hub international nonprofit executives' workshop slides 031816 final
TRANSCRIPT
Cyber Risk in the Nonprofit Organization
Threats, Laws, and Remedies
Nonprofit Executives’ Workshop
March 18, 2016
Agenda
• Welcome and opening remarks (Scott Konrad)
• State of Cybersecurity (Mike Zusman)
• Data breaches: trends, the regulatory landscape, and incident response (John Farley & Andy Obuchowski)
• BREAK
• Insuring against Cyber Risk: an underwriter’s view (Peter Castillo)
• Marketplace update and Cyber insurance buyer’s guide (Tony Giordano)
• Q&A, wrap-up and evaluations
Why Worry About Risk?
• “Fraud Alert: Criminals Test Stolen Credit Card Numbers on Charity Websites” (09/17/15)
• “Heritage Foundation Donor Data Possibly Taken in Hack Attack” (09/03/15)
• “Planned Parenthood Claims Cyber Attack” (07/30/15)
• “Urban Institute Hack Could Involve Nonprofits’ Tax Data” (02/20/15)
• “Suspected Pro-ISIS Group Hacks Calif. Aid Charity” (01/08/15)
Why Worry About Risk?
• “Goodwill, Feds Investigate Possible Data Breach” (07/22/14)
• “Open Records Activist Shuts Down Nonprofit Data Website in Protest” (06/16/14)
• “Data Breach Affects 9,700 at MD Nonprofit Serving Disabled” (03/18/14)
• “Healthcare is Largest Sector Targeted in Cyber Attacks” (02/20/14)
• “2 Convio Clients Hit in Security Breach” (11/06/07)
Online Giving: The New Frontier
• 1,018,464 donors
• 1,845,806 donations
• $212,215,508 donated
• 30,948 nonprofit organizations
• Heaviest in December
• Online = 9.2% of total giving
• Expanding mobile payment capabilities
• Crowdfunding projected at $6B for social causes in 2016
  – Double 2014 giving
Source: Chronicle of Philanthropy, January 2016
Costs of Cyber Risk
• Reputational damage
• Diminished financial support
• Impaired stakeholder relations
• Greater scrutiny
• Direct breach response costs
• Fines and penalties
• Civil liability
• Higher insurance costs
  – Premiums
  – Deductibles/self-insured retentions
The State of Cybersecurity
So You Think You’re Bulletproof?
Mike Zusman
Founder & President
Carve Systems, LLC
Carve Systems - History
Founded 2011
Carve Systems – Our Work
• Penetration testing
• Consulting (risk assessment, architecture review, SDLC enhancement, training)
• 70% of business is telecom related
• 30% spread across Ecommerce, Finance, Non-Profit, Agriculture, Tech, etc.
• Full stack “IoT” security assessment services
  • Embedded
  • OS/Platform/Cloud
  • Web/API/Application
  • Mobile
  • Network
My First Security Job - 2004
Microsoft “PCT” Bug renders airgap useless.
Things Must Be Better Now…Right?
Engineers Make Mistakes
Source: Jeff Williams
Third-Party Risk & Attacker Goals
My Argument for Security
• We can’t rely exclusively on our vendors to magically provide “security.”
• Organizations must take responsibility for assessing and managing their own risk.
• Perfect security isn’t realistic – nor is it required.
Who Are the Players?
Prevent the 80%, Detect the 20%
Increasing level of sophistication
• The 80% - Casual Attacks: prevent these attacks
  – “Targets of opportunity”
• The 20% - Direct Attacks: detect these attacks
  – Motivated, well-funded, patient
Carve’s Top 3 Security Risks
1. Phishing, and spear-phishing
2. Uncontrolled external network perimeter (includes applications, IoT/M2M)
3. Insufficient internal access control
Bonus Risk: Insufficient security leadership & culture
Phishing Simulation #1
Phishing Simulation #2
Phishing Simulation #3
Network Perimeter Case #1
• Case Study: Fortune 50 firm demands security assurance from vendor
• Vendor: Hi-tech engineering firm (~150 people)
  – Engineers, software developers, admin staff
• High-value espionage target
  – Started “caring” about security too late
• Sensitive data belonging to Fortune 50 client leaked accidentally
  – Sensitive usernames, passwords, IP addresses ended up on the Internet
Network Perimeter Case #2
1. Google search: site:yourdomain.com
2. Go to the last page of search results and work backwards
Easy Wins
• Determine what you have on the Internet, and take down what isn’t necessary
  – Attack Surface Reduction
• Train your users about phishing attacks, and run simulations
  – Repeatable process, easy metrics
• Hire an outside firm to conduct a risk assessment
  – NIST Cybersecurity Framework
• (Maybe) Hire an outside firm to conduct penetration testing
What You Need Going Forward
• Someone to own Information Security
  – Can be a committee
  – Doesn’t need to be technical
  – Preferably external to IT team
• Situational awareness in terms of your technology
  – Why and how would someone attack your organization?
