Lucas Tanglen, Sam Reger, Reymond Yammine - Our Insurance Covers That, Right?

BSides FloodCity · 51:06 · 3 views · Published 2019-05

So Lucas works for K&L Gates. He's an insurance coverage lawyer, including practice in silence. Lucas assists clients in purchasing sirens warrants and it evens hostage learning to seek the most favorable coverage possible. Brandon is also an attorney at K&L Gates with broad-ranging experience, including a focus on cyber insurance with Lucas. So

Thank you for that introduction. As I said, my name is Lucas Tanglen. I'm a lawyer at the K&L Gates law firm in Pittsburgh. I am an insurance coverage lawyer, which means I represent companies in disputes with their insurance companies and insurers. So my goal in my law practice day to day is extracting as much money as we can from insurance companies, to make certain our clients get good value for the insurance that they purchase, including cyber insurance policies. So my experience includes, day to day, reviewing the terms of cyber insurance policies to make sure that businesses have the best possible terms and the broadest possible coverage for their cyber-related risks. Just to get a sense of the audience today:

How many people are cyber risk practitioners, cyber security practitioners in some way? OK, a good number. How many people have some type of risk management or insurance-related responsibilities? Also a decent number, and it looks like some overlap, which is not surprising, because it's been our experience that there is an overlapping involvement of the technical experts with the insurance and risk management experts in cybersecurity, which is good and the way it needs to be done to ensure that the correct coverage is placed. So we're going to talk about cyber risk management in general, and then specifically we're going to get into cyber insurance. More than anything, what I want to impart today is

some practical tips, so that you who are involved in cyber insurance, or even if you are not directly involved in cyber insurance, can go back to your companies, have a discussion with a CFO or risk manager about cyber insurance and say: are we sure that our cyber policy covers the GDPR? Are we sure that our cyber policy isn't written in a way that's going to wipe out coverage for an international cyber attack like NotPetya, which is the main reason to have cyber insurance: broad coverage for these catastrophic cyber type of events. So here are the general causes of cyber risk. The practitioners know this

stuff, I'm sure, better than I do, but this is just a selection of the type of things that are cyber risks. When we talk about insuring cyber risks, the types of causes that we're looking at are: malicious attacks; unauthorized access by hackers or by disgruntled employees taking information off computer systems that they're not supposed to; negligence, like phishing schemes that we've talked about already today; innocent mistakes that can result in an interruption of your business and potential multi-million dollar losses; or just garden-variety simple mishaps like loss of mobile devices or laptops. These are all in the broad category of cyber risks that we think about insuring. Why do CEOs and CFOs and

people like that care about cyber risk? Obviously, it's because it can have a significant impact on bottom lines. This is just one recent statistic from the Ponemon Institute: average cost of a data breach in 2018, three point eight six billion dollars. Anything in the millions sounds like a lot, but this obviously includes a lot of sort of smaller, garden-variety data breaches, and the expenses for a really significant cyber incident or a really significant cyber attack can dwarf this number. How do these risks manifest? How do they turn into a problem that does affect the company's bottom line? Well, with a data breach a company might incur substantial expenses: notification costs to the customers or

vendors whose information was compromised. There are public relations problems associated with a cyber incident, and expenses to manage the public relations and to manage a crisis; computer forensics, to get experts to come in and figure out what went wrong; credit monitoring services that the company might have to pay for; and the list goes on and on. Business interruption is one of the most significant, which I talked about earlier: if a company's computer system is down for days, just the logistics, the loss of opportunities, can be truly massive. Other effects of cyber risk: there can be actual physical injury to the computer hardware, there can be injury to other property, there can be loss of valuable IP.

There can be expensive lawsuits brought by customers seeking to hold the company liable for allowing the cyber event to happen. You can have regulatory proceedings initiated against you by the Securities and Exchange Commission or any number of other government entities that will come asking what happened, how did the company allow this to happen. And of course there are legal fees to pay your overpriced lawyers who come in and get involved whenever there is a significant cyber event with legal ramifications to it.

