant Attorney General
Consumer Fraud Bureau
Illinois Attorney General’s Office

Sara Cable
Assistant Attorney General
Office of the Massachusetts Attorney General

Barbara Anthony
Office of the Undersecretary, Commonwealth of Massachusetts
Office of Consumer Affairs and Business Regulation

  • Balancing state breach notification requirements with responsibilities arising under other federal and state laws
  • Notification guidelines: how soon a company is required to inform customers of a data breach
  • Civil or criminal penalties for failure to disclose, or for security/privacy failures discovered as a result of disclosing
  • Private right of action: whether this option exists: are plaintiffs succeeding in this area?
  • What kinds of breaches, if any, are companies exempt from reporting
  • Using cyber risk insurance most effectively to assist with related cost

2:15 The Cloud: Evaluating and Negotiating Coverage for Cyber and Traditional Risk Arising from Cloud Computing

Stuart Kohn, Esq.
Assistant Vice President, E&O
and Cyber Liability Product Manager
Hartford Financial Products

George N. Allport
Vice President & Financial Fidelity Product Manager
Chubb Specialty Insurance

Jim Charron, CPCU
Practice Leader-Technology
Zurich NA

Laurie A. Kamaiko
Partner
Edwards Wildman Palmer LLP

Dena L. Magyar
Vice President
Professional Risk Group
Wells Fargo Insurance

  • Introduction to the various types of coverage relevant to cloud computing exposures
  • Identifying and addressing problematic areas and mapping out coverage issues
  • How do you cover risk when data is stored at a third party site?
    - Coverage for risk of lost income, corrupted data and increased expenses
    - Reputational Damage
    - Cyber vs traditional property perils
    - The role of an enterprise risk management program in cyber security
    - Capacity
    - Foreign Regulatory Considerations
  • Cyber liability policies with multiple vendors in the cloud industry
    - What/Who is covered in the insurance policies in the event of breach?
    - Where does the liability start and stop?
  • How does cloud computing affect claims handling?
    - What factors do carriers consider in assessing loss exposures presented by a claim against a provider or user?
    - Examining the potential claims that can arise, and how they may impact the coverages
    - Understanding the relationship between the client and the third-party vendor
  • Indemnification of liability, notification, and other costs
  • Determining the risk associated with transmitting or storing data in a foreign location with a third party vendor
    - Impact of potential territorial disputes on what is covered/not covered; privacy regulations; terrorism, social unrest; weather; export regulations
  • What is causing the data breach and how do the cyber policies apply?
  • Examining specialized cyber liability products to cover data loss
  • Minimizing risk on cloud computing by carefully protecting data
  • Who has the duty to notify the affected individuals when the breach is “at” the cloud provider, but the breached data belongs to their client company?
  • Examining indemnification issues and the need for E&O (versus “Cyber”) on the part of the cloud provider

3:15 Afternoon Break

3:20 Effective Cyber Risk Assessment and Remediation: Preventing Breach, Implementing Effective Protocols and Mitigating Damages Once a Breach Does Occur


Katie Timm
Counsel
Corporate Privacy Office
The Hartford

Elissa K. Doroff
Vice President
Marsh USA Inc.

Oliver Brew, ACII, CIPP/US
Vice President, Specialty Casualty
Liberty International Underwriters

Lori Nugent
Co-Chair, Data Security & Privacy Practice
Wilson Elser Moskowitz Edelman & Dicker LLP

Assessment and Remediation

  • Implementing surveys, protocols, and asking the right questions to figure out what risks are
  • Going through a remediation checklist
  • Evaluating and changing the protocol
    - Maintaining the plan and keeping it updated as organization changes
  • Investigating an incident and incident response plans

Mitigating Damages Once a Breach Does Occur

  • What procedures should be in place immediately following a breach?
  • How your forensics work with law enforcement
  • Having examiners and ethical hackers with a specific set of skills look at the breach, what information was compromised, and whether the recourse is civil or criminal

Corporate Governance

  • How the client should be managing risk
  • Who is responsible for providing the information or expanding the lines of communication?
  • Creating a risk committee to find ways to obtain the right stakeholders
  • Training employees and creating discussion on prevention of cybersecurity attacks
    - Keeping networks clean (thumb drives, avoiding phishing emails, etc.)
  • Ensuring IT talks to compliance and everyone is on the same page
  • Understanding the scope, nature, and technical aspect of data breach
  • What is the role of the CIO?

