hub international nonprofit executives' workshop slides 031816 final

Post on 22-Jan-2017


Cyber Risk in the Nonprofit Organization
Threats, Laws, and Remedies

Nonprofit Executives’ Workshop
March 18, 2016

Agenda

• Welcome and opening remarks (Scott Konrad)
• State of Cybersecurity (Mike Zusman)
• Data breaches: trends, the regulatory landscape, and incident response (John Farley & Andy Obuchowski)
• BREAK
• Insuring against Cyber Risk: an underwriter’s view (Peter Castillo)
• Marketplace update and Cyber insurance buyer’s guide (Tony Giordano)
• Q&A, wrap-up and evaluations

Why Worry About Risk?

• “Fraud Alert: Criminals Test Stolen Credit Card Numbers on Charity Websites” (09/17/15)
• “Heritage Foundation Donor Data Possibly Taken in Hack Attack” (09/03/15)
• “Planned Parenthood Claims Cyber Attack” (07/30/15)
• “Urban Institute Hack Could Involve Nonprofits’ Tax Data” (02/20/15)
• “Suspected Pro-ISIS Group Hacks Calif. Aid Charity” (01/08/15)

Why Worry About Risk?

• “Goodwill, Feds Investigate Possible Data Breach” (07/22/14)
• “Open Records Activist Shuts Down Nonprofit Data Website in Protest” (06/16/14)
• “Data Breach Affects 9,700 at MD Nonprofit Serving Disabled” (03/18/14)
• “Healthcare is Largest Sector Targeted in Cyber Attacks” (02/20/14)
• “2 Convio Clients Hit in Security Breach” (11/06/07)

Online Giving: The New Frontier

• 1,018,464 donors
• 1,845,806 donations
• $212,215,508 donated
• 30,948 nonprofit organizations
• Heaviest in December
• Online = 9.2% of total giving
• Expanding mobile payment capabilities
• Crowdfunding projected at $6B for social causes in 2016
– Double 2014 giving

Source: Chronicle of Philanthropy, January 2016

Costs of Cyber Risk

• Reputational damage
• Diminished financial support
• Impaired stakeholder relations
• Greater scrutiny
• Direct breach response costs
• Fines and penalties
• Civil liability
• Higher insurance costs
– Premiums
– Deductibles/self-insured retentions

The State of Cybersecurity
So You Think You’re Bulletproof?

Mike Zusman
Founder & President
Carve Systems, LLC

Carve Systems - History

Founded 2011

Carve Systems – Our Work

• Penetration testing
• Consulting (risk assessment, architecture review, SDLC enhancement, training)
• 70% of business is telecom related
• 30% spread across Ecommerce, Finance, Non-Profit, Agriculture, Tech, etc.
• Full stack “IoT” security assessment services
• Embedded
• OS/Platform/Cloud
• Web/API/Application
• Mobile
• Network

My First Security Job - 2004

Microsoft “PCT” Bug renders airgap useless.

Things Must Be Better Now…Right?

Engineers Make Mistakes

Source: Jeff Williams

Third-Party Risk & Attacker Goals

My Argument for Security

• We can’t rely exclusively on our vendors to magically provide “security.”
• Organizations must take responsibility for assessing and managing their own risk.
• Perfect security isn’t realistic – nor is it required.

Who Are the Players?

Prevent the 80%, Detect the 20%
Increasing level of sophistication

The 80% - Casual Attacks
Prevent these attacks
“Targets of opportunity”

The 20% - Direct Attacks
Detect these attacks
Motivated, well-funded, patient

Carve’s Top 3 Security Risks

1. Phishing, and spear-phishing
2. Uncontrolled external network perimeter (includes applications, IoT/M2M)
3. Insufficient internal access control

Bonus Risk: Insufficient security leadership & culture

Phishing Simulation #1

Phishing Simulation #2

Phishing Simulation #3

Network Perimeter Case #1

• Case Study: Fortune 50 firm demands security assurance from vendor
• Vendor: Hi-tech engineering firm (~150 people)
– Engineers, software developers, admin staff
• High-value espionage target
– Started “caring” about security too late
• Sensitive data belonging to Fortune 50 client leaked accidentally
– Sensitive usernames, passwords, IP addresses ended up on the Internet

