Schedule/Sessions

Breakfast

Keynote

• Speakers:

• Tracie Grella, AIG

Tracie Grella is Head of Professional Liability for Global Financial Lines at AIG. In this role, Ms. Grella is responsible for establishing underwriting strategy and implementing best practices in multiple lines of business including cyber liability, reputational risk insurance, architects and engineers liability, and specialty professional liability worldwide.  
 
Most recently, Ms. Grella served as President of Professional Liability for Financial Lines in the U.S. and Canada Region. Ms. Grella began her insurance career with AIG in 1995 as a professional associate in AIG’s U.S. Executive Liability division, and subsequently held a number of positions of increasing responsibility, including President of National Accounts and Chief Underwriting Officer for Professional Liability.    
 
Ms. Grella is commonly called upon as an industry expert by insurance trade and mainstream publications on cyber liability and professional liability issues. She holds a B.S. in finance from Rutgers University and holds a CPCU designation. 

Session 1 - Cyber Masterclass: The Cutting Edge of Regulatory, Coverage and Claims Issues

• Speakers:

• Gail Arkin, Berkley Cyber Risk Solutions

• Jeffrey Batt, Self Employed

• Richard Bortnick, Wilson Elser

• Elissa Doroff, Mosaic Insurance

• Fred Karlinsky, Greenberg Traurig LLP

• Vincent Vitkowsky, Gfeller Laurie LLP

Recent cybersecurity breaches of insurance and other entities have prompted regulators step up their evaluations of insurers’ cybersecurity, issue additional guidance and create new requirements with which insurance entities must comply. This session will consider the issues associated with these enhanced enforcement activities, including the recently adopted New York cybersecurity regulation and proposed National Association of Insurance Commissioners cybersecurity model law. The panel also will address best practices for avoiding, mitigating and responding to breaches, as well as policy language considerations and coverage issues involved in a comprehensive cyber policy, with emphasis on several emerging and challenging areas of coverage.

Takeaways: 
1. Insurers and insureds are subject to evolving regulations which must be taken into account in their cybersecurity measures.
2. Insurers are developing specific new coverages to meet the risks resulting from cyber incidents.
3. The nature of claims arising from cyber risks is fluid and dynamic and requires constant attention and study.

Session 1 - Data Breach Management: Boot Camp for Rapid Response

• Speakers:

• Marcello Antonucci, Beazley

• Louise Bairnsfather, Kroll

• Dale Coddington, ProNet Group, Inc.

• Sean Hoar, Lewis Brisbois Bisgaard & Smith, LLP

Preparing for a data security incident is critical to limiting liability, but a rapid response is absolutely essential. Data breach trends in 2017 show an increased sophistication of malware, targeting of corporate human resources information and unique combinations of social engineering and technical subterfuge to acquire sensitive data for criminal monetization. It is increasingly difficult for businesses to protect their digital environment, and it is more important now than ever before to plan for the inevitable. Using practical examples and case studies reflecting best practices in data breach management, this panel of industry experts will discuss a proactive approach to data security, with all breach responders working in unison from the outset.

Break

Session 2 - Digital Disruption and the New Normal: Reducing Cyber Exposures Through Collaboration

• Speakers:

• Deuayne Crawford, AXA XL

• Elizabeth Fitch, Righi Fitch Law Group

• Theodore Schaer, Zarwin, Baum, DeVito, Kaplan, Schaer & Toddy

• Kelly Thoerig, Marsh

• Antonio Trotta, QBE Insurance

• Anne Winner, Chubb

The cyber insurance market is still in a state of relative infancy and is developing with rapid inconsistency. The speed at which cyber risk has evolved has left everyone in a state of confusion. Given the absence of predictive modeling and insurer sharing of loss information, collaboration between claims and underwriting is critical to better understand these exposures. Developing risk mitigation programs for insureds is equally critical to mitigating this evolving risk. While insurers have developed web-based risk mitigation tools, insureds have not utilized these tools. This seminar will address how brokers, insureds’ privacy counsel, claims and underwriters can collaborate drive the utilization of these important tools and adoption of risk mitigation policies, practices and procedures to reduce cyber exposures.