This is a little more discussing some of the consequences, but I think we've basically covered the types of costs that arise to a company, that underscore the seriousness of the financial risks that are involved in managing cyber risks. So, some general comments on cyber risk management. Every company, every enterprise, whether it knows it or not, is engaged in cyber risk management. The way that I think about it is four general categories of cyber risk management: you can avoid a cyber risk, you can mitigate a cyber risk, you can try to transfer a cyber risk to a third party like an insurance company, or you can accept the cyber risks and be

prepared to deal with the financial consequences out of the company's treasury. In any event, the idea of cyber risk management is protecting at the perimeter. It's the company's obligation and responsibility in the first instance to have its cybersecurity controls, because the company is the first line of defense against cyber attacks. So, a little bit on avoiding cyber risks. What does it mean to avoid a cyber risk? That could mean you simply pass on an opportunity that you might otherwise be involved in, because you see a cyber risk that you can't accept. It could mean you choose not to do business with a vendor whose cyber practices aren't up to par, and which you can't control and

are not acceptable to you, so you simply choose not to deal with that entity. Complete avoidance of cyber risk in the real world generally is not an option. So there may be places where you pick and choose cyber risks that aren't acceptable, opportunities that you're going to pass on, but no company can realistically avoid all cyber risks. I had someone ask me, in a discussion about these different approaches to cyber risks (this was around the time when information was coming out about Facebook and people's personal information being used in ways that they probably did not intend): how do we individually manage that cyber risk? Avoidance is one option. Some people simply opt out of Facebook, just as an example. Other people

find that that's not an acceptable solution, and then there are some other ways to manage that cyber risk, a little later. Mitigating cyber risk, and this might be an area where some of you have your careers based and have a great deal of expertise, involves using technical tools to limit the possibility of a cyber incident, especially an expensive cyber incident, happening: things like data encryption and cyber security penetration testing, cyber security audits, all of the types of tools that companies use to limit the chances of suffering a cyber loss; human resources tools like training; corporate governance tools like Wreckers that's investing in cybersecurity. How might you mitigate the cyber risk in the Facebook example? Maybe

maybe you limit the types of things that you post on Facebook, and that's how you've chosen to mitigate that cyber risk. Maybe you have decided not to accept friend requests from people you don't know, and that's a way that you can mitigate the cyber risk associated with Facebook, just to give a more personal example of how mitigating the risk might work. Transferring your risk, and this is what we will be talking about in more detail: the main way of transferring risk is through insurance. So you have decided that you can't avoid certain cyber risks, you can't completely avoid the possibility of a data breach or cyber attack, you've tried to mitigate it the best you

can, but there's still risk there. You don't want to be on the hook for all the costs when one of these events happens. So another possible part of the approach to cyber risk management is transferring that risk: buying cyber insurance that you hope will respond and step in to pay for losses that your company incurs as a result of a cyber incident. There may be other types of insurance that can be relevant, more traditional types of insurance policies that almost all major companies have, and there are also other contractual possibilities for transferring cyber risks. If you are dealing with a vendor and you have concerns about their cyber practices that might

affect you, you might be able to have in your contract that the vendor will be on the hook for any cyber blowback that comes to you as a result of your dealings with them. I'm not sure of a way to transfer our cyber risks resulting from our Facebook use, but maybe someone will invent a Facebook insurance policy, and then you can seek coverage when something bad happens with your social media experience. And then accepting cyber risk is the fourth big-picture approach, or piece of the puzzle. Accepting cyber risk can take different forms. Passively accepting cyber risk: this is what I was alluding to when I said every company, whether it knows it or not, is managing its cyber risks in one

way or another. If it's doing nothing, if it's not mitigating, if it's not avoiding, and it's not seeking to transfer its cyber risks, then it has simply accepted them, and it's going to be the one on the hook in the end for the costs and the consequences of a cyber attack. Accepting cyber risk doesn't have to have that negative connotation, though. Accepting cyber risk can simply mean that you've done what you can to avoid, done what you can to mitigate and to transfer, but at the end of the day there is some remainder that the company is prepared to accept it will be on the hook for if it suffers a cyber attack.