Network Perimeter Case #2

1. Google search: site:yourdomain.com
2. Go to the last page of search results and work backwards

Easy Wins

• Determine what you have on the Internet, and take down what isn’t necessary
– Attack Surface Reduction
• Train your users about phishing attacks, and run simulations
– Repeatable process, easy metrics
• Hire an outside firm to conduct a risk assessment
– NIST Cybersecurity Framework
• (Maybe) Hire an outside firm to conduct penetration testing

What You Need Going Forward

• Someone to own Information Security
– Can be a committee
– Doesn’t need to be technical
– Preferably external to IT team
• Situational awareness in terms of your technology
– Why and how would someone attack your organization?
– What can you detect and prevent?
• Incident response plan
– IR firm retainer
– Cyber policy

Important Concepts

1. Penetration Testing
– The human act of trying to by-pass security controls and penetrate an application, network, or facility
2. Risk Assessment
– A thought exercise to understand the risk potential of a system or undertaking
3. Vulnerability Scanning
– The human act of pushing a button to start an automated, software-driven probing of a target system or application

For More Information

Mike Zusman
Founder & President
Carve Systems, LLC
+1 (201) 916-4152 Mobile
mike.zusman@carvesystems.com
http://carvesystems.com
@carvesystems

“Security is a process, not a state”

Data Breaches
Trends, The Regulatory Landscape & Incident Response

John Farley
Vice President, Cyber Risk Services
HUB International Northeast Limited

Andy Obuchowski, Jr.
Practice Leader | Digital Forensics & Incident Response Services
Director | Security & Privacy Consulting
RSM US LLP

Evolution of Cyber Risk

[Timeline figure; date labels: Late 1990s, Mid-2000s, 2008, 2011, 2014]

Stage labels on the timeline:
• Viruses, network failures, and Y2K
• Large-scale hacks – payment cards and identity theft
• Theft of intellectual property & trade secrets; cyber espionage
• “Hacktivism” and politically-motivated attacks
• State-sponsored attacks, “Internet of Things,” national security concerns

Types of Data

• PII – Personally Identifiable Information
– e.g., Name in combination with Social Security number, driver’s license number, bank account information, credit card information, online/financial account username and password
• PHI – Protected Health Information
– Information relating to provision of healthcare, mental/physical condition, payment for provision of healthcare that identifies or can be used to identify individual
• PCI – Payment Card Industry Information
– Cardholder data
• Intellectual Property

How Do Incidents Occur?

Phishing Attacks Succeed

Anatomy of a Breach Response: 1st Party

• Internal Client Issues
– Internal reporting
– Broker involvement
– Insurance & deductible management
• Experts
– Breach coach
– Forensics
– Credit monitoring
– Notification firms/Call centers
– Public relations
• Investigation: internal/forensic/criminal
– How did it happen
– When did it happen
– Is it still happening
– Who did it happen to
– What was accessed/acquired (What wasn’t)
– Encrypted/protected
• Notice Methods
– Written
– Electronic
– Substitute
– Media
• Deadlines
– Can range from 15 days to “without reasonable delay”
• Inquiries
– State regulators (i.e., AG)
– Federal regulators (i.e., OCR)
– Federal agencies (i.e., FTC, SEC)
– Consumer reporting agencies
– Plaintiffs
• Notice obligations
– State
– Federal
– Other (i.e., PCI)

State Regulatory Exposures

State level breach notice: 47 states (plus Puerto Rico, DC, Virgin Islands) require notice to customers after unauthorized access to PII/PHI.