Takeaways: 
1. Collaboration between claims and underwriting is critical to better understand the exposures for individual insureds and sectoral markets in light of the absence of predictive modeling and the failure or refusal of insurers to share loss information.  
2.Collaboration among underwriters, brokers, and privacy counsel, will help to drive insured to better utilize available insurer risk mitigation tools as well as adopt risk mitigation policies, practices, and procedures. 
3. Collaboration among underwriters, claims professionals, brokers, and privacy counsel at the insurance procurement, renewal, and post-breach claim stages can reduce life of claim and cyber exposures. 

Session 2 - The Post-Spokeo World of Article III Standing: Where are the Courts Headed, and What are the Implications for Insurers?

• Speakers:

• Daniel Hecht, Sompo International Insurance

• Jason Meshekow, inTouch Insurance Services

• Hillard Sterling, Self Employed

• Alex Tievsky, Self Employed

The Supreme Court's decision in Spokeo has had rippling effects on standing jurisprudence in federal courts across the country. The court made clear that plaintiffs must have suffered concrete harm to pursue data-breach cases. But the decision was muddled, as the court also held that intangible harm may be concrete in certain instances. The result has been a tidal wave of cases addressing whether plaintiffs' harm was sufficiently concrete. The decisions often have been contradictory and difficult to reconcile. This panel will present varied perspectives on these cases: A claims representative and a broker will address the implications for insurers and insureds, while counsel for plaintiffs and defendants will give their views on the case law and where it is headed.  All of the panelists will address the potential litigation scenarios in light of Spokeo, including the possibility of prevailing on standing, yet ending up in a less-hospitable state court forum.

Break

Session 3 - Increasing Cyber Savvy to Increase Cybersecurity

• Speakers:

• Judith Cranberg, Froedtert Health

• Jason Krauss, Willis Towers Watson

• John Loyal, Cipriani & Werner, PC

• Gil Vega, CME Group

A careless vendor. A misplaced laptop. An employee who’s been phished. A recent study shows that human error is to blame for almost 90% of cybersecurity breaches. How does it happen? Why does it happen? And how can organizations mitigate this risk? One thing is for certain– cyber risk is not just an IT issue; it permeates entire organizations. Firms need a fully integrated, comprehensive plan for managing people, capital and technology risks across the enterprise. In this session, risk managers, HR managers and CISO will discuss how to create a cyber-smart workforce and build a comprehensive risk management strategy to guard against catastrophic cyber events.

Session 3 - Why ADR for Cyber Coverage Disputes Makes Sense for Both Sides

• Speakers:

• Christopher Carroll, Kennedys

• Lance Ewing, Cotton Holdings, Inc.

• Jonathan Meer, Wilson Elser

• Andrew Nadolna, JAMS - Nadolna

The panel will examine cyber coverage issues that have resulted in coverage litigation. The panel will discuss why cyber coverage disputes are good candidates for mediation and arbitration and why cyber coverage disputes weigh heavily in favor of confidential and unreported resolutions. The panel will also provide tips on how to mediate and arbitrate cyber coverage claims as well as the insertion of ADR provisions in cyber insurance policies.

Takeaways:
1. The number of cyber coverage disputes is growing rapidly and has the potential to grow even faster as the market continues to expand. 
2. Mediation and Arbitration provide advantages to policyholders and insurers when dealing with cyber coverage disputes including confidentiality, outcomes that do not have precedential force, efficiency, better understanding of the other sides’ position and significant party autonomy as to process and/or outcome. 
3. ADR should be approached with the same kind and level of strategic sophistication as litigation. Such an approach will generate benefits.

Lunch

Session 4 - Unique Cyber Risks and Coverage Challenges from the Industrial Internet of Things

• Speakers:

• Scott Corzine, Self Employed

• John Farley, HUB International

• Joshua Gold, Anderson Kill P.C.