  – What can you detect and prevent?
• Incident response plan
  – IR firm retainer
  – Cyber policy
Important Concepts
1. Penetration Testing
  – The human act of trying to by-pass security controls and penetrate an application, network, or facility
2. Risk Assessment
  – A thought exercise to understand the risk potential of a system or undertaking
3. Vulnerability Scanning
  – The human act of pushing a button to start an automated, software driven probing of a target system or application
For More Information
Mike Zusman
Founder & President
Carve Systems, LLC
+1 (201) 916-4152 Mobile
[email protected]
carvesystems.com
@carvesystems
“Security is a process, not a state”
Data Breaches
Trends, The Regulatory Landscape & Incident Response
John Farley
Vice President, Cyber Risk Services
HUB International Northeast Limited
Andy Obuchowski, Jr.
Practice Leader | Digital Forensics & Incident Response Services
Director | Security & Privacy Consulting
RSM US LLP
Evolution of Cyber Risk
• Late 1990s: Viruses, network failures, and Y2K
• Mid-2000s: Large-scale hacks – payment cards and identity theft
• 2008: Theft of intellectual property & trade secrets; cyber espionage
• 2011: “Hacktivism” and politically-motivated attacks
• 2014: State-sponsored attacks, “Internet of Things,” national security concerns
Types of Data
• PII – Personally Identifiable Information
  – e.g., Name in combination with Social Security number, driver’s license number, bank account information, credit card information, online/financial account username and password
• PHI – Protected Health Information
  – Information relating to provision of healthcare, mental/physical condition, payment for provision of healthcare that identifies or can be used to identify individual
• PCI – Payment Card Industry Information
  – Cardholder data
• Intellectual Property
How Do Incidents Occur?
Phishing Attacks Succeed
Anatomy of a Breach Response: 1st Party
• Internal Client Issues
  – Internal reporting
  – Broker involvement
  – Insurance & deductible management
• Experts
  – Breach coach
  – Forensics
  – Credit monitoring
  – Notification firms/Call centers
  – Public relations
• Investigation: internal/forensic/criminal
  – How did it happen
  – When did it happen
  – Is it still happening
  – Who did it happen to
  – What was accessed/acquired (What wasn’t)
  – Encrypted/protected
• Notice Methods
  – Written
  – Electronic
  – Substitute
  – Media
• Deadlines
  – Can range from 15 days to “without reasonable delay”
• Inquiries
  – State regulators (i.e., AG)
  – Federal regulators (i.e., OCR)
  – Federal agencies (i.e., FTC, SEC)
  – Consumer reporting agencies
  – Plaintiffs
• Notice obligations
  – State
  – Federal
  – Other (i.e., PCI)
State Regulatory Exposures
State level breach notice: 47 states (plus Puerto Rico, DC, Virgin Islands) require notice to customers after unauthorized access to PII/PHI.