• Require firms that conduct business in state to notify resident consumers of security breaches of unencrypted computerized personal information
• Many require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies
• Notice due from 15 days to “without unreasonable delay”

State Notification Trends

• Email & passwords = PII
• Less time to notify
• Credit monitoring required
• Written notice to attorney general in addition to individuals
• Written information security plan and encryption required
• July 7, 2015: 47 state AGs write to Congress, urging US to preserve state authority over data breaches

Common Causes of Action

• Fraud reimbursement
• Credit card replacement
• Credit monitoring/repair/insurance
• Civil fines/penalties
• Statutory damages (CMIA)
• Time
• Unjust enrichment
• Fear of ID theft
• Actual ID theft
• Mitigation costs
• Time spent monitoring

D&O Exposure - Allegations

• Board didn’t regularly address cyber risk or document discussions
• Security plan isn’t tailored to the organization’s specific risk profile
• No incident response plan
• Failure to mitigate damages post-breach
• Failure to train staff

Claim Costs (NetDiligence 2014)

• Average claim payout: $733,109
• Average cost per-record: $956.21
• Average cost for Crisis Services: $366,484
• Average cost for legal defense: $698,797

Data Governance

Data creates legal duties

• What data do you collect, and why?
• Where is it?
• How well is it protected?
• Who can access it?
• When do you purge it?
• How do you purge it?

Vendor Management

• Create a formal vendor management program
– Regulatory compliance
– Mitigation of legal, business, and reputational risk
• Require periodic cyber security audits
• Require employee background checks
• Address roles and responsibilities in breach response
• Insurance and indemnification language
• Establish a contingency plan to use alternate vendors

Incident Response Team

Roles & Responsibilities
• Identify
• Escalate
• Training/guidance
• Manage/conduct investigation
• Preserve documents/materials
• Assist law enforcement
• Submit progress reports
• Recommendations to avoid future incidents
• Issue final report

Interdisciplinary Approach
• Information Technology
• Information Security
• Compliance/Risk Management
• Human Resources
• Operations
• Legal
• Development/External Affairs
• Finance
• Privacy
• Program

Data Breach Life Cycle

Best Practices Checklist

• Cybersecurity governance and risk management – Board engagement
• Cybersecurity risk assessments
• Technical controls
• Incident response planning
• Staff training
• Cyber intelligence and information sharing
• Third-party/vendor management
• Cyber insurance – risk financing tool

For More Information

John Farley
Vice President, Cyber Risk Services
HUB International Northeast Limited
+1 (212) 338 2150 Direct
john.farley@hubinternational.com

Andy Obuchowski, Jr.
Practice Leader | Digital Forensics & Incident Response Services
Director | Security & Privacy Consulting
RSM US LLP
+1 (508) 922-4770 Mobile
andy.obuchowski@rsmus.com

Insuring Cyber Risk
An Underwriter’s Perspective

Peter Castillo
Vice President, Financial Lines
Chubb Group

Disclaimer
The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states.

2016 Threat Predictions
From Cyber Security Leadership

“…a trusted name in security will be utterly and embarrassingly hacked in 2016...” – Hackett, Fortune Tech

“…the year of online extortion. Cyber extortionists will devise new ways to target its victim’s psyche to make each attack personal..” – Trend Micro

“Organizations need to realize that financial gain is no longer the only or even the biggest driver of some of their adversaries.” – Amit Yoran, RSA

“…the pressure to do something at the federal level will provide politicians an attractive issue in an election year…” – Hill, STEALTHbits Technologies

“We’ve noticed patterns of (claims) trends that would better suit our clients if we were transparent and if we showed them where incidents went awry…”
— Michael Tanenbaum, Chubb Professional Risk

Wall Street Journal, April 2015

Cyber Claims and Industry Trends (last 3 years)
Triggers and Industry Trends (as of 10/2015)

Claim triggers (pie chart):
• Hack 34%
• Human Error 16%
• Rogue Employee 13%
• Lost/Stolen Devices 13%
– Laptops 11%
– Hard Drive 1%
– Other 1%
• Other 9%
• Privacy Policy 7%
• Paper 5%
• Software Error 3%

Industry Breakout 2013-2015:
• Healthcare – 31%
• Technology – 9%
• Professional Services – 15%
• Retail – 9%
• Financial Institutions – 6%

Targeted Attacks for PI:
• Lost/Stolen Devices
– 2013 – 17%
– 2014 – 12%
– 2015 – 11%
• Hack
– 2013 – 29%
– 2014 – 27%
– 2015 – 43%
• Rogue Employee
– 2013 – 14%
– 2014 – 16%
– 2015 – 11%

Cyber Claims and Industry Trends (10 years)
Triggers by Industry Segment (as of 10/2015)

[Bar charts of claim triggers by industry segment. Panels: Retail, Healthcare, Technology, Professional Services, Financial Institutions, Public Entity, Education, Travel & Hospitality. Trigger categories on the horizontal axes: Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy, Paper, Unknown. The vertical axes are percentages.]