And just one thing to keep in mind as we talk about cyber risk management strategies, and this is a big-picture thing for the company to think about, and it's also something for practitioners to think about in their roles within the company: who owns the problem of cyber risk management, of cyber risk response, within the company? It might be the board of directors, taking a proactive approach to making sure that it has policies in place, training in place, insurance in place, to make sure that the company can have an appropriate response to a cyber risk. It could be a CEO, it could be the lawyers, the general counsel or an outside lawyer, it could be

the information officers, information security officers, the CFO or the risk manager. Ideally it's all of these different pieces working in concert, understanding who's responsible for calling law enforcement to respond to the cyber incident, who's responsible for notifying in the event of a cyber incident, and who's responsible for training. The idea is it's everyone: every one of these groups should have some role in owning the cyber risk problem. So we're going to be talking especially about the transfer part of the cyber risk management strategy, the insurance policies. And just to give a little of my background again: we do insurance coverage law, and it's on the side of companies, not on the side of insurance companies. So

I'm going to be, later in the presentation, going into some detail about cyber insurance policies, their features, how they work. That's not because I'm an insurance salesman; I am most definitely not. I am generally, in my career, adverse to insurance companies. But because cyber insurance is such an important part of the cyber risk management strategy, it should be, we feel, important for our clients to understand how these policies work and how to get the broadest possible coverage. So, beyond cyber insurance policies, there are other types of insurance policies that likely can come into play in a cyber incident: traditional property insurance policies, traditional general liability insurance policies, and the

list goes on, but we will eventually get around to a focus in our talk here on cyber insurance policies. And just to tee that up a little bit, here is just some basic information about cyber insurance. Many of you may already know the fundamentals, and some of you may know in detail how cyber insurance works. In the insurance world, and in the long history of the insurance industry, cyber insurance is a relatively new product. It came about around the year 2000, and it really has exploded in recent years, with more and more companies of all sizes investing in cyber insurance policies. Reading a cyber policy: has anyone here read a cyber insurance policy? Some of you have had

the pleasure. In my experience, even for insurance policies, they can be very dense and not inviting to read. Depending on who wrote the policy, they can tend to have very technical definitions that are incorporated into the policy. The policy might have 8 or 10 different forms that all collectively form what is called the cyber policy, to cover different aspects of the cyber risk. It's not the most inviting thing to sit down to read, but the only way to understand what is and isn't covered is, unfortunately, to actually read through a cyber policy, and possibly to have assistance in looking through those terms to figure out what will and will

not actually be covered. Just the high-level basics of what a cyber policy is and what it does. Insurance can be understood as protecting two main categories of risks: first-party risks and third-party risks. The first-party risk is the cost that the company itself incurs for damage out of the cyber incident. So the first-party coverage will be those notification costs that you have to pay, the cost to repair or replace computer equipment, the cost to repair and replace your paper that was damaged. And then third-party coverage refers to the loss that someone else incurs because of your cyber incident. This is the lawsuits from customers; it also generally includes the government proceedings that might be initiated

against the company arising out of the cyber event. There's no standard form, so it's hard to talk in a lot of generalizations about what a cyber policy looks like, with about 70 different insurance companies offering what they call cyber insurance these days. On the terms and the pricing of cyber insurance, there's a bit of good news: because of the competition in the market, it is a relatively negotiable type of insurance, especially for large companies, but also perhaps for medium-sized and smaller companies as well. In buying and reviewing cyber policies, we've found that it's absolutely worthwhile to negotiate wording with insurers, to go back to them and say: we're not crazy about this

wording, this coverage can be broader, we need this exclusion to be deleted from the policy. You don't get everything that you want, but you can get real movement and real value in doing some negotiation with insurers on a cyber policy. So we're going to talk in detail today about a couple of hot issues in the world of cyber insurance. The first of them is the GDPR. I expect many of you, maybe all of you, have heard or read about the GDPR, which came into effect last year. And one thing many of our clients ask in terms of the GDPR is: we have these massive fines that European governments can impose on us for

violating the GDPR. Is that going to be covered under our cyber insurance? We've looked at different cyber policies to try to figure this out. The answer is: it's complicated. But I want to turn the program over to Reymond now. He's going to give some basics of the GDPR and how it works, and then we'll get into talking about some of the insurance implications.

