Certificate of Insurance Network Security Privacy Liability and Insurance August 20, 2015


Page 1: Certificate of Insurance Network Security Privacy ... · CERTIFICATE OF INSURANCE IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must be endorsed

Certificate of Insurance

Network Security, Privacy Liability and Insurance

August 20, 2015

Page 2: CERTIFICATE OF INSURANCE (section title slide)

Page 3: Certificate of Insurance

CERTIFICATE OF INSURANCE                                   Date: 07/21/2015

IMPORTANT: If the certificate holder is an ADDITIONAL INSURED, the policy(ies) must be endorsed. If SUBROGATION IS WAIVED, subject to the terms and conditions of the policy, certain policies may require an endorsement. A statement on this certificate does not confer rights to the certificate holder in lieu of such endorsement(s).

THIS CERTIFICATE IS ISSUED AS A MATTER OF INFORMATION ONLY AND CONFERS NO RIGHTS UPON THE CERTIFICATE HOLDER. THIS CERTIFICATE DOES NOT AFFIRMATIVELY OR NEGATIVELY AMEND, EXTEND OR ALTER THE COVERAGE AFFORDED BY THE POLICIES BELOW. THIS CERTIFICATE OF INSURANCE DOES NOT CONSTITUTE A CONTRACT BETWEEN THE ISSUING INSURER(S), AUTHORIZED REPRESENTATIVE OR PRODUCER, AND THE CERTIFICATE HOLDER.

PRODUCER: Faulkner, Williams, & Wilson, 6721 Baum Drive, Knoxville, TN 37919
CONTACT NAME: Eric D. Faulkner, ARM, CIC
PHONE: 865-450-9170   FAX: 865-450-9174   EMAIL ADDRESS: (blank)

INSURED: East Tennessee Foundation, 520 W. Summit Hill Dr., Suite 1101, Knoxville, TN 37902

INSURER(S) AFFORDING COVERAGE (NAIC #):
INSURER A: Westfield Insurance Co. (17558)
INSURER B, C, D, E, F: (none listed)

Page 4: Certificate of Insurance – Coverages

COVERAGES (ACORD form columns: INSR LTR | TYPE OF INSURANCE | ADDL INSD | SUBR WVD | POLICY NUMBER | POLICY EFF | POLICY EXP | LIMITS)

A  [X] COMMERCIAL GENERAL LIABILITY   [ ] CLAIMS-MADE  [X] OCCUR
   ADDL INSD / SUBR WVD: X (see Description of Operations on the next page)
   Policy number: CWP 4050419   Effective: 08/15/2014   Expiration: 08/15/2015
   Limits:
     EACH OCCURRENCE                              $1,000,000
     DAMAGE TO RENTED PREMISES (EA OCCURRENCE)      $500,000
     MED EXP (Any one person)                         $5,000
     PERSONAL & ADV INJURY                        $1,000,000
     GENERAL AGGREGATE                            $2,000,000
     PRODUCTS – COMP/OP AGG                       $2,000,000
     OTHER: RENTED PR                               $500,000
   GEN'L AGGREGATE LIMIT APPLIES PER: [X] POLICY  [ ] PROJECT  [ ] LOC

   AUTOMOBILE LIABILITY
   [ ] ANY AUTO  [ ] ALL OWNED AUTOS  [ ] SCHEDULED AUTOS  [X] HIRED AUTOS  [X] NON-OWNED AUTOS
   Policy number: CWP 4050419   Effective: 08/15/2014   Expiration: 08/15/2015
   Limits:
     COMBINED SINGLE LIMIT (EA ACCIDENT)          $1,000,000
     BODILY INJURY (Per Person)                   (blank)
     BODILY INJURY (Per Accident)                 (blank)
     PROPERTY DAMAGE (Per Accident)               (blank)

   [X] UMBRELLA LIAB   [X] OCCUR
   [ ] EXCESS LIAB     [ ] CLAIMS-MADE
   Policy number: CWP 4050419   Effective: 08/15/2014   Expiration: 08/15/2015
   Limits:
     EACH OCCURRENCE                              $5,000,000
     AGGREGATE                                    $5,000,000
   [ ] DEDUCTIBLE  [X] RETENTION $0