Cyber Claims Overview (10 years)
Number of Records Compromised

Percentage of Claims based on Known* Number of Records Compromised

[Pie chart. Legend: 0 records; 1-100 records; 100-100,000 records; 100,000+ records. Data labels: 54%, 36%, 8%, 2%.]

*Unknown: oftentimes the exact number of records compromised is never determined, in both large and small incidents.

Cyber Claims Overview (10 years)
Types of Data Involved

Cyber Claims Overview (10 years)
Average Cost of First Party Expenses (as of 10/2015)

[Bar chart of average cost by service. Categories: Legal Fees, Forensics, Notification & Call Center, Credit Monitoring, Crisis Management. Data labels: $185,600; $81,600; $51,600; $59,150; $44,500.]

Every Breach Response is Unique

Cost Range of Each Service
• Legal Fees: Under $5,000 up to about $50,000
• Forensics: About $10,000 to Seven Figures
• Notification & Call Center: up to $80,000
• Credit Monitoring: Payment per Enrollee or Restoration Service
• Minimal Crisis Management Costs

Frequency of Each Service?

Cyber Claims Overview (10 years)
Bad Actor Activity increase Forensic Costs

Understanding the Exposures and Risks

Oversight

Vendor Management

Cyber Risk Mitigation Services
Pre-Incident Strategy

Column headings: CORE, TACTICAL, CULTURAL

• Huron Consulting: Information Governance: Know Where and What Data to Protect
• Navigant: Business Impact Calculation: Determine How Much Outages Actually Cost
• Wombat Security: Security Awareness: Elevate Employee Awareness for Protecting Information
• Net Diligence: Cyber Readiness: Compare Your Company Against Security Standards
• McGladrey: PCI Compliance Assessment: Comply with Credit Card Security Requirements
• FireEye: Cyber Threat Blueprint: Gain New Insight on Current Cyber Threats
• BitSight Technologies: Security Performance: Ongoing Security Ratings of Your Company
• Fidelis Cybersecurity: Incident Response: Evaluate your Incident Response Plan and Capabilities
• Trustwave: HIPAA Compliance Assessment: Comply with U.S. Healthcare Regulations
• Lewis Brisbois: Vendor Management: Determine Contractual Privacy and Security Exposures

Chubb Cyber Risk Management Program
A Three-Pronged Approach to Policyholder Cyber Risk Management

MITIGATE: Loss Mitigation Services
• Risk management services designed with our claims data in a menu-style approach at time of proposal. Offered to all potential/current Chubb Technology/Privacy and Network Security policyholders
• External distribution of claims trends (information sharing is absolutely necessary)
• Negotiated price points designed for middle market segment but applicable to all segments (SME & Fortune 100)
• Chubb’s Cyber Experience, powered by eRisk Hub® online risk management portal

RESPOND: Cyber Response Team fka Data Breach Team
• Options at time of proposal and at time of incident (we don’t dictate to our policyholders but enable them to make informed decisions)
• Independent Data Breach Team is key element of coverage (typically $0 retention)

TRANSFER: Risk Transfer Solutions
• Coverage capabilities and limit capacity focused on all sizes and industries
• Highly specialized underwriters to personalize the coverage to policyholder needs
• Experienced claims staff to handle highly complex claims

For More Information

Peter Castillo
Vice President, Financial Lines
Chubb Group of Insurance Companies
+1 (212) 642-7896 Direct
peter.castillo@chubb.com

