Non Physical Business Interruption
Malcolm Randles, Underwriter, Kiln Syndicate 510
01 February 2011

Network Security Threats Severity/Probability Matrix
[Figure: matrix with axes Financial Loss and Event Probability. Threats shown: Information Warfare, Cyber Terrorism, Cyber Crime, Malicious Hacking, Vandalism, Experimentation]

First Party Technology/Network Risks
• Direct physical loss - property policy
• Extortion
• Direct non-physical damage
• Software failures
• Operational mistakes
• Malicious Code (viruses)
• Denial of Service
• Vandalism/Malicious Acts
• Terrorism
• Contingent Business Interruption
• Upstream/downstream - suppliers, chief customers
• Co-dependency on Other Vendors
• Infrastructure (BPO and IT)

Context of risk
[Diagram labels: Human Error; Disgruntled Employees/Contractors; System Failures; Cyber Terrorism; Extortion; Property Policy: Natural Disasters]

Cyber First Party Coverages

Data/Electronic Information Loss
• Covers the cost of recollecting or retrieving data destroyed, damaged or corrupted due to a computer attack

Business Interruption or Network Failure Expenses
• Covers cost of lost net revenue and extra expense arising from a computer attack and other human-related perils. Especially valuable for computer networks with high availability needs.

Cyber-extortion
• Covers both the cost of investigation and the extortion demand amount related to a threat to commit a computer attack, implant a virus, etc.

Key Kiln Differentiators
• Coverage includes administrative or operational mistakes as defined and aspects of accidental damage or destruction, not just computer attacks
• No small internal indemnity limits per hour
• No sub-limit for virus exposure
• Outsourcing/offshoring risks – contingent business interruption and data damage – full policy limits
• Ability to endorse agreed amount for BI/EE with peak season adjustment (for example, retailers) and asset value of data

Key Kiln Differentiators
• Minimum 4 hour waiting period, 10% coinsurance
• Reimbursement for employee working time to replace, restore or recreate electronic data (endorsement on predefined billable hrs)
• Expanded coverage and limits for Special Expenses - $500,000 or 25% of loss, whichever is greater. Within special expenses, sublimits for $250,000 Customer Notification Expenses and $250,000 Public Relations Expenses
• Rogue employee coverage for computer attacks
• No “shortcomings in security” or similar exclusions – “computer system is protected by security practices and system maintenance procedures that are equal to or superior to those disclosed in the proposal [application]”

Key Industry Groups
• Financial services
• Health care
• Hospitality/Travel
• Retail
• Technology/Telecom
• Media Services
• Manufacturers

Summary
• Threat is real.
• High value class actions and regulatory enforcements
• Tailored products
• Balance of intangible v tangible is changing
• It’s a board room/D&O issue – network availability and digital assets are critical to infrastructure and revenues.
• Many clients think they have coverage under traditional policies or purchased first generation cyber products with major limitations.