captive and cyber a match made in paradise · 2016-10-19 · • tolerance: we evaluate new systems...

CAPTIVE AND CYBER A MATCH MADE IN PARADISE

Liz Limjuco, Vice President, Marsh

Grace M. Crickette, CGEIT, CCEP, ARM, & AVP Business Operations - SFSU

Tina Summers, Senior Vice President, Marsh

October 19, 2016



Agenda

Cyber Insurance Market Update

Liz Limjuco, Vice President - Marsh

In her role as an Advisory Specialist at Marsh, Liz engages with clients throughout the West Zone to advise them on their Cyber, E&O, media and intellectual property programs. Liz joined Marsh in 2016. Previously she worked at AIG as the Cyber Vendor Services Leader managing the extensive cyber vendors’ network and coordinating cyber partnership opportunities for clients. Prior to this, Liz was a Regional Underwriting Manager for the Professional Liability Division at AIG.

• B.S. Business focusing on Market Research - University of Dayton.


My Cyber Story

Grace M. Crickette, CGEIT, CCEP, ARM, & AVP Business Operations – SFSU

Grace is passionate about creating innovative programs that elevate the reputation of the organization, provide a positive employee experience, and result in lasting change and sustainable savings. She is an accomplished Administrator and Financial Executive, CRO, CCO, and Captive Insurance Officer, with an exceptional record of success in leading institutional strategic business planning, finance and budgeting, administration and operations management, investment and business growth, large scale information technology implementations, and governance and risk management for a variety of industries.

• 2011 Business Insurance's Women to Watch.

• Business Insurance - 2011 Risk Management Honor Roll.

• 2011 - Treasury and Risk magazine named Grace as one of the “100 Most Influential People in Finance”.

• Grace is an alum of the University of Redlands and Harvard Business School.

Cyber + Captives

Tina Summers, Senior Vice President – Marsh

Tina is a Consultant in Marsh’s Captive Solutions Practice. In this role, her responsibilities include providing consulting services in the captive and alternative risk finance area by: assessing captive opportunities; performing comprehensive feasibility studies; and working with captive management on captive formations. Tina also performs strategic reviews for existing captives providing opportunities for the captive to add more value to the client’s organization.

Prior to joining Captive Solutions, Tina was an associate client executive (ACE) in Marsh’s San Francisco Global Risk Management Department.

• BA, University of California San Diego (UCSD)

• MBA, Haas School of Business, University of California Berkeley – Class of 2017


Cyber Insurance Market Update

Liz Limjuco, VP, Marsh


Cyber Insurance

Cyber Attacks: A Growing Global Risk

• Costs businesses $400B+ per year

• The world is becoming more dependent on the internet - with the quantity of data in circulation apparently doubling each year and estimates that there will be 50 billion connected devices in the world by 2020 – 6.5 devices for every person on the planet. [1]

[1] Marsh & McLennan Companies CYBER RISK HANDBOOK 2015


Cyber Insurance

Who is at risk?

Variables:

• Credit Card Information

• 64% of retail breaches were e-Commerce

• 27% were Point of Sale

Source: Trustwave 2015


Cyber Insurance

You Know You are Under Attack When…

Are you under attack?:

• 19% Self Detection

Source: Trustwave 2015


Cyber Insurance

Main Costs and Loss Items

Government Regulators


Cyber Insurance

Understanding the Gaps in Coverage

TYPES OF POLICIES

• General Liability

• Property

• Errors and Omissions

• Fidelity and Crime

• D&O


Cyber Insurance

How Does a Cyber Policy Fill Gaps in Traditional P&C Policies

For clients that DO NOT purchase a stand alone Cyber policy, these are likely exposures they are self-insuring.

Legend: Not typically covered / Covered in some cases / Typically covered


Cyber Insurance

What’s happening in the insurance market today?

Trends & Developments

• Standalone Cyber Insurance

• Increasing Limits

• Larger Losses

• Abundant Capacity

• Pricing Pressures

• Business Interruption / Property Damage

• Cyber Extortion

• Social Engineering


Cyber Insurance

Current State of Underwriting

• Growing Market

– Gross written premiums expected to increase from $2.5B in 2014 to $7.5B in 2020.

– Capacity remains steady at approximately $500M.

– New area of opportunity in otherwise soft Property and Casualty markets.

– Traditional or “legacy” Cyber insurers threatened by naïve capacity.

• Opportunity Riddled With Uncertainty

– Where else (which policies) are insurers exposed to Cyber claims?

– Uncertainty in some industries is driving conservative pricing.

– Aggregation and concentration continue to be a major concern.


My Cyber Story

Grace M. Crickette, CGEIT, CCEP, ARM & AVP Business Operations – San Francisco State University


• Tell my story: captive experience and cyber experience


DISRUPTIVE INNOVATION:

Emerging technologies will be the dominant driver of disruptive innovation, bringing significant opportunities and threats.

DISRUPTIVE INNOVATION:

How can your Captive be a dominant driver in providing cyber insurance and address the information technology opportunities and threats facing your organization?