   WORKERS COMPENSATION AND EMPLOYERS' LIABILITY: N/A
   ANY PROPRIETOR/PARTNER/EXECUTIVE OFFICER/MEMBER EXCLUDED? (Y/N; mandatory in NH) If yes, describe under DESCRIPTION OF OPERATIONS below
   [ ] PER STATUTE  [ ] OTHER
     E.L. EACH ACCIDENT / E.L. DISEASE – EA EMPLOYEE / E.L. DISEASE – POLICY LIMIT: (blank)

Page 5: Certificate of Insurance – Description of Operations

DESCRIPTION OF OPERATIONS / LOCATIONS / VEHICLES (ACORD 101, Additional Remarks Schedule, may be attached if more space is required):

The City of Knoxville, its officials, officers, directors, employees and volunteers, as well as Total Race Solutions, P.O. Box 30667, Knoxville, TN 37930, are included as Additional Insured as respects General Liability, and Waiver of Subrogation applies, as respects the event: 5K Road Race to Benefit the Butterfly Fund of East Tennessee Foundation, to be held August 15, 2015.


Page 6: ENDORSEMENT

Page 7: Network Security, Privacy Liability and Insurance (section title slide)

Page 8: Global Privacy Breaches*

[Chart: Global Privacy Breaches. The chart data is not reproduced in this transcript.]

* Source: Risk Based Security / Open Security Foundation, data as of 12/31/2014.

Page 9: What is Different Today?

Familiar mediums: SQL injection; spear phishing; malware, spyware and ransomware (e.g., CryptoLocker); denial of service attacks; web site defacement.

New culprits: loosely formed groups of people who are very good at hacking and work together to do so (e.g., Anonymous, LulzSec, Lizard Squad); state actors (China, Iran, …, Israel, Russia, North Korea, APTs).

New information targeted: corporate data and trade secrets; inside information; embarrassing information; corporate weaknesses.

New targets: automobiles, the Internet of Everything, smartphones, medical devices, the cloud.

Page 10: Network Security / Privacy Data Risk

What type of sensitive data do you collect?
● Personally Identifiable Information (PII): name, SS#, address, financial
● Protected Health Information (PHI): medical information
● Employee data
● Corporate confidential information

Where is sensitive data stored?

How well is sensitive data protected?

How long do you store sensitive data?

What is a Data Breach Incident?
● Wrongful disclosure
● Unauthorized acquisition
● Security failure or data compromised

Page 11: Source of Potential Data Breach

Exposures that lead to a potential Data Breach, by source:

Criminal Hackers
● Theft of intellectual property
● Patience is a virtue: tactics have evolved from "hit and run" to "infiltrate and stay"
● Industrialization: black markets exist for all types of personal information

Hacktivists
● Intent is to disrupt and/or embarrass a target
● Motivations are fickle and unpredictable
● Massive DDoS attacks

Negligent Insider
● Unwary insiders susceptible to attacks that exploit traditional security controls (e.g., spear phishing)
● Proliferation of mobile platforms and BYOD policies creates new vectors
● Users who fail to embrace a "culture of security" will find ways to circumvent "inconvenient" security controls

Malicious Insider
● Access controls and behavior monitoring insufficient to detect insider threats
● Growing incentive for insiders to abuse access to sensitive data for financial gain
● Disgruntled current and former employees exploit back-doors

Cloud or 3rd Party Compromise
● Security compromise: loss of sensitive client data
● Infrastructure downtime may lead to a Dependent Business Interruption claim

Page 12: Complex Regulatory Landscape

● State laws/regulation
  ● Breach notification: 47 states and counting
  ● PII – Personally Identifiable Information: SS#, account numbers and PINs, name, address, DL#s, CC#s
● Federal
  ● HIPAA/HITECH
    ● PHI – Protected Health Information: insurance claim forms, health care information, explanations of benefits, notes, conversations
  ● FTC
  ● SEC/GLB
● EU Data Privacy Directive
● Canada
  o PCI-DSS compliance with the merchant agreement

Page 13: Data Breach Consequences

Third and First Party Claims
● Notification and call center costs
● Legal – "Breach Coach"
● Computer forensic investigation
● Credit monitoring and ID theft costs
● Public relations/crisis management
● Civil penalties and fines
● Class action suits
● Legal defense costs:
  o Civil, regulatory and possibly criminal defense
  o Data privacy counsel can cost $500 per hour; a major data breach will cost millions in legal costs
● Business interruption costs/data damage

Page 14: Stakeholders are Important – Why?