4:20 Litigation Round Up: Using Recent Cases and Class Actions Claims to Assess What Breaches & Resulting Claims are Worth

Darren E. Rutledge, CPCU, MLIS, AIC
Associate Manager | Executive Risk Claims
The Cincinnati Insurance Company

Tara D. Bodden, Esq.
Senior Claims Counsel
Head of Media and Data Privacy Claims
Hiscox USA

Ronald I. Raether, Esq.
Partner
Faruki Ireland & Cox P.L.L

Miriam Smolen
Partner
Gilbert LLP

Thomas Kang
Senior Claims Specialist
ACE

The Shape of Litigation

  • Examining how policyholders impact cyber crime liability litigation; what is the type of data compromised?
  • Examining Plaintiff’s theories and the laws they rely on
    - ABCs of a claim – UDTPA, CDA, SCA, FCRA and other statutes and common law claims
    - Claims arising from minimum standards clauses in policies
    - Claims relating to service providers, payment processors and application/point-of-sale system providers
    - Class action vs. Individual claim: When do data breaches raise the possibility of class actions?
    - Litigation stemming from wrongful collection of data
  • How the data breach response shapes the litigation field
  • How are courts interpreting older policies such as E&G and GL for cyber crime claims
  • How are courts interpreting new cyber crime policies
  • Government instituted actions and the benefits to private litigations
  • Claims for indemnification, subrogation, defense costs and related issues
  • Class certification and other defenses yet to be explored

What Claims are Really Worth

  • Determining whether Plaintiff suffered a cognizable injury
    - What kind of tangible harm is legally compensable
    - When are damages purely speculative
    - Non-financial harm and demands for non-financial remedies such as credit monitoring services
    - Difficulty of proving causation
    - Quantifying economic loss and business interruption
    - Statutory and liquidated damages
  • Impact of data breach response on damages
  • Litigation and consulting costs: how do they factor in and how can they be minimized

5:20 HIPAA, HHS, HITECH, OCR Enforcement Initiatives: The Omnibus Rule, Its Impact on Business Associates/Sub Contractors, and Other Healthcare Hot Topics


Greg Radinsky
Vice President & Chief Corporate Compliance Officer
North Shore - LIJ Health System

Katherine M. Keefe, Esq.
Director, Breach Response Services
Beazley Group

HIPAA, HITECH

  • Analysis of the Omnibus rule and its effect on business associates and sub contractors
    - Extending liability to business associates and sub contractors for lost/stolen data
  • Changes in breach notification requirements
    - Risk of harm standard replaced with presumption of breach

OCR

  • Increased enforcement focus; recent and expected enforcement actions
  • Enforcement tools available to OCR
  • Impact of reporting data breaches to OCR

6:05 Conference Adjourns

Day 2 | Tuesday, October 1, 2013


7:30 Continental Breakfast

8:00 Selling and Pricing Cyber Policies for the Small to Middle Market

Matthew Prevost, RPLU
Assistant Vice President, Cyber & Professional Liability
Philadelphia Insurance Companies

Robert Bianconi
Senior Underwriter
Allied World Assurance

D. Tyler O’Connor
Professional Liability Broker
CRC Insurance Services, Inc.

Mark Camillo
Senior Vice President-Information Technology
AIG

Rick Betterley
President
Betterley Risk Consultants

  • Examining the expanding landscape of claims coverage for small businesses
    - How businesses such as CPAs, law firms, and smaller businesses are easy targets for cyber attacks
  • Minimizing risk of data breaches for small businesses that do not have an IT department to implement security controls
  • Assessing the appropriate coverage for small business: stand alone, adding endorsements to GL, or an existing coverage
  • Small businesses that don’t have the capital or public relations campaign to respond to a data breach
  • Addressing the degree of uncertainty with small businesses and calculating losses

9:10 Social/Interactive Media and Mobile Workforces: Evaluating Risks as a Result of the Latest Cyber Threats


Laura Johnson
Vice President
Euclid Managers, LLC

David J. Molitano
Vice President
Content, Technology, and Services Liability Division
OneBeacon Professional Insurance

Michael Carr, ARM
Senior Vice President,
E&O Underwriting
Argo Pro

Jake Kouns
Director, Cyber Security
and Technology Risks Underwriting
Markel Corporation

Kirstin Simonson, CPCU, ARM, AU, ASLI
2VP, Underwriting - Global Technology
The Travelers Companies, Inc.

Interactive Media/Social Media


  • Identifying potential pitfalls with social media
    - Reputation (customer, competition or employee complaints); Endorsements and Testimonials (ex: an employee posting positive things about its company’s product without disclosing they are an employee); Security issues (malware, virus); Brand Hijacking (fake pages, fake posts, trademark issues); Record management (discoverable, whose info is it); Compliance (complying with the terms and conditions of social media site); Confidential Information Leaks (posts on new products, ask the expert); Employment Practice Issues; Infringement Issues (posting the content of others, or others posting content that is infringing); Contests, Sweepstakes and Lotteries; Unsolicited communications through social media site; Antitrust; Invasion of Privacy/Publicity; Security laws and more
  • Employment Practices and Social Media
    - Discussing the risks to employers when employees engage in social media
    - Screening job applicants on Social Media Sites
    - Requesting Employee’s personal password on Social Media sites
    - Investigating employee’s social media activities
  • Internal “social business” strategies: changes in communications, workflows and cyber-risks
  • Assessing the high risks to employers when employees post comments about employer: inappropriate response to customer complaints, disparaging a competitor, harassing a fellow employee, exposing confidential or private information, posting inappropriate photos
  • Addressing the gap in the GL form that excludes interactive media coverage
    - Modifying the GL policy to include coverage for posts on social media and blogs; Modifying the E&O coverage; Modifying coverage on advertiser’s liability extension, e-media extension
  • Dealing with the E&O issue when the client/company sues the agent/broker for coverage they assumed existed but did not exist
    - Areas of fault in policy language, drafting, or broker’s inability to recognize it

