The Green Sheet Online Edition
December 08, 2014 • Issue 14:12:01
Nothing ado about much
One subject that is often given too little attention in the payments industry is cyber liability. The discussion seems to cover only breach prevention and breach costs, which most assume will be picked up in full by a breach insurance policy.
However, what plan of action do you have in place in the event of a breach, and will you face Payment Card Industry (PCI) Data Security Standard (DSS)-related costs above and beyond those covered by a group policy? How would a processor respond to a mass exodus of its merchants, and to the lost revenue, liability and corresponding legal costs? What if you came into work one morning and learned that criminals had compromised your systems with CryptoLocker (or similar ransomware) and were demanding thousands of dollars, typically payable in bitcoin, to unlock your data? What if news of anything of the sort got out and tarnished your company's name? What would the revenue loss from attrition be?
Breach versus cyber liability insurance
First, I'll clarify a couple of terms that are often used synonymously, and whose misuse could prove costly. In the payments industry, when data breach or PCI insurance is mentioned, it means the group coverage an ISO or processor offers to merchants as a value-add. The ISO or processor obtains this coverage directly through an insurance broker. It covers the costs associated with a breach, such as notifications, mandatory audits, fines, assessments, card replacement and identity recovery services.
An obvious hole in the above is the lack of first- and third-party liability coverage, especially for the processor. Some policies may offer a sub-limit of liability, but depending on the size of the processor, it may not be in line with the actual exposure. This is where a comprehensive cyber liability policy comes into play. Unlike the group breach coverage, a comprehensive cyber liability policy cannot be purchased through the processor.
When people use the term breach insurance, they are referring to one component of cyber liability insurance. In addition to breach-related costs, a good comprehensive cyber liability policy should include: first- and third-party liability; lost revenue; operating expenses; extortion costs; access to reputable third-party vendors for prevention, notification, monitoring, forensics and response; and legal representation.
This confusion between breach and cyber liability coverage often results in a finger-pointing game, an ideal situation for the attorneys involved. P.F. Chang's China Bistro Inc. is currently battling its insurance company over breach-related legal expenses, which it claimed against its general liability policy. That is like claiming a doctor's visit against your homeowners insurance.
The case for SMB coverage
But why would any small to midsize business (SMB) need cyber liability coverage? Isn't the PCI data breach coverage, or breach insurance, enough? What do Heartland Payment Systems Inc., Target Corp. and The Home Depot Inc. have in common? Yes, their breaches all made headlines, but if they generated less than $100 million a year, chances are you wouldn't even know they had been breached, let alone that they existed.
Another thing they had in common, in addition to the resources to prevent data breaches, was a comprehensive cyber liability policy. If these multibillion-dollar companies can devote resources solely to prevention and nonetheless seem to be breached so easily, and with increasing frequency, what does that say about SMBs?
The companies we hear about are the multibillion-dollar institutions, but what size of loss can an SMB truly absorb? One recent story was that Goodwill Industries left its processor after a breach. What would the ramifications of that negative press and the potential loss of other merchants be? How about being pulled into a suit over the loss of a merchant's customers?
One of the many suits against Home Depot involves First NBC Bank of New Orleans, which is seeking class-action status for card reissuing costs, as well as for lost revenue and customers associated with the breach. The costs of reissuing would be covered by PCI breach coverage; the lost revenue and customers would not. Put this in the context of a processor breach affecting its merchants, and it is easy to see how the numbers and legal expenses could add up.
In an industry where the battle against continually shrinking margins is constant, the last thing anybody wants to talk about is yet another product or service that costs money. But for an industry this competitive, and considering the cost to acquire a single merchant, maybe it is time to pay a little more attention to preserving all of that hard work. No matter how well prepared a company is, one cyber-extortion threat and 12 hours could be all it takes to put it out of business, as the software-as-a-service provider Code Spaces found out in June 2014, when an attacker who had taken control of its cloud hosting console deleted its data and backups after a ransom demand went unpaid.
Kevin Mendizabal, Director of Financial Institutions at Frates Insurance and Risk Management, specializes in the electronic payments industry. Prior to joining Frates, Kevin was part of the Financial Institution division at AIG. Previously, he held underwriting and leadership roles in the mortgage banking sphere, as well as at Bank of America. Kevin has a degree in computer science from Rutgers University.