● Board/Leadership Team
● Employees
● Residents/Customers/Clients
● CIO/IT/CISO
● Attorney General/General Counsel
● Chief Financial Officer
● Risk Management

Page 15: What about the Board?

Five Principles that the Board should consider:

1. Cyber-risk is more than just an IT issue: it is a key component of enterprise risk management, requiring board-level oversight.

2. Cyber risks have important legal ramifications, which directors need to understand.

3. Cyber-risk should be a topic of regular board discussion, and boards need access to the expertise to engage with cyber-risk issues.

4. Directors should ensure management implements an effective cyber-risk framework for the company.

5. The board and management should assess cyber-risk just like other enterprise-level risks; ensuring a specific determination is made of which aspects of cyber-risk to accept, avoid, mitigate or insure against.

Source: NACD Report, 2014

Page 16: Privacy/Network Liability Coverage

Liability Coverage:
● Privacy Liability
● Network Security Liability
● Media and Content Liability
● Regulatory Liability
● Technology E&O

Direct (Loss Mitigation – First Party) Coverage:
● Data Breach Expenses: notification, forensics, credit monitoring/ID theft monitoring, public relations expenses, legal "Breach Coach"

Direct (First Party) Coverage:
● Business Income Loss (Network Security)
● System Failure
● Data Reconstruction
● Extortion Costs

Page 17: Cyber Risk Gaps in Traditional Insurance

[Matrix of traditional policy lines (Property, General Liability, Crime/Bond, K&R, E&O, Cyber/Privacy) against the risks below; each cell was color-coded as Coverage Provided, Limited Coverage, or No Coverage. The cell values are not preserved in this transcript.]

1st Party Privacy/Network Risks:
● Physical damage to data
● Virus/hacker damage to data
● Denial of service attack
● B.I. loss from security event
● Extortion or threat
● Employee sabotage

3rd Party Privacy/Network Risks:
● Theft/disclosure of private info
● Confidential corporate info breach
● Technology E&O
● Media liability (electronic content)
● Privacy breach expense/notification
● Damage to 3rd party's data
● Regulatory privacy defense/fines
● Virus/malicious code transmission

Legend: Coverage Provided / Limited Coverage / No Coverage

What about D&O?

Page 18: Type of Coverage – 3rd Party Coverage

Network and Privacy Liability – coverage for:
• Claims arising from unauthorized access to data containing identity information
• Failure to protect non-public information (PII/PHI/corporate confidential information) in your care, custody and control
• Transmission of a computer virus, and liability associated with the failure to provide authorized users with access to the company's website

Media Liability (including online and offline media) – coverage for claims arising from online/offline content:
• Libel
• Slander
• Defamation
• Emotional distress
• Infringement of copyright/trademark/etc.
• Invasion of privacy

Page 19: Type of Coverage – 3rd Party Coverage (continued)

• Technology Products/Services Errors & Omissions – coverage for claims arising from the failure of a technology product or service to perform as indicated.
• Regulatory Liability – coverage for state/federal/international fines and penalties.

Page 20: Type of Coverage – 1st Party Coverage

• Crisis Management/Security Breach Remediation and Notification Expenses – coverage for:
  • Crisis management expenses: expenses to obtain legal assistance to navigate the event, determine which regulatory bodies need to be notified and which laws would apply
  • Public relations services to mitigate negative publicity as a result of cyber liability
  • Forensic costs incurred to determine the scope of a failure of network security and determine whose information was accessed
  • Notification to those individuals of the security breach
  • Credit monitoring
  • Call center to handle inquiries
  • Identity fraud expense reimbursement for those individuals affected by the breach

Page 21: Type of Coverage – 1st Party Coverage (continued)

• Computer Program and Electronic Data Restoration Expenses – coverage for expenses incurred to restore data lost from damage to computer systems due to a computer virus or unauthorized access
• Cyber Extortion – coverage for money paid due to threats made regarding an intent to fraudulently transfer funds, destroy data, introduce a virus or attack a computer system, or disclose electronic data/information
• Business Interruption and Additional Expense – coverage for loss of income, and the extra expense incurred to restore operations, as a result of a computer system disruption caused by a virus or other unauthorized computer attack