• Require firms that conduct business in state to notify resident consumers of security breaches of unencrypted computerized personal information
• Many require notification of state attorney general, state consumer protection agencies, and credit monitoring agencies
• Notice due from 15 days to “without unreasonable delay”
State Notification Trends
• Email & passwords = PII
• Less time to notify
• Credit monitoring required
• Written notice to attorney general in addition to individuals
• Written information security plan and encryption required
• July 7, 2015: 47 state AGs write to Congress, urging US to preserve state authority over data breaches
Common Causes of Action
• Fraud reimbursement
• Credit card replacement
• Credit monitoring/repair/insurance
• Civil fines/penalties
• Statutory damages (CMIA)
• Time
• Unjust enrichment
• Fear of ID theft
• Actual ID theft
• Mitigation costs
• Time spent monitoring
D&O Exposure - Allegations
• Board didn’t regularly address cyber risk or document discussions
• Security plan isn’t tailored to the organization’s specific risk profile
• No incident response plan
• Failure to mitigate damages post-breach
• Failure to train staff
Claim Costs (NetDiligence 2014)
• Average claim payout: $733,109
• Average cost per-record: $956.21
• Average cost for Crisis Services: $366,484
• Average cost for legal defense: $698,797
Data Governance
Data creates legal duties
• What data do you collect, and why?
• Where is it?
• How well is it protected?
• Who can access it?
• When do you purge it?
• How do you purge it?
Vendor Management
• Create a formal vendor management program
  – Regulatory compliance
  – Mitigation of legal, business, and reputational risk
• Require periodic cyber security audits
• Require employee background checks
• Address roles and responsibilities in breach response
• Insurance and indemnification language
• Establish a contingency plan to use alternate vendors
Incident Response Team
Roles & Responsibilities
• Identify
• Escalate
• Training/guidance
• Manage/conduct investigation
• Preserve documents/materials
• Assist law enforcement
• Submit progress reports
• Recommendations to avoid future incidents
• Issue final report
Interdisciplinary Approach
• Information Technology
• Information Security
• Compliance/Risk Management
• Human Resources
• Operations
• Legal
• Development/External Affairs
• Finance
• Privacy
• Program
Data Breach Life Cycle
Best Practices Checklist
• Cybersecurity governance and risk management – Board engagement
• Cybersecurity risk assessments
• Technical controls
• Incident response planning
• Staff training
• Cyber intelligence and information sharing
• Third-party/vendor management
• Cyber insurance – risk financing tool
For More Information
John Farley
Vice President, Cyber Risk Services
HUB International Northeast Limited
+1 (212) 338 2150 Direct
[email protected]
Andy Obuchowski, Jr.
Practice Leader | Digital Forensics & Incident Response Services
Director | Security & Privacy Consulting
RSM US LLP
+1 (508) 922-4770
[email protected]
Insuring Cyber Risk
An Underwriter’s Perspective
Peter Castillo
Vice President, Financial Lines
Chubb Group
Chubb. Insured.
Disclaimer
The material presented in this presentation is not intended to provide legal or other expert advice as to any of the subjects mentioned, but rather is presented for general information only. You should consult knowledgeable legal counsel or other knowledgeable experts as to any legal or technical questions you may have. Further, the insurance discussed is a product summary only. For actual terms and conditions of any insurance product, please refer to the policy. Coverage may not be available in all states.
March 18, 2016
2016 Threat Predictions
From Cyber Security Leadership
“…a trusted name in security will be utterly and embarrassingly hacked in 2016...” – Hackett, Fortune Tech
“…the year of online extortion. Cyber extortionists will devise new ways to target its victim’s psyche to make each attack personal..” – Trend Micro
“Organizations need to realize that financial gain is no longer the only or even the biggest driver of some of their adversaries.” Amit Yoran, RSA
“…the pressure to do something at the federal level will provide politicians an attractive issue in an election year…” – Hill, STEALTHbits Technologies
HUB Nonprofit Executives’ Workshop
“We’ve noticed patterns of (claims) trends that would better suit our clients if we were transparent and if we showed them where incidents went awry…” – Michael Tanenbaum, Chubb Professional Risk
Wall Street Journal, April 2015
Cyber Claims and Industry Trends (last 3 years)
Triggers and Industry Trends (as of 10/2015)
Triggers:
• Hack – 34%
• Human Error – 16%
• Rogue Employee – 13%
• Lost/Stolen Devices – 13% (Laptops 11%, Hard Drive 1%, Other 1%)
• Other – 9%
• Privacy Policy – 7%
• Paper – 5%
• Software Error – 3%
Industry Breakout 2013-2015:
• Healthcare – 31%
• Technology – 9%
• Professional Services – 15%
• Retail – 9%
• Financial Institutions – 6%
Targeted Attacks for PI:
• Lost/Stolen Devices
  • 2013 – 17%
  • 2014 – 12%
  • 2015 – 11%
• Hack
  • 2013 – 29%
  • 2014 – 27%
  • 2015 – 43%
• Rogue Employee
  • 2013 – 14%
  • 2014 – 16%
  • 2015 – 11%
Cyber Claims and Industry Trends (10 years)
Triggers by Industry Segment (as of 10/2015)
[Figure: bar charts of claim triggers for Retail, Healthcare, Technology, and Professional Services. Categories: Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy.]