Thank you, Lucas, for that introduction. Hi everyone, my name is Reymond Yammine. I'm also an associate at K&L Gates with Lucas in the area of cyber insurance. Now, before we get started on the GDPR, I just want to see a show of hands: how many of you have heard of the GDPR before today? Most of you. How many of you know that the regulation promises millions of dollars with it as well? How many would say to say you know the the GD government's the spawns for companies that may not be neither a union and already us show up and scream. So that's gonna start this. I want to ask you. My point today in this presentation is

being able to answer a few questions for you. One, in a very broad way, what is the GDPR? Two, why should you care, why does it matter to companies that are not in the European Union? And three, and lastly, what can we do about it? And that's the topic Lucas will touch upon, which is: what's the cyber insurance side to the GDPR? Now, the first point. The GDPR, the General Data Protection Regulation, came into effect on May 25th, 2018, replacing the previous Directive 95/46/EC, or the Data Protection Directive, that was in place in the mid nineteen nineties. The GDPR's stated goal is the protection of individuals' rights and freedoms with regard to

their own personal data. And I'll apologize now: as attorneys we're all about the long sentences and what the courts eat. And so if we take a closer look at the GDPR, some of its chapters, for example chapter 101, say that the regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. It also says that the regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. What's interesting about the GDPR, as some of you mentioned that you know, is the heavy financial liabilities that it promises to impose. We're talking of up

to 20 million euros for non-compliance, or even four percent of the company's worldwide annual revenue. And so with numbers this high, it's always important to look at what the text actually says and what sort of implications it has on a company's operations. First, and importantly, what's the territorial scope? That is the fancy word for: how does it apply to companies, and when? The regulation divides companies into those that are established in the EU and those that are not established in the EU. For companies that are established in the EU, the regulation applies to all their data processing operations, whether or not those take place in the European Union. For companies that are not established in the EU, the regulation will only apply

to the processing of personal data as long as it relates to the provision of services or goods, facilities and services, to members in the European Union, or the monitoring of their behavior as far as it takes place in the European Union. On monitoring behavior, for example, say a company is engaging in sort of marketing analysis, and by using wireless data it maps where customers go in a building or a mall, walk around the place, and once they're sourcing this sort of map, it comes to an analysis of the individuals' behavior, which could fall under the regulation of the GDPR. Now, processing of data sounds like a very, very specific sort of activity, and if we

take a closer look at what the regulation actually says, the term is actually quite broad as to what processing of personal data means. On one end of the question is personal data, which is defined as really any information relating to an identifiable person, and an identifiable person is one who can be identified by a personal identifier, so like at number anonymize summer. On the other end of the question: what is the processing of data? Processing is defined as any operation or set of operations which is performed on personal data, whether or not by automated means, and the regulation provides a number of activities that constitute processing. Some of them are collection,

recording, organization, structuring, storage, adaptation, consultation, transmission, and really it's a very broad list of the sort of activities that would constitute processing of personal data under the regulation. What's been most interesting about the GDPR is that it promises a number of rights for individuals. Some of those rights, most prominently the right to be informed, so it grants individuals the right to know what has been done with their information, who's doing what with their information, by which means, for what purpose; the right to be informed when their information is modified, rectified or erased. Secondly, we have the right of access, which grants individuals the right to access their data and be able to tell what is being kept about them; the right to rectify that

information, the right to rectify any errors in existing information kept about them; the right to be forgotten, which, as it sounds, is the right to have all information that a company or organization might have about you deleted, and that comes with certain caveats: it's not an absolute right, there are some restrictions; the right to restrict processing, or the right to discrete automated, which is basically the right to tell the company how you'd like your information to be managed; the right to data portability, which is basically the right without intervention with a certain attention to another; and ultimately the right to object, the right to object to the way your data is being kept or being collected. Now, there are no free lunches,

so what is rights on one side is obligations on the other side. And so some of these rights do translate into obligations for organizations that are keeping personal data. Some of those obligations, for example, include the requirement that companies implement the appropriate technical and organizational measures so as to be able to demonstrate that the processing is in line with what the regulation requires. One particular example that you can see is how the regulation applies to data breaches. For example, the GDPR requires that companies that are subject within a region or some authoritative region provide certain information to users and regulators, and for example requires that at least within 72 hours of suffering the

breach, the company informs the regulators that a data breach has occurred, and there's a similar requirement on informing individuals that a data breach has occurred.