Page 22: Cyber Insurance Markets

A Maturing Market:
• Underwriting expertise and creativity
• Sample markets: ACE, Travelers, Navigators, AXIS, Chubb, One Beacon, Beazley, AEGIS, RLI, AIG, HCC, Swiss Re, Zurich, Torus, Hiscox, C.N.A., Ironshore, XL, AWAC, Liberty, London Markets
• Over 60 insurers writing coverage – a very robust market
• Substantial claims paid without insurers withdrawing from the market
• Recognized underwriting standards
• Estimated $1B premium volume moving to $5B

VALUE – EXPERTS, PROFESSIONALS, RE-ACTIVE & PRO-ACTIVE

Page 23: Privacy Liability – Cost per Affected Record (Breach Calculator)

Willis Estimated Data Breach Costs (based on number of affected individuals compromised). All amounts in US dollars; columns are the number of affected individuals (PII records).

Affected individuals (PII records) | 1,000 | 10,000 | 100,000 | 500,000 | 1,000,000 | 10,000,000 | 100,000,000

Forensics Investigation | 30,000 | 100,000 | 200,000 | 400,000 | 750,000 | 1,000,000 | 2,000,000
Data Breach Coach | 10,000 | 40,000 | 60,000 | 100,000 | 120,000 | 200,000 | 300,000
Public Relations | 0 | 20,000 | 40,000 | 80,000 | 200,000 | 800,000 | 1,500,000
Breach Expenses (Forensics/Crisis) subtotal | 40,000 | 160,000 | 300,000 | 580,000 | 1,070,000 | 2,000,000 | 3,800,000

Customer Notification | 2,000 | 15,000 | 150,000 | 625,000 | 1,000,000 | 9,000,000 | 50,000,000
Call Center | 1,000 | 15,000 | 100,000 | 500,000 | 800,000 | 5,000,000 | 20,000,000
Credit Monitoring | 4,500 | 45,000 | 450,000 | 2,250,000 | 2,500,000 | 25,000,000 | 250,000,000
Identity Fraud Remediation | 1,000 | 10,000 | 100,000 | 250,000 | 500,000 | 1,000,000 | 5,000,000
Breach Expenses (Notice/Credit Monitoring) subtotal | 8,500 | 85,000 | 800,000 | 3,625,000 | 4,800,000 | 40,000,000 | 325,000,000

Breach Expense Total | 48,500 | 245,000 | 1,100,000 | 4,205,000 | 5,870,000 | 42,000,000 | 328,800,000
Breach expense cost per record | 48.50 | 24.50 | 11.00 | 8.41 | 5.87 | 4.20 | 3.29

State Regulatory (AG) | 0 | 0 | 250,000 | 250,000 | 500,000 | 1,000,000 | 5,000,000
Federal Regulatory (FTC, HHS) | 0 | 10,000 | 150,000 | 1,500,000 | 1,500,000 | 5,000,000 | 10,000,000
Regulatory Defense/Fines subtotal | 0 | 10,000 | 400,000 | 1,750,000 | 2,000,000 | 6,000,000 | 15,000,000
PCI Fines | 0 | 10,000 | 20,000 | 100,000 | 432,800 | 432,800 | 432,800

Legal Defense/Damages | 25,000 | 100,000 | 500,000 | 2,000,000 | 2,500,000 | 10,000,000 | 50,000,000
Card Reissuance Liability | 9,000 | 80,000 | 600,000 | 3,000,000 | 4,664,000 | 4,664,000 | 4,664,000
Civil Liability subtotal | 34,000 | 180,000 | 1,100,000 | 5,000,000 | 7,164,000 | 14,664,000 | 54,664,000

Privacy Liability Total (Regulatory + PCI Fines + Civil Liability) | 34,000 | 200,000 | 1,520,000 | 6,850,000 | 9,596,800 | 21,096,800 | 70,096,800

Total Data Breach Cost (Breach Expense Total + Privacy Liability Total) | 82,500 | 445,000 | 2,620,000 | 11,055,000 | 15,466,800 | 63,096,800 | 398,896,800
Per record cost | 82.50 | 44.50 | 26.20 | 22.11 | 15.47 | 6.31 | 3.99

Assumptions:
• Credit monitoring: $15 per individual (5–15% take-up rate)
• Identity fraud remediation: $100–$500 per affected individual (less than 1% typically require fraud remediation)

Page 24: PRISM – Privacy Risk Insurance Strategy Model – Sample

Page 25: PRISM – Privacy Risk Insurance Strategy Model – Sample (continued)