Mobile Workforce

  • Examining the risks and rewards of a “bring your own device” policy in the workplace – how this “consumerization of IT” including the development of “shadow IT” and personal clouds impacts the traditional IT role and increases cyber-risks
    - The phone number problem when employee leaves company (competitors customers calling employee); Lost, stolen phone with company information; Games and other personal applications on devices; Security; Shadow IT vs IT department: better applications to do work
  • Dealing with off-site employees utilizing remote access points, including their mobile devices or other resources that lack sufficient security controls: Encryption, VPN enabled, Authentication/Identification
  • Training employees on “bring your own device” policy

10:30 The Emergence of Big Data in the Cyber & Data Risk Insurance Context: Aggregating Data, Data Analytics, and Data Mining

John Coletti
Underwriting Manager
Select Professional Insurance
XL Group

Robert Parisi, Jr.
Senior Vice President, National Practice Leader
Tech/Telecom E&O and Network Risk
Marsh FINPRO

Brian Hengesbaugh
Principal
Baker & McKenzie LLP

Charles E. Leasure III
Of Counsel
Pepper Hamilton LLP

Big Data


  • What is big data and how is it being used?
  • Aggregating enormous amounts of data
  • Examining the effect of big data and privacy/security issues
  • How big data, data centers, and storage of data affects cyber policies
  • Addressing potential litigation exposure

Data Aggregation

  • Collecting enormous amounts of mined data and the associated privacy risks

Online Business Advertising

  • Collecting information based on online activity and using it to target advertisement
  • Purchasing data from vendors
  • Selling information collected by tracking consumers to data aggregators and then using the information to re-sell

11:30 Corporate Espionage and Cyber Attacks: The Latest on Foreign and Domestic Agents Gaining Sensitive Corporate Data/IP and Access/Control Over Network Systems

Brad Gow
Professional Lines
Endurance Pro

Christopher Novak
Global Managing Principal, Investigative Response
Verizon RISK Team

  • Learning from the recent reports on the alleged cyber attacks from China
  • Assessing the sophistication or limitations of malware protection
  • Examining recent cyber attacks from Eastern Europe and China
    - Determining potential targets
    - How the growth of this market affects cyber security
    - How recent cyber attacks affected the President’s Executive Order
  • Addressing cyber or other policies that exclude theft of intellectual property
    - Going beyond run of the mill coverage for pure data breach and moving towards coverage for theft of corporate secrets, sensitive information, and intellectual property
  • Identifying the liability issues
  • Creating cyber policies

12:15 The Global Impact of Cyber Attacks: the EU Directive, Risk Assessment, Understanding and Complying with International Privacy and Data Protection Laws/Legislation, and Addressing Special Concerns Regarding Cross-Border Transfers and Security Breaches for Multinational Companies

Mark Faber
Vice President
Corporate Counsel
Prudential Financial

Richard Bortnick
Attorney
Law Offices of Richard Bortnick

Lara Kehoe Hoffman
Privacy and Data Security Counsel
Autodesk, Inc.

Tim Stapleton, CIPP/US
Deputy Global Head of
Professional Liability
Zurich General Insurance

  • Understanding and complying with new developments in international privacy and data protection laws and regulations
  • How to conduct e-business activities around the world?
  • Analysis of the EU Directive on Cyber Security
  • Special concerns regarding compliance and liability for multinational companies
  • Rights under international data protection laws
  • Analysis of EU Data Protection Regulation and other new international privacy laws
    - Requiring companies/entities in member states to adopt notification standards
    - Member states passing additional requirements and notifying individuals, which triggers a whole host of different requirements
    - Achieving IT standards to comply with the EU directive or risk fines/penalties
  • Handling multi-national data breaches
  • Effectively managing cross border data transfers in compliance with the various differing legal and regulatory requirements around the world

1:15 U.S. Department of Commerce Special Address: Privacy and Security Developments in Europe and Asia and Their Impact on Multinational Companies Doing Business Abroad

Joshua Harris
Office of Technology & Electronic Commerce (OTEC)
International Trade Administration
U.S. Department of Commerce

1:45 Conference Ends; Lunch for Workshop B Attendees