Now, as sort of mentioned before, the GDPR has two ways of enforcement. One is private actions, so individuals can sue to enforce the regulation. It's been about a year since the law came into effect, and we haven't seen much action on that, and hopefully with the passage of time we might see more action. And then on the other part we have greater enforcement by regulatory agencies, and that's basically government agencies within each country imposing fines or restrictions of funding to public companies. And this year we've seen some action. It's gone from, you know, cease-and-desist orders, stop doing what you're doing, all the way up to fines, which have ranged from

5,000 euros all the way to 50 million euros, so there is quite a range in between. Some examples of that: a small business was fined 5,000 euros for basically maintaining security cameras outside of the business, and part of the decision was, well, you weren't really authorized to be filming a sidewalk and you never told people, so that's a violation of the regulation. A German social media site got fined about 20,000 euros for mismanagement of information; basically what's alleged is that it was keeping passwords in plain text, and this was not complying with the regulation and is not proper procedure, so they were fined about twenty thousand euros. A hospital in Portugal was fined about 400,000 euros for what the regulators alleged was, well,

too many people had access to the information, the personal private information of individuals. What they're saying is they had a sort of loose system of access to information, so any doctor could access anybody's records, any nurse or technician could access records, and the regulator said you should have access control to ensure the personal information wasn't spread. The biggest fine so far is by the French regulators define name do it or what they say is lack of transparency in the use of personal data. They're alleging that powered individuals personal data, and they're saying that the terms and agreements and the sort of waivers that they're giving people weren't

sufficient to really create informed consent. Lastly, we have a Polish data processing company that was fined about two hundred thousand euros for, you know, processing publicly available information of individuals without informing them and without getting consent from those individuals for the processing of data. So I guess, to sum up what's been going on: there's this law that imposes some really high fines, and in the last year that it has been in effect, regulators have imposed a couple of very substantial fines on companies who were alleged not to be compliant with this regulation. To that extent, it's important to take a closer look at options that a company can take,

that a company, organization or individuals can take as to mitigating that risk. And in the form of mitigation, my colleague Lucas Tanglen will be discussing the mitigation strategies on GDPR fines.

Thanks for that. So it's sort of a scary world for some companies, and some of our clients have to comply with the GDPR and are figuring out what the contours of the GDPR are and what it requires of them. I think the example of enforcement that I thought was very interesting was the closed-circuit TV: simply recording people in a public space could give rise to a GDPR violation. Even though that's not inherently a cyber risk, it does give a sense of how broadly the GDPR might be applied. What one company might think is a relatively innocuous activity could have privacy implications that the company hasn't thought about, and that it might face liability over. So like I

said, we have a lot of clients who have been trying to figure out: OK, we want to transfer as much of our cyber risk as we can to our insurers. Is our cyber policy actually going to cover us if we face a lawsuit based on the GDPR, or if we face a regulatory proceeding based on the GDPR, or if, heaven forbid, we are hit with one of these massive fines that the GDPR allows? There are several questions that you can bring to the cyber policy to try to figure out where the coverage is for the GDPR. Cyber policies, and insurance policies generally, aren't written in a way that says expressly, straight up, we cover the GDPR. You need to look at

the general terms of the coverage that is provided, and then as an insurance lawyer or as a risk manager you can look at those terms and say: how might the GDPR fit within these terms? One possible challenge is that the GDPR provides for a very, very broad conception of what is personal data, the type of personal data that is subject to the GDPR. That, as mentioned, is basically any information through which the person can be identified: so the obvious stuff like names and social security number and phone number, but also maybe less obvious things like the person's image, or even biometric data like a person's statement. Does the cyber insurance policy cover that type of broad scope of personal

data which could be subject to the GDPR? Some cyber policies define personal data somewhat narrowly, limited to those categories of things I just mentioned: the name and the social security number and phone number. Some cyber policies define personal data by reference to existing privacy statutes like HIPAA, or by combinations of those approaches. If I were looking at a cyber policy, a general thing that I might try to get into the policy to ensure GDPR coverage would be a definition of personal information or personally identifiable information that's at least as broad as the GDPR's definition of personal data. You might do this by having it expressly say in the policy