Page 26: Benchmark Sample

Benchmark Report
Industry: Retail
Product: E&O
Parameters: $1B – $45B

Statistic | Total Limits | SIR/Deductible
Average | $31,153,846 | $1,003,846
First Quartile | $10,000,000 | $312,500
Median | $20,000,000 | $1,000,000
Third Quartile | $40,000,000 | $1,000,000
Maximum | $150,000,000 | $5,000,000
Minimum | $5,000,000 | $100,000
Count | 26 | 26

First Quartile: one quarter of the observations are at or below this value.
Median: half the observations are less than or equal to this value, half are greater.
Third Quartile: three quarters of the observations are at or below this value.

[Chart: Total Limits (axis $0 to $45,000,000) and SIR/Deductible (axis $0 to $1,200,000) for the 26 observations.]

Page 27: Case Studies

Data Breach Case Study #1 – Target*
Date: Nov. 27 – Dec. 15, 2013
• 40 million: number of credit and debit cards stolen
• 70 million: number of records stolen with Personally Identifiable Information (PII)
• 46%: drop in profit in the 4th quarter
• $200 million: cost to financial institutions to reissue stolen cards
• $100 million: amount earmarked for new POS terminals with chip-and-PIN technology
• $88 million: total losses, including expenses, net of insurance recoveries

* Source: "The Target Breach, by the Numbers", Krebs on Security, published May 6, 2014.

Data Breach Case Study #2 – Home Depot
Date: April – Sept. 2014
• 56 million: number of credit and debit cards stolen, as well as 53 million email addresses
• TBD: drop in profit – this is NOT expected to be significant
• $90 million: cost to community banks to reissue stolen cards
• $43 million: spent to mitigate the event, as disclosed to date
• $100 million: estimated expenses, net of insurance recoveries

Page 28: Best Practices

• Maintain a risk transfer instrument
• Have a proper background screening program for new hires and vendors
• Pre-arrange breach service providers, outside counsel and a reputational risk advisor, all specializing in privacy law and breach crisis management
• Provide "certification" through e-learning to the employee base on safeguarding data
• Develop an incident response plan
• Encryption
• Conduct annual risk assessments and tabletop exercises
• Hold an internal "Privacy Summit" to identify vulnerabilities, with Risk Management, Compliance and Privacy, HR, Legal, IT, Administration and the CFO

Page 29: Best Practices, Cont.

• Keep the General Counsel's office current on state disclosure laws, federal regulations, foreign requirements and updates
• Maintain an effective vendor security management program
• Utilize data encryption in appropriate sensitive data settings
• Ensure that user access controls are current, effective, and audited regularly
• Utilize effective vulnerability scanning and penetration testing capabilities to detect potential exploit/compromise possibilities ahead of actual attempts
• Employ layered and/or multi-vendor solutions where feasible
• If original application development exists, ensure that it occurs in compliance with secure coding practices (OWASP)
• If Bring-Your-Own-Device (BYOD) is in place, ensure effective use of a contemporary Mobile Device Management (MDM) solution

Page 30: Our Differentiators

• INSURANCE PROGRAM GAP ANALYSIS
  • Assess and outline the gaps or deficiencies in your traditional insurance policy, highlighting those areas potentially addressed in a cyber policy
• ANALYTICS TRIFECTA
  • DATA BREACH CALCULATION: using the Willis Data Breach calculator, we assess your potential breach costs
  • PEER GROUP BENCHMARK: utilizing basic placement details, we are able to provide you with a comparison of basic program features against relative peer companies
  • Conduct analytics based on Monte Carlo simulation to model loss probability and program comparisons. This helps clients decide how much cyber insurance would provide value for the premium spent
• PRISM ANALYSIS – PRIVACY RISK INSURANCE STRATEGY MODEL USING CCOR

Page 31: Our Differentiators

Willis is focused on being the broker authority in the cyber space:
• Team of 20 professionals within the U.S. focused on cyber
• Developed proprietary models to assess privacy risk and limit adequacy
• Dedicated cyber claim professionals who work with you to ensure your event is being handled properly
• Proactive assistance in evaluating your individual needs, risks and exposures
• Collaborate with your team on manuscript language to ensure your specific operations, risks and exposures are covered properly
• Provide contractual advice and guidance related to cyber issues with customers, partners and vendors
• Assist with executive and board presentations

