NYBA_Presentation May 16th WELLS-BEAZLEY

Wells Fargo Insurance Services USA, Inc.
Cyber Risk & Privacy Liability;
Protecting The Bank With Insurance
New York Bankers Association Meeting
Thomas Reagan, Beazley Insurance Company
John Farley, Wells Fargo Insurance
Tarrytown, NY
May 16th, 2013
©2012 Wells Fargo Bank, N.A. All rights reserved. Confidential.
Agenda
• High risk industries
• What is at risk for banks
• Causes of data breaches
• Legal and financial consequences
• Recent bank breaches
• Data breach best practices
• Insurance coverage
• State laws
• Federal laws
High hazard industry classes
• Schools, colleges, and universities
• Healthcare
• Financial institutions
• Retail
• eCommerce companies
• Information and data services companies
• Credit card processors
• Public entities
Network Security / Data Risk
Data creates duties. To protect, preserve and defend.
• What data do you collect, and why?
• Where is it? How well is it protected?
• Who can access it?
• When do you purge it? How do you purge it?
Causes of Data Breaches
• Decentralized IT Operations
• Hacking
• Laptop loss w/client data (very common)
• Backup tape loss (not my fault…it was the shipper)
• Staff Mistakes: Data Leaks via email, mailings or paper disposal
• Vendor & Biz Partner Breaches (VERY COMMON!)
The $45 Million Bank Heist
• 2 banks hacked in U.A.E. and Oman
• Involved counterfeit prepaid debit cards as well as hacked bank account numbers and PINs
• More than 40,000 ATM withdrawals in 27 different countries on six different continents.
• $45,000,000 stolen from banks around the world.
Source: By Chris Isidore @CNNMoney - Last updated May 10 2013
New York ATM Locations Affected
Source: By Chris Isidore @CNNMoney - Last updated May 10 2013, via US Attorney's Office
How it works:
Bank Assets: Data; Funds
Risk: Loss of Data; Electronic Fraud; Theft of Funds
Beazley’s Solution: BBR; Computer Crime Policy; FI Bond
Will my cyber policy cover this?
Data Asset Coverage is like Property Insurance for Digital Information
Network Security Coverage is like General Liability for the Internet
What can be covered under a network security and privacy policy?
• Breach of Security: Your liability to third parties arising out of a failure of your network security that results in a computer attack. Such failure can be caused by unauthorized access or use, transmission of a computer virus or a denial of service attack.
• Invasion of Privacy: Your liability arising from disclosure and release of confidential or personally identifiable information stored on your computer system caused by a failure of your network security.
• Enterprise Privacy: Your liability arising from any breach of privacy including violations of HIPAA, GLB or any state, federal or foreign privacy protection law (including regulatory defense expenses, notification expenses, credit monitoring, crisis management expenses)
• Identity Theft: Your liability arising from theft of personal information of your employees, customers or clients.
What can be covered under a network security and privacy policy?
• Cyber Extortion: Protection against threats or demands made against you involving your computer network.
• Internet Media: Defamation, Libel and Slander/Personal Injury – Liability arising out of the content disseminated on your Internet site; includes intellectual property infringement exposures
• Business Interruption: Business Interruption losses sustained by you arising from the interruption or suspension of your computer network, due to failure of security (including extra expenses)
• Data Asset Coverage: Information asset protection for you for property losses involving data, computer systems and information assets arising from a computer attack.
Network security and privacy GAP analysis
Policy types compared: Property; General Liability; Crime; K&R; E&O; Network Security & Privacy
Risks compared:
• Physical damage to data only
• Virus/hacker damage to data only
• Denial of Service (DOS) Attack
• Business interruption loss from security event
• Extortion or threat
• Employee sabotage of data only
• Theft/disclosure of private information
• Confidential corporate information breach
• Technology E&O
• Media liability (electronic content)
• Privacy breach expense and notification
• Damage to 3rd party’s data only
• Regulatory privacy defense and fines
• Virus and malicious code transmission
Risk groupings: 1st Party Privacy and Network Risks; 3rd Party Privacy and Network Risks
Legend: No coverage; Possible coverage; Coverage
How Does “Cyber” Insurance Match Up Against the Universe of Risk?
Risk | Traditional Insurance Product | “Cyber” Insurance Product | Critical Challenges
Asset Protection | Property Policy | Data Asset Coverage | Can we really destroy electronic data?
Business Interruption Loss | Property Policy | Network Business Interruption | What are the correct covered perils, and do we understand how they work?
Liability for 3rd-Party BI/PD | GL, Products Liability | Network Security | Do we even have obligations to other people on the Internet?
Advertising Injury / Personal Injury | GL / Media Liability | Website Media? | Has offline law kept up with the online world?
Theft of Money or Securities | Fidelity Bond / Crime | Computer Crime | Is stealing money electronically really an innovation?
Liability for Loss of Private or Confidential Information | ? | Privacy Liability | Is there any historical equivalent for this risk?
A Simplified View of a Data Breach
Stages: Discovery of a Data Breach; Evaluation of the Data Breach; Managing the Short-Term Crisis; Handling the Long-Term Consequences
Theft, loss, or Unauthorized Disclosure of Personally Identifiable Non-Public Information or Third Party Corporate Information that is in the care, custody or control of the Insured Organization, or a third party for whom the Insured Organization is legally liable
Items shown: Class-Action Lawsuits; Notification and Credit Monitoring; Forensic Investigation and Legal Review; Regulatory Fines, Penalties, and Consumer Redress; Reputational Damage; Public Relations; Income Loss
For Data Breaches, a Stitch in Time Saves Nine
Breach Preparation: Investment in security controls is the best way to prevent a breach…
Breach Response: …but once you have a breach, a rapid, coordinated response from technical and legal experts is the best way to control your exposure.
Notification: If you wind up having to notify individuals, make it timely and comprehensive, and get it right the first time....
Litigation / Regulatory Action: …or you can greatly increase your risk of litigation or regulatory intervention.
Reputation and Lost Income: The ultimate goal is to preserve corporate reputation and get the business back to normal as quickly as possible. The most effective management of this risk comes from effectively handling the earlier risks!
How are today’s risks addressed by yesterday’s Computer Crime policies?
Questions
CONTACT
• John Farley
Vice President, Data Breach Consultant
Wells Fargo Insurance Services USA, Inc., 330 Madison Avenue, 7th Floor, New York, NY 10017
Phone: 212-209-0227
Email: john.farley@wellsfargo.com
• Thomas Reagan
Underwriter
Beazley Group
1270 Avenue of the Americas
New York, NY 10020
Phone: 646-943-5902
Email: thomas.reagan@beazley.com