personal data includes personal data under the GDPR, or you could simply import the language of the GDPR into the cyber policy; that might be another approach. Separate from what types of data are covered by the GDPR and which are covered in your cyber policy is what type of conduct is going to be covered in your cyber policy. As we've talked about, there's a very broad conception in the GDPR of what it means to process data, for which you might be liable under that regulation. Is your cyber insurance policy broad enough to cover all different types of processing? One possible problem in a cyber insurance policy, particularly those that follow the model from the earlier days of cyber

insurance, is that they tend to be focused on data breaches as the key event that gives rise to the cyber coverage. So they have terms that are focused on what the insurer's obligation is to provide coverage when there is an actual data breach, which may result in things like identity theft. The problem is that the GDPR is not limited to a data breach situation. It could very well include the data breach situation, but it has this very, very broad concept of processing, to include things like collecting and retaining data. If you aren't up to what the GDPR requires in your data collection and your data retention practices, you can be liable even though there was not

an actual data breach. The problem is when you go to your insurer to say, well, we got hit with this GDPR liability because of allegedly faulty data retention practices, the insurer may say: well, that's too bad, this was a cyber policy that's focused on data breaches, and there was no data breach here; you just didn't follow the rules for data retention. A possible approach to fixing this in your company's cyber policy: get a broad scope of conduct expressly covered. You might be able to get an insurance policy that expressly says we're going to cover you for your own collection or disclosure or use or access or destruction of personal

information. I've seen cyber policies that say we're going to cover you for any infringement or any violation of any rights to privacy, or for violation of any privacy-related statutes. These are practical ways, practical things that you can go to an insurer or an insurance broker with and say: we think this coverage can be a little broader, to make sure we're covering all of the different stuff that our company does that could give rise to cyber liability, and GDPR liability specifically. And the big question CEOs and CFOs want to know about when they're talking about GDPR and cyber insurance is: OK, we get hit with a 50 million euro fine in Europe; is the insurance company going to

pay for that? Unfortunately, no matter how hard you study the wording of your insurance policy, it is a bit of an unknown right now how the insurance markets are really going to respond when the situation comes up. So it is a good idea to start with the policy wording and make sure you're giving yourself the best chance to make an argument for coverage for this type of fine. You might look at how the policy defines which losses are covered, what constitutes covered damages, what constitutes covered costs, and you may be able to change the wording to say: yes, damages include fines; it's not limited to money that a plaintiff wins against you in a lawsuit; it includes government

fines you might want to make sure that there's not an exclusion in the policy some cyber policies plainly say we don't cover fines let's say that's really done that's going to make it very difficult to seek coverage for a GDPR fine and you might have to look at the choice of law provision in your cyber policy to get deeper into the legal weeds here some states will have law that courts have made that says no fines are not insurable what the insurance policy says because fines are supposed to be a punishment they're supposed to be a deterrent and we would undermine what the regulator intended to do by imposing this fine and

we just let you send that cost to your insurer and you go about your merry way so those even besides the actual policy wording there are considerations under specific jurisdictional law whether you can seek coverage for those fines so an insurance policy will definitely be covered by the law be subject to the law of a particular jurisdiction so if you're a US company and you have a US insurer and there's not a choice of law provision in the policy the policy will likely be governed by the insurance coverage law of Pennsylvania or some other relevant jurisdiction so in that in that hypothetical if you're a Pennsylvania company you might need to research Pennsylvania law what does Pennsylvania law

say about whether fines can be covered by other insurance the added wrinkle with the GDPR is that the EU nations themselves will take a very hostile view to seeking insurance coverage for fines I think a majority of EU nations do not allow or do not encourage policyholders to be able to recover them from their territories or vizor are imposed it's a bit of an open question now if you have the fine imposed in Europe seek coverage from your insurance company in America what what saved us to eat you about in that question of insurability nullifying so unfortunately the bottom line is there's no clear answer to whether these big fines are ultimately going to be