Cyber Claims and Industry Trends (10 years)
Triggers by Industry Segment (as of 10/2015)
[Figure: bar charts of claim triggers for Financial Institutions, Public Entity, Education, and Travel & Hospitality. Categories shown include Hack, Rogue Employee, Lost/Stolen Devices, Human Error, Privacy Policy, Paper, and Unknown.]
Cyber Claims Overview (10 years)
Number of Records Compromised
Percentage of Claims based on Known* Number of Records Compromised
[Figure: pie chart with segments 0 records, 1-100 records, 100-100,000 records, and 100,000+ records; segment labels: 54%, 36%, 8%, 2%.]
*Unknown: oftentimes the exact number of records compromised is never determined, in both large and small incidents.
Cyber Claims Overview (10 years)
Types of Data Involved
Cyber Claims Overview (10 years)
Average Cost of First Party Expenses (as of 10/2015)
Every Breach Response is Unique
[Figure: bar chart of average cost by service (Legal Fees, Forensics, Notification & Call Center, Credit Monitoring, Crisis Management); bar labels: $185,600, $81,600, $51,600, $59,150, $44,500.]
Cost Range of Each Service
• Legal Fees: Under $5,000 up to about $50,000
• Forensics: About $10,000 to Seven Figures
• Notification & Call Center: up to $80,000
• Credit Monitoring: Payment per Enrollee or Restoration Service
• Minimal Crisis Management Costs
Frequency of Each Service?
Cyber Claims Overview (10 years)
Bad Actor Activity Increases Forensic Costs
Understanding the Exposures and Risks
Oversight
Vendor Management
Cyber Risk Mitigation Services
Pre-Incident Strategy
Columns: CORE, TACTICAL, CULTURAL
• Huron Consulting: Information Governance: Know Where and What Data to Protect
• Navigant: Business Impact Calculation: Determine How Much Outages Actually Cost
• Wombat Security: Security Awareness: Elevate Employee Awareness for Protecting Information
• Net Diligence: Cyber Readiness: Compare Your Company Against Security Standards
• McGladrey: PCI Compliance Assessment: Comply with Credit Card Security Requirements
• FireEye: Cyber Threat Blueprint: Gain New Insight on Current Cyber Threats
• Fidelis Cybersecurity: Incident Response: Evaluate your Incident Response Plan and Capabilities
• Trustwave: HIPAA Compliance Assessment: Comply with U.S. Healthcare Regulations
• BitSight Technologies: Security Performance: Ongoing Security Ratings of Your Company
• Lewis Brisbois: Vendor Management: Determine Contractual Privacy and Security Exposures
Chubb Cyber Risk Management Program
A Three-Pronged Approach to Policyholder Cyber Risk Management
MITIGATE: Loss Mitigation Services
• Risk management services designed with our claims data in a menu-style approach at time of proposal. Offered to all potential/current Chubb Technology/Privacy and Network Security policyholders
• External distribution of claims trends (information sharing is absolutely necessary)
• Negotiated price points designed for middle market segment but applicable to all segments (SME & Fortune 100)
• Chubb’s Cyber Experience, powered by eRisk Hub® online risk management portal
RESPOND: Cyber Response Team fka Data Breach Team
• Options at time of proposal and at time of incident (we don’t dictate to our policyholders but enable them to make informed decisions)
• Independent Data Breach Team is key element of coverage (typically $0 retention)
TRANSFER: Risk Transfer Solutions
• Coverage capabilities and limit capacity focused on all sizes and industries
• Highly specialized underwriters to personalize the coverage to policyholder needs
• Experienced claims staff to handle highly complex claims
For More Information
Peter Castillo
Vice President, Financial Lines
Chubb Group of Insurance Companies
+1 (212) 642-7896 Direct
[email protected]
Marketplace Update & Cyber Insurance Buyer’s Guide
Anthony Giordano
First Vice President, Management & Professional Lines
HUB International Northeast Limited
Risk Transfer: A Modular Approach
Protection Available Against a Variety of Threats
Insuring Agreements: Third-Party Risk
• Privacy Liability
  – Covers defense and damages for liability arising out of an organization’s failure to protect personal identifiable, personal health or corporate confidential information.
