
Cyber, Computer Fraud & Electronic Funds Transfer Exposures
A detailed look at hacking, bank accounts, stolen funds & recovery
Speakers

Matt Prevost, RPLU
AVP, Underwriting
D&O, E&O, Cyber Products - Western Territory

Eric Zehnpfennig, CPCU, RPLU
Underwriting Supervisor, Underwriting
D&O, E&O, Cyber Products - Pacific Northwest and Rocky Mountain Regions

© 2013 Philadelphia Consolidated Holding Corp., All Rights Reserved.


Purpose

Increase awareness through information sharing

“Organizations may choose to handle the risk in different ways, including mitigating the risk, transferring the risk, avoiding the risk, or accepting the risk…”
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology
Released 2/12/2014



Today’s Agenda

15 Minutes How (and why) is this happening…

15 Minutes Who is responsible/exposed…

20 Minutes Insurance Coverage Impact…

5 Minutes Questions/Answers



Intro to Tech Terms

Hack: computer-based intrusion
Mule: entity(ies) or individuals used as a middleman in fraudulent transactions (typically receiving stolen funds and forwarding them so the money trail is harder to follow)
Phishing: masquerading as a trustworthy entity in an electronic communication to obtain data
PCI DSS: Payment Card Industry Data Security Standard
Skimming: using a covert electronic device to capture card numbers as cards are swiped
Compromised: an unauthorized point of entry has been gained



Why is this happening?

2012 Business Banking Trust Trends Survey (Ponemon Institute, August 2012):

- 48% of respondents say their businesses conduct at least 50% of their banking online (up from 29% and 39% in previous years)
- 43% say their bank takes appropriate steps to proactively limit risky banking transactions
- 42% agree that their bank makes it too difficult to access bank accounts and conduct online transactions
- businesses are basically keeping the same technologies in place despite the increased scale and sophistication of fraud attacks

“Any financial institution can put all of the controls they want in place, but if their client isn’t following the instructions or doing things properly, there are certain challenges,” Robbins said. “We do look for all of our clients to use dual controls, and we want to make sure there are multiple points of control. Because what we’re seeing today is that a malware compromise can happen at a single point in the system, and so there have to be multiple controls in place on the customer’s side.” –Virginia Robbins, CAO, California Bank of Commerce*



‘The Smartest Ways to Get Paid’
Inc. Magazine November 2013

A bank is no longer just ‘a bank’…

Examples of different payment methods:

(Columns in the original: Name of Mobile Payment App / “We like” / “Not so much” / Cost)

PayPal Here
  We like: Speedy. You’ll get access to your funds within minutes of swiping a card. Processes cards and checks… and PayPal.
  Not so much: Seller beware. If you process more than $2,500 within a 7-day period, you might not receive the funds for up to 30 days.
  Cost: 2.7% per transaction

Mobile Pay on Demand (BofA)
  We like: Safe. BofA transactions are ultrasecure. Best for high-dollar transactions. A big bank is less likely to freak out over big charges and is equipped for fast-growth businesses.
  Not so much: Printing receipts directly from the app is not yet available.
  Cost: 2.7% per transaction

Paydiant (you put your own brand on it)
  We like: It’s personal. Because customers register with you, you are able to collect valuable data on them as they use the app.
  Not so much: You are reliant on customers downloading your app and associating their cards with it.
  Cost: Variable

SpotPay
  We like: Handy. SpotPay can take photos of the buyer or the purchases. Easy set-up, a free reader and all the basics.
  Not so much: SpotPay’s reader is bulky.
  Cost: 1.99% to 3.19%. Voice is 3.19%.



How it happens every time…

http://www.youtube.com/watch?v=HHXYCPNJtvw



How is this happening?

*Graphic provided by the FBI


Incident Examples

Marketing Firm Example:


http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss

Plumbing Supply Company Example:


Cyber-crooks stole $1.2 million from Unique Industrial Product Co., a Sugar Land, Texas-based plumbing equipment
supply company. The company's operations manager said a forensic analysis showed the attackers used malware
planted on its computers to initiate 43 transfers out of the company's account within 30 minutes.

Experi-Metal, Inc.
http://www.yourmoneyisnotsafeinthebank.org/bank_v_customer.php

http://krebsonsecurity.com/2010/06/the-case-for-cybersecurity-insurance-part-i/

Mt. Gox Example:

The Bitcoin exchange, which was hacked, reported facing 150,000 attacks every second. During a DDoS attack that lasted several days, an estimated $575mm was stolen from the firm. The Tokyo-based exchange, which filed for bankruptcy protection in February 2014, has been sued by a British law firm in a class action suit.
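The Robbins quote above asks for dual controls and “multiple points of control” on the customer’s side, and the Unique Industrial example shows what a single compromised workstation can do without them (43 transfers in 30 minutes). The script below is an added illustration, not from this presentation and not any bank’s actual control logic: it replays a constructed burst shaped like that incident against three customer-side release controls (dual authorization by a distinct user, new-payee hold, and per-account velocity limits) and reports which transfers would have been held. The Policy thresholds, Transfer fields, payee names and timestamps are all assumptions chosen for the demonstration.

```python
"""Client-side release controls over outbound transfer requests.

Added example; not from the presentation or any bank's real system.  The
Policy thresholds, the Transfer fields and the sample data are assumptions
chosen for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Transfer:
    tid: str
    account: str
    initiator: str            # user session that submitted the request
    approver: Optional[str]   # second user who released it, if any
    payee: str
    amount: float
    submitted: datetime


@dataclass
class Policy:
    dual_control_over: float = 5_000.0       # at/above this, a distinct approver is required
    max_per_window: int = 5                  # transfers per account per window
    max_amount_per_window: float = 50_000.0  # total outbound per account per window
    window: timedelta = timedelta(minutes=30)


def evaluate(transfers: List[Transfer], policy: Optional[Policy] = None,
             known_payees: Optional[Set[str]] = None) -> Dict[str, List[str]]:
    """Return {tid: [reasons]} for every transfer the controls would hold.

    Transfers are processed in submission order, so velocity limits see only
    what came earlier: the first few in a burst pass the velocity checks and
    the remainder are held once the per-window count or amount is exceeded.
    """
    policy = policy or Policy()
    known_payees = known_payees if known_payees is not None else {"vendor-acme", "payroll-svc"}
    held: Dict[str, List[str]] = {}
    recent: Dict[str, List[tuple]] = {}    # account -> [(submitted, amount), ...]
    for t in sorted(transfers, key=lambda x: x.submitted):
        reasons = []
        # 1. Dual control: a large transfer needs a second person, not the same login twice.
        if t.amount >= policy.dual_control_over and t.approver in (None, t.initiator):
            reasons.append("dual-control")
        # 2. New payee: a first-time beneficiary is held for out-of-band (callback) verification.
        if t.payee not in known_payees:
            reasons.append("new-payee")
        # 3. Velocity: count and sum of this account's transfers inside the trailing window.
        hist = [h for h in recent.get(t.account, []) if t.submitted - h[0] <= policy.window]
        if len(hist) + 1 > policy.max_per_window:
            reasons.append("velocity-count")
        if sum(a for _, a in hist) + t.amount > policy.max_amount_per_window:
            reasons.append("velocity-amount")
        recent[t.account] = hist + [(t.submitted, t.amount)]
        if reasons:
            held[t.tid] = reasons
    return held


def sample_burst(n: int = 43, start: datetime = datetime(2014, 3, 1, 9, 0),
                 span: timedelta = timedelta(minutes=30)) -> List[Transfer]:
    """Constructed data: n transfers from one account inside `span`, each to a
    never-seen payee and 'approved' by the same login that initiated it, which is
    what a single compromised workstation with one set of credentials produces."""
    step = span / n
    return [Transfer(tid=f"T{i:03d}", account="OPS-001", initiator="ctrl_clerk",
                     approver="ctrl_clerk", payee=f"mule-{i:02d}", amount=27_900.0,
                     submitted=start + i * step)
            for i in range(n)]


def sample_legit() -> List[Transfer]:
    """Constructed data: two routine payments that satisfy every control."""
    t0 = datetime(2014, 3, 1, 9, 0)
    return [Transfer("L001", "OPS-001", "ctrl_clerk", "controller", "vendor-acme", 6_000.0, t0),
            Transfer("L002", "OPS-001", "ctrl_clerk", None, "payroll-svc", 1_200.0,
                     t0 + timedelta(minutes=5))]


if __name__ == "__main__":
    burst = sample_burst()
    held = evaluate(burst)
    print(f"{len(held)} of {len(burst)} burst transfers held; routine batch held: {evaluate(sample_legit())}")
    for tid in ("T000", "T001", "T005"):
        print(tid, held[tid])
```

Every transfer in the burst is caught by the first two controls on its own (same login as initiator and approver, unknown payee), and by the sixth transfer the velocity count trips as well; the routine batch passes untouched. The point for the coverage discussion is that each of these is a control the customer, not the bank, has to switch on, which is exactly where the “who is responsible” disputes in the next section arise.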



Who is responsible?

Marketing Firm Example:

‘We don’t see the error on our side.’ – TD Bank in response to Little & King, LLC e-theft loss
http://krebsonsecurity.com/2010/02/n-y-firm-faces-bankruptcy-from-164000-e-banking-loss/

“They feel that because [the thieves] compromised my computer that it’s my responsibility and that I should look into
my insurance, but I don’t have insurance”- Little & King President

Utah Pizza Place Example:

Cisero’s Pizza sues US Bank (1st such suit in the US; 2011)


http://www.wired.com/images_blogs/threatlevel/2012/01/Cisero-PCI-Countersuit.pdf

“the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided
contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on
merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful
opportunity to dispute claims before money is seized.”



Coverages potentially ‘in play’

Impacted Entity:

Commercial Crime
Stand alone Cyber Products
Commercial General Liability
D&O (failure to maintain, or shareholder/derivative claims)
Cyber endorsements

Other(potentially responsible parties):


Technology providers (E&O)
Banks’ Financial Institution Coverage
General E&O policies of others
Certification Entities
Lawyers’ E&O (drafting contractual language)



Detailed Look at Crime

EE Theft (rogue employee)

Computer Fraud

Electronic Funds Transfer Coverage

Exclusions



Detailed Look at Stand Alone Cyber

Chubb Cybersecurity Policy Definitions



Detailed Look at Cyber

CFC C&P



Detailed Look at Cyber Exclusions

R. For, arising out of or resulting from any of the following: (1) trading losses, trading liabilities or change in value of
accounts; any loss, transfer or theft of monies, securities or tangible property of others in the care, custody or control
of the Insured Organization; (2) the monetary value of any transactions or electronic fund transfers by or on behalf
of the Insured which is lost, diminished, or damaged during transfer from, into or between accounts; or (3) the value
of coupons, price discounts, prizes, awards, or any other valuable consideration given in excess of the total
contracted or expected amount;



Impact on Claims handling

1. Various levels of urgency
2. Who is primary?
3. Contractual needs/requirements
4. Third-party contracts and information hoarding
5. Allocation
6. Case law is constantly changing
7. Experience of E&O/CGL adjusters with cyber-related events when cyber coverage is present
8. Separation of responsibilities (breach coach versus defense attorney)
9. PCI fines and penalties; but aren’t regulatory fines uninsurable?
10. Subrogation opportunity?



Who owns this exposure?

Underwriting standpoint…

Agent standpoint…

Entity standpoint…



Why ‘what if’ coverage scenarios are relevant…

Start to gather a list of ideas from the technology team, the legal team and the CFO’s biggest concern, and see how the coverage(s) interact.

If your CTO asked you…


If your CMO asked you…
If your CEO’s son wants to use his computer…
If your CMO thinks he can build revenue by accepting Bitcoins as
payment…



Where to learn more…

Conferences:
Netdiligence Cyber Conference(East and West Coast)
PLUS
RIMS

Websites:
www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
www.netdiligence.com
www.datalossdb.com

Other:
Cyber underwriters
Crime underwriters
Agents/Brokers
Case Law



Questions?

This material does not amend, or otherwise affect, the provisions or coverages of any insurance policy issued by
the Philadelphia Insurance Companies. It is not a representation that coverage does or does not exist for any
particular claim or loss under any such policy. 

Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy provisions,
and any applicable law.

Availability of coverage referenced in this document can depend on underwriting qualifications and state
regulations.