Cyber + Captive =


CAPTIVE CAPABILITY

• Help manage volatility in retained risk positions between silo’d infrastructure

• Provide coverage to stakeholders who don’t fit in self-insured trust mechanisms

• Support development of revenue generating insurance activities

• Support enterprise risk management efforts by building mutually beneficial insurance infrastructures for various stakeholders

• Capitalize on enterprise risk management expertise

CISO’S PAIN

• The Insurance Program is not aligned with the improvements that need to be made

• The Insurance Program coverage is limiting

• The Business Partners that will bring innovation to our IT Architecture don’t meet our insuring requirements, impeding progress

• Vendor Management capabilities are insufficient

• Difficulty communicating the Risk Environment and ROI on security measures to Leadership and the Board

What Information Technology Operational or Strategic Challenges are you able to solve leveraging the Captive?


A Match Made in Paradise?


• Leverage your Captive to provide insurance coverage that provides a holistic cover for Information Technology

• Leverage your Captive to address issues associated with Information Technology Partners

• Leverage your Captive to drive the Governance of Enterprise Information Technology


How to Find Cyber Insurance for the Uninsurable


When the University of California sought cyber liability insurance, it found no one wanted to write the coverage. Chief Risk Officer Grace Crickette shares how her two years of persistence paid off in finding a Lloyd’s syndicate that reverse underwrote the coverage — paying claims only as long as they meet certain standards.

http://www.insurancejournal.tv/videos/5186/

(handout to be provided)


Opportunity: Your Computer on Wheels

Here are some things connected cars can do now—or will be able to do in a few years


Outside the Firewall


IT Risk Mitigation


• Frameworks (risk assessments)

• Vulnerability analysis

• Penetration and Controls testing

• Internal corporate processes and culture:

o IT Risk committee

o Training and awareness

o Contractual risk transfer

o Financial risk transfer

o Incident response plan

o Claims process

o IT and Security protection (encryption, device tracking)


SERMP


Appetite and Tolerance

Develop Risk Appetite & Tolerance Statements

• Technology

• Appetite Statement: We have a low risk appetite for continuing with outdated and legacy systems; we have a high tolerance for moving forward with new systems even with some element of risk in execution and performance.

• Tolerance: We evaluate new systems for potential “bugs” and disruption and we will not tolerate launching a system that is known to cause disruption for more than 4% of our Customers.

• Action: On systems where the review indicates a known disruption of more than 4% of Customers, we will delay deployment.


Appetite and Tolerance

Develop Risk Appetite & Tolerance Statements

• Safeguarding Information

• Appetite Statement: We have a very low Risk Appetite for privacy or security breach of Protected Information, balanced with a need to have timely and accurate Customer information in order to better serve our Customers.

• Tolerance: We will ensure over the next year that all of our systems and processes (cyber or non-cyber) and 3rd Party providers have the appropriate safeguards in place.

• Action: Compliance reports will be monitored by the Executive Team and progress will be reported to the Board.


Monitoring & Reporting

Sample Board Report

Data / Systems Security

Data / Systems Security: Ability to safeguard data and critical operational data.

| Metric | Target | Actual |
| PCI Compliance: % of Compliance | 100% | 86.9% |
| Security Risk Management Program: % of Completion | 100% | 40% |
| ISO Compliance: % of compliance with ISO 27001 / 27002 | 95% | Not Available |

Score: 63%

Management Mitigation Plan: The execution of a 27-point plan to lock down intrusion detection and protection is underway; The Security Risk Management Framework is underway and will be updated quarterly; Assess systems against ISO 27001/27002.

Accountable Executive: CIO


Where to Learn More

• http://www.microsoft.com/atwork/security/

• http://www.insurancejournal.tv/videos/8466/

• http://privacyguidance.com/myblog.html The Privacy Professor Blog

• http://www.ponemon.org/ Ponemon Institute

• http://www.wileyrein.com/professionals.cfm?sp=bio&id=145#pub Kirk Nahra


Cyber + Captive

Tina Summers, Senior Vice President

Marsh Captive Solutions


Cyber Insurance

How Can a Client Use a Captive for Cyber Risk?

Diagram labels: Retention/Deductible; 1st and 3rd Party Cyber Liability Insurance Risk Transfer Program; Excess CAT Limits; Uninsurable Risks; Self Insured Risk Transfer; Ventilated Layer Limit; Fronted Program with Commercial Carrier; 1st Party OR 3rd Party Exposure Self-insured.

Captive options numbered in the diagram:

1. Captive

• Reimbursement Policy for SIR/Deductible

2. Captive

• Policy for exposures insurer will not cover

• Possible access to reinsurance markets

3. Captive

• Policy for Excess Limits

• Possible access to reinsurance capacity

4. Captive

• Quota Share or Limit for layer within risk transfer program

5. Captive

• Quota Share or Limit for layer within risk transfer program

6. Captive (Fronted Program with Commercial Carrier)

• Reinsures front


BENEFITS OF USING CAPTIVE FOR CYBER

• Market pricing is cost prohibitive and company feels retaining risk is a more efficient use of capital

• Smooths the volatility of retained losses and dampens balance sheet impact by segregating funds in the form of premiums to pay potential losses

• Captive captures and quantifies all loss costs versus expenses within the retention being siloed among the various claim stakeholders (i.e. IT, legal, PR, risk, finance, customer service, etc.)

• Access reinsurance for potentially broader coverage

• Write coverage for gaps in risk transfer policy (some risks are uninsurable in the current market place)

• Utilize captive surplus for Cyber Business Interruption Quantification (CBIQ) analysis

• Solve operational issues: coverage for 3rd party providers & align insurance underwriting with IT Governance and Strategy