  – Does NOT have to be a result of a failure of network security
    • Lost/stolen laptops
    • Back-up tapes
    • Paper records
  – Covers regulatory proceedings and penalties brought by a government agency
Insuring Agreements: Third-Party Risk
• Network Security Liability
  – Covers defense and damages for liability arising out of an organization’s failure to protect personal identifiable or corporate confidential information.
  – Covers defense and damages for liability arising out of a failure of network security.
  – Coverages include:
    • DOS (denial of service)
    • Transmission of virus or malicious code
    • Unauthorized access or use of corporate systems
Insuring Agreements: Third-Party Risk
• Media Liability
  – Defense costs and damages arising out of content on an insured’s website which can extend to social media
    • Infringement of copyright or trademark
    • Libel/slander/plagiarism
    • Invasion of privacy
    • Negligence due to content housed on website
  – Coverage can be extended to encompass all matter: broadcast, audio, video, printed
Insuring Agreements: First-Party Risk
• Data Breach Assessment, Investigation and Response Expenses
  – Expert legal counsel fees
  – Forensic investigation costs
  – Notification Costs
  – Public relations fees
  – Identity restoration fees
Market Overview
• Significant and growing interest in Cyber product
• Demand met by expanding number of insurers
• Constantly-evolving coverage terms, firming rates
• Point-of-sale (POS) retailers finding coverage harder to obtain, seeing large premium increases
Today’s Market Conditions
• Recent high-profile breaches have heightened awareness of cybercrime and need for financial protection
• Many first-time buyers entering market
• Significant change in underwriting for retail risks, with heavy focus on POS technology
• Expansion of coverage terms continues
  – Removal of coverage sublimits (caps)
  – Enhanced loss control services
  – Costs covered outside aggregate limit of liability
  – Broadened protection for first-party business interruption risk
Today’s Market Capacity
• Over 60 primary network security and privacy liability writers in mid-market
  – Less interest in ‘jumbo’ risks
• US cyber market generated $2B+ gross written premiums in 2014
  – Potential to grow to $5B by 2018, $7.5B by 2020
• Industry experts predict large rate hikes for business segments hit hard by breaches
Topical Issues
• Movement toward cloud computing now triggering aggregation concerns
  – What happens if cloud provider is breached?
  – How many customers/users could be affected?
• Consumer protection litigation over business practices and privacy issues
  – Allegations of wrongful data collection, sharing of data, eavesdropping, and opt-in/opt-out preferences
2016 Forecast
• Market capacity will remain stable unless you’re in a high-risk segment (e.g., Healthcare, Higher Ed, etc.)
• Competitive pricing environment for mid-market
  – Rates will remain flat
• Retail risk underwriting scrutiny will continue
• Insurers will increase scope of pre-breach services to differentiate from competitors
Cyber Buyer’s Guide
• Get expert help to assess your risk landscape and vulnerabilities
• Obtain ‘nose’ (retroactive) coverage for unknown events predating inception
• Beware of exclusions – e.g., unencrypted devices/data
• Consider protection against acts of third parties
• Take advantage of risk management services
• Don’t scrimp on policy limits
• Understand the claim ‘trigger’ (Occurrence vs. Claims-Made)
• Don’t buy off-the-rack – tailor the product to your needs and circumstances
For More Information
Anthony Giordano
First Vice President – Management & Professional Lines
HUB International Northeast Limited
+1 (212) 338-2354
[email protected]
Open Q&A
Our Nonprofit Thought Leadership
Scott R. Konrad
Senior Vice President & Not-for-Profit Business Practice Leader
HUB International Northeast Limited
+1 (212) 338-2295
[email protected]
Specializing in Nonprofit risk, insurance, and employee benefits solutions