Marketplace Update & Cyber Insurance Buyer’s Guide

Anthony Giordano
First Vice President, Management & Professional Lines
HUB International Northeast Limited

Risk Transfer: A Modular Approach

Protection Available Against a Variety of Threats

Insuring Agreements: Third-Party Risk

• Privacy Liability
– Covers defense and damages for liability arising out of an organization’s failure to protect personal identifiable, personal health or corporate confidential information.
– Does NOT have to be a result of a failure of network security
• Lost/stolen laptops
• Back-up tapes
• Paper records
– Covers regulatory proceedings and penalties brought by a government agency

Insuring Agreements: Third-Party Risk

• Network Security Liability
– Covers defense and damages for liability arising out of an organization’s failure to protect personal identifiable or corporate confidential information.
– Covers defense and damages for liability arising out of a failure of network security.
– Coverages include:
• DOS (denial of service)
• Transmission of virus or malicious code
• Unauthorized access or use of corporate systems

Insuring Agreements: Third-Party Risk

• Media Liability
– Defense costs and damages arising out of content on an insured’s website which can extend to social media
• Infringement of copyright or trademark
• Libel/slander/plagiarism
• Invasion of privacy
• Negligence due to content housed on website
– Coverage can be extended to encompass all matter: broadcast, audio, video, printed

Insuring Agreements: First-Party Risk

• Data Breach Assessment, Investigation and Response Expenses
– Expert legal counsel fees
– Forensic investigation costs
– Notification Costs
– Public relations fees
– Identity restoration fees

Market Overview

• Significant and growing interest in Cyber product
• Demand met by expanding number of insurers
• Constantly-evolving coverage terms, firming rates
• Point-of-sale (POS) retailers finding coverage harder to obtain, seeing large premium increases

Today’s Market Conditions

• Recent high-profile breaches have heightened awareness of cybercrime and need for financial protection
• Many first-time buyers entering market
• Significant change in underwriting for retail risks, with heavy focus on POS technology
• Expansion of coverage terms continues
– Removal of coverage sublimits (caps)
– Enhanced loss control services
– Costs covered outside aggregate limit of liability
– Broadened protection for first-party business interruption risk

Today’s Market Capacity

• Over 60 primary network security and privacy liability writers in mid-market
– Less interest in ‘jumbo’ risks
• US cyber market generated $2B+ gross written premiums in 2014
– Potential to grow to $5B by 2018, $7.5B by 2020
• Industry experts predict large rate hikes for business segments hit hard by breaches

Topical Issues

• Movement toward cloud computing now triggering aggregation concerns
– What happens if cloud provider is breached?
– How many customers/users could be affected?
• Consumer protection litigation over business practices and privacy issues
– Allegations of wrongful data collection, sharing of data, eavesdropping, and opt-in/opt-out preferences

2016 Forecast

• Market capacity will remain stable unless you’re in a high-risk segment (e.g., Healthcare, Higher Ed, etc.)
• Competitive pricing environment for mid-market
– Rates will remain flat
• Retail risk underwriting scrutiny will continue
• Insurers will increase scope of pre-breach services to differentiate from competitors

Cyber Buyer’s Guide

• Get expert help to assess your risk landscape and vulnerabilities
• Obtain ‘nose’ (retroactive) coverage for unknown events predating inception
• Beware of exclusions – e.g., unencrypted devices/data
• Consider protection against acts of third parties
• Take advantage of risk management services
• Don’t scrimp on policy limits
• Understand the claim ‘trigger’ (Occurrence vs. Claims-Made)
• Don’t buy off-the-rack – tailor the product to your needs and circumstances

For More Information

Anthony Giordano
First Vice President – Management & Professional Lines
HUB International Northeast Limited
+1 (212) 338-2354 Direct
anthony.giordano@hubinternational.com

Open Q&A

Our Nonprofit Thought Leadership

Scott R. Konrad
Senior Vice President & Not-for-Profit Business Practice Leader
HUB International Northeast Limited
+1 (212) 338-2295 Direct
scott.konrad@hubinternational.com

Specializing in Nonprofit risk, insurance, and employee benefits solutions