• Joseph Weiss, Self Employed

As industrial control systems that manage equipment and processes in manufacturing, utilities, transportation, energy and hospitals become increasingly Internet-connected, the risk of cyber incidents to critical infrastructure is becoming profound. Estimates are that by 2020 the “industrial internet of things” (IIOT) may include over 11 billion industrial control components installed in the field that are increasingly connected to networks. These are components that measure and control mixtures, heat, and levels, open and shut valves and circuits, and sense production problems. Should these addressable components be successfully hacked or otherwise disabled, potential impacts include black-outs, production disruptions and process safety risk, threats to widespread public safety, and environmental consequences that were once thought of as "black swans."  This session will examine how real these risks are, how companies are beginning to address industrial control systems cyber risk, and the challenges to the insurance sector to develop products that cover and price this risk effectively.

Takeaways:
1. Understand the fundamental differences between cybersecurity risk, impact, and loss implications that arise from compromises to information technology (IT) assets and compromises to operating technology (OT) assets.
2. Appreciate why addressing the insurance and risk management issues at the “point of purchase” is more economically appealing than addressing these issues at the “point of claim.”
3. Identify the multiple types of insurance coverage that may come into play (for incident response, damage to physical assets, contingent impacts, operational disruption, errors and omissions, litigation, liability, pollution, event cancellation, disruption, directors and officers), and gain an appreciation for which policies may respond to a cybersecurity breach of industrial control systems that generates complex impacts to multiple parties and asset classes.

Session 4 - What U.S. Businesses Need to Know About International Privacy Regulations

• Speakers:

• Sean Letz, Marsh

• Charles Pruzinsky, Beazley

• Richard Reiter, Self Employed

• Richard Sheridan, Berkley Cyber Risk Solutions

U.S. businesses are focused on complying with federal regulations, state breach response laws and recently promulgated state privacy regulations. However, their obligations likely transcend these requirements. Many U.S. businesses are unaware that international privacy regulations also impact how they conduct business. This session will discuss the risks posed by these international regulations, options available to mitigate the risk and the penalties associated with non-compliance.

Takeaways: 
1. Promulgation of new foreign data protection requirements and the need for compliance. 
2. New exposures created as a result of the passage of privacy regulations (e.g., increased fines/penalties, shorter breach notification obligations).
3. Successful risk mitigation strategies and best practices to manage these new obligations.

Break

Session 5 - Data Analytics: A Weapon for Cyber Security

• Speakers:

• James Coyle, Willis Towers Watson

• Joan D'Ambrosio, Self Employed

• Roxane Divol, Symantec

• Kevin Kalinich, Aon

With cyber risk named a top board room concern, many organizations are increasingly under pressure to quantify their exposures for both internal and external stakeholders. The combination of diverse forms of data along with increasingly sophisticated analytics can enable organizations to proactively measure and manage this crucial exposure. This session will cover the key areas for consideration when using analytics to diagnose cyber exposures such as data privacy and business interruption, as well as how to leverage that data to customize risk-financing and risk-transfer strategies.

Session 5 - What Cyber Cover WannaCry Makes U.S. Companies Wanna Buy

• Speakers:

• Anthony Dolce, The Hartford

• Jay Kramer, Lewis Brisbois Bisgaard & Smith, LLP

• Michael McGlone , Self Employed

The May 2017 WannaCry ransomware attack targeted the Microsoft Windows operating systems of more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages. The February 2017 Amazon cloud-computing division outage had a cascading effect on businesses using it for cloud-based data storage and web services, disrupting their online services. The 2016 Dyn denial of service attack disrupted websites of Dyn’s business customers relying on it to connect users to their sites. Is there coverage for businesses interruption losses under cyber or other insurance policies when Internet access is disrupted? This session will explore how current cyber risk policies would respond to such massive attacks; what types and limits of coverage U.S.-based companies should buy to shield themselves from business interruption and other losses stemming from cyberattacks in other parts of the world; and what risk management steps companies can take to guard against such malicious intrusions.

Takeaways: 
1. To avoid many damaging encryption and ransomware attacks, it is critical for organizations to review and strengthen patching and data backup policies and procedures.
2. Organizations should plan for data security incidents, since it is unrealistic to operate under an assumption that all incidents can be avoided. Proper planning is a continuous and multi-layered effort, and it includes: the development of a robust incident response plan; employee training; and the rigorous testing of incident response capabilities through periodic tabletop exercises.
3. A well-informed insurance broker is a vital resource in obtaining the most appropriate combination of insurance products to shift some risk regarding many emerging cyber threats.