covered by cyber insurance but it absolutely is a good idea to look at the policy wording negotiate it to get yourself the most favorable ground possible to argue from in the event you might need to go to seek that kind of coverage and we have a few minutes left to talk about a topic that the business news of the New York Times method that i believe about it this week and that is how do war and hostility exclusions in insurance policies potentially apply to limit coverage for cyber attacks carried out by or at least attributed to foreign governments this quote alludes to the point that we made earlier of businesses of business

is the first line of defense to a cyber attack by a foreign government cyberattacks obviously don't know borders so that companies right they are very concerned about what they needed to defend themselves and to respond to cyber attacks that's the background I'm sure almost everyone here is familiar at some level with the NotPetya attack of 2017 this was a cyber attack that hit businesses in the US France Germany Italy Poland UK Ukraine Russia this attack caused damage to and it also caused massive interruptions to these companies' businesses where they in some instances were essentially forced to shut down for days at a time losing millions and millions of dollars in lost profits the US government

eventually attributes NotPetya to the Russian government one of the companies that is hit by the NotPetya attack is Mondelez which is a very large food company that's behind some of the most famous brands of foods that you see at the grocery store Nabisco Oreo et cetera they have us users potential stolen in the course of this attack they had 1,700 servers and 24,000 laptops essentially be ruined and they say that the total loss including their business Mondelez goes to its property insurer under its property insurance policy to seek coverage for these losses even though it was a property insurance policy not a cyber policy this particular property policy contained express wording for cyber related

risks and for introduction of malicious code to the company's systems so it seems very reasonable unless it's not covered under this policy for these losses arising from the potential obstacle is an exclusion in the policy that says this policy is not going to cover you for a hostile or warlike action in time of peace or war including action in hindering combating or defending against an actual impending or expected attack by a government or a sovereign power so what does an exclusion like this mean and an exclusion could very well appear in a cyber policy as well as a property policy what does that mean when a company seeks coverage for one of these massive attacks that's attributed to a foreign government are you out of luck and

the cyber insurance that you've been paying expensive premiums for is not going to have any value

so there are a bunch of issues relevant to how this exclusion should be applied one question is who is to have the final word on who carried out this particular cyber attack does the US government when it says it was Russia is that the end of the story do we get to put Russia on trial in the context of insurance litigation and get to the bottom of what really happened in this attack likely not that's likely not going to be practical but if you have the alleged perpetrator that denies involvement like Russia has the policyholder is out of luck because you have a disagreement among different sovereign nations about what happened here what if there is

disagreement even within the US government we have in the headlines pretty regularly the intelligence community telling us one thing and a chief executive questioning the strength of those conclusions and the facts that underlie those conclusions if the president is allowed to second-guess intelligence determinations shouldn't the policyholder be allowed to in this fantasy coverage for these millions of dollars and then there are a bunch of arguments that insurance coverage lawyers like me would make when we're dealing with an exclusion like this what does hostile or warlike action even mean isn't that ambiguous there was there's no battlefield there aren't tanks rolling through this is a company going the money business and it gets hit by a

cyber attack it is not really warlike shouldn't this exclusion require some proximity to a field of battle and by the way in its in the litigation against its insurers Mondelez is pointing out these insurance companies are out there advertising every time there's a big cyber incident like this saying you better make sure you have the cyber insurance in order we'll sell the cyber insurance to you if the industry is going to take this aggressive position that attacks like this aren't covered that has really significant implications for how companies manage this particular cyber risk are they really able to transfer this cyber risk and just a bit of maybe good news to close with and this is something that

you might go back to your insurance policies of this management I think the insurance industry is somewhat sensitive to this issue to the MIT event cyber policy might be perceived as much less valuable than otherwise thought if people get the perception that the insurers are not going to pay for claims like this it may be a good idea to go back to a cyber insurer or to a broker or to an insurer and try to get some exceptions built into this war exclusion so that it's easier for you to argue that no no a cyber attack like NotPetya that's not war that's not hostilities we don't lose coverage for that so here are a couple of approaches that an insurer might be

willing to incorporate into its policy to make your arguments a little more available in the event you are hit with a cyber attack like this and that's what we have prepared their thing for the spot out of time Reymond and I will be at the K&L Gates table all day if anyone has any questions I'm happy to take them there thank you