Page 32: Our Differentiators – We HAVE handled Cyber Claims

Number of claims:
• We have handled 360 cyber claims
• Responses varied from full-limits loss coverage to outright denials
• The number of covered claims has far outweighed those where coverage was denied either wholly or substantially
• In short, the coverage works

Claim success involving various types of cyber exposure/loss:
• Legal liability to others for computer security breaches
• Legal liability to others for privacy breaches
• Legal liability from systems errors
• Notification and monitoring costs in response to a systems breach
• Privacy regulatory actions and scrutiny
• Loss or damage to data/information
• Loss of revenue due to a computer attack
• Loss of revenue due to programming or systems errors
• Extra expense to recover from/respond to a computer attack
• Loss or damage to reputation
• Cyber-terrorism

Page 33: Our Differentiators – We HAVE handled Cyber Claims (continued)

Continued – coverage issues encountered:
• Known claims or prior acts before policy inception
• Items intended to be covered by other traditional policies
• Circumstances that fall outside the definitions of "Privacy Event" and "Confidential Information"
• Patent/trade secret violations
• Insured v. Insured exclusion
• Claims-process-related defenses (late notice, lack of cooperation, failure to use panel counsel, etc.)
• Narrow scope of coverage for PCI fines and penalties
• Breach involved a third-party system

What we have learned:
• Policy wording is critical
• Forms vary on key coverage terms
• Early involvement of the insurer is critical
• Insurers usually must consent to any privacy or breach notification counsel and to the retention of a forensic IT vendor to investigate the facts of the breach/loss
• Insurers frequently have panels or lists of pre-approved breach counsel and IT vendors who can provide a prompt response, usually at preferred rates
• All avenues of coverage must be explored, as an incident frequently will involve first-party loss, actual or potential third-party loss, crisis loss and regulatory investigations
• Insurer notifications must be tailored accordingly
• If there is an incident that is highly confidential and non-public, there are certain steps we can take when providing notice to narrow the circle of knowledge

Page 34: Our Differentiators – Adding Value Pre/Post Claim

Page 35: What is the Application Process?

Completing applications will require gathering information from many parts of your organization, in addition to Risk Management:

• IT and Network Security teams
  • Information about the types of technology your organization uses
  • Outside vendors and cloud providers that touch your networks
  • Details on your monitoring capabilities and third-party audits
• Finance
  • Revenues
  • Customers, demographics
  • Other organizational issues
  • Input into your desired program structure as you evaluate the different levels of risk transfer (premium, limits, deductibles and scope of coverage)
• Legal
  • Information on contractual protections
  • What your customers are demanding from you, and what you are demanding of your vendors in your contracts
  • Underwriters are very focused on how successful companies are in limiting their liability, and how aggressively they are seeking indemnity from vendors
  • Information on your privacy policies, relationships with privacy counsel, and any breach response planning that has happened to this point

Page 36: The Willis Advantage – We Are The Industry Leader Globally

E&O and Information Risk Product Team of 20 specialists in the US and 25 outside the US focused on Privacy, Network Security, Media, Technology, E&O and Intellectual Property risk and insurance
• Multidisciplinary experience including broking, underwriting, law, IT, claims, alternative risk transfer and finance
• 20 years average experience

Restaurants – Darden
Hotels – Radisson
Retail – TJX, Staples, Best Buy, Polo
Pharmacies – Rite Aid
Exchanges – NYSE
Financial Services – American Express, Discover
Card Processing – Global Payments
Securities Dealers – Schwab
Airlines – US Airways
Investment Banks – Morgan Stanley
Banks – Citizens Financial
Law Firms – Baker & McKenzie
Insurance – ACE, Hartford, Tokio Marine
Software – BMC
Hardware – TruePosition, Amkor
Manufacturing – 3M
Media – Hachette
Advertising – Publicis
Higher Education – Emory University
Title Insurance – Fidelity National Financial (FNF)
Consumer Goods – Kimberly Clark
Managed Care – Humana
Hospitals – Kaiser Permanente
Casinos – Wynn Resorts
ISP – Time Warner Cable
Consulting – Boston Consulting

Page 37: For More Information

Contacts:

Dee Anderson, Client Advocate, (865) 583 3740, [email protected]

Steven McGhee, Client Advocate, (865) 583 3752, [email protected]