The Green Sheet Online Edition
April 11, 2016 • Issue 16:04:01
Be wary of hackers seeking BII
Numerous articles and discussions in the payments industry revolve around breaches and the importance of protecting personally identifiable information (PII). Rarely discussed is the topic of protecting business identifiable information (BII) and the negative ramifications of a compromise of that data.
Whether data is managed internally or by a third party, it is important to explore how much more valuable the BII of one's clients is than PII and to know the damage that can be done with that information. To illustrate, let's examine a data breach at three levels.
First scenario: merchant-level breach
At the merchant level, the liability faced is to customers, issuers and regulators, and includes contractually agreed upon duties and fees, as well as response costs. In other words, a merchant can be sued by its customers and customers' banks, and be fined or assessed by state and federal regulators and Payment Card Industry (PCI) Data Security Standard (DSS) authorities.
PCI insurance, as it is commonly referred to in the payments industry, is a stripped-down version of cyber insurance and will cover only some of these costs. Liabilities such as damages, defense costs, lost revenue and reputational restoration costs are not covered, because coverage for these is offered only by a comprehensive policy.
A merchant could incur costs to defend against a lawsuit by an issuing bank, including the cost of a judgment. Losses a bank incurs because of a merchant could be sought and included in such a judgment. Although issuing banks can obtain plastic card insurance to cover certain losses, The Home Depot Inc. and Target Corp. cases show that merchants and issuers alike face both lost revenue and the public relations costs associated with restoring damaged reputations.
Second scenario: ISO-level breach
Let's take the same breach scenario using an ISO serving 1,000 merchants, each with $100,000 per year in sales. A competitor who obtained those merchants' information and terms would have a great sales advantage. Because of this, organizations go to great lengths to contractually prevent competitors from accessing this data.
However, what could someone with no interest in stealing merchants for his or her own portfolio do with this information? Further, what could this ISO be held liable for should this data become compromised?
To explore this, we must put on our criminal thinking caps. One could:
- Use merchants' bank information to request fraudulent wires. Banks are not liable for these losses (although many people think they are), and only individuals are protected, not businesses.
- Impersonate a merchant to take out bank loans or open business credit cards – bonus points for defrauding the ISO's acquiring bank.
- Request a merchant cash advance in the compromised merchant's name – bonus points for getting an MCA from the compromised ISO if it offers this service.
- Steal the identity of merchant principals – bonus points for establishing new businesses with stolen identities to open merchant accounts through the compromised ISO.
- Steal from merchants' customers: Establish a merchant clone site where "sales" are made but goods aren't delivered – bonus points for using the compromised ISO's processor.
- Establish lines of credit with other businesses – bonus points for defrauding other merchants in the ISO's portfolio.
- Steal merchant employee PII – bonus points if employees sue merchants.
- Unleash a cyberattack on merchants: hijacking or duplicating websites, for example.
- Extort merchants by threatening harm to people or property.
These scenarios have nothing to do with being PCI compliant or how secure systems are. All potential loss scenarios can cause substantial loss to an ISO, its merchants and business partners. This is why any acquiring bank or processor with solid underwriting practices will require evidence of multiple lines of specific insurance.
Third scenario: cloud-level breach
Third-party cloud or customer relationship management (CRM) solutions offer value by managing data and thereby assuming some of this liability. However, a company can still be named in a lawsuit if a breach takes place at a third party. Any company using third-party services, in addition to having its own cyber liability insurance policy, should require said third party to name the company as an additional insured on its policy.
Typically, a service provider will have indemnification language in its agreement. But this is not always the case, and even when it is included, it will not do any good in the event of insolvency. The 1,000-merchant portfolio discussed above demonstrates how devastating a loss can be to just one ISO. Imagine the financial devastation at a breached CRM provider managing 10 ISOs.
It is crucial for an organization not to rely on one particular strategy in protecting its clients' data. No matter how secure a firewall or virus protection may be, the potential for a breach is ever present. No matter how strong indemnification language between two organizations is, a chance of not being able to fulfill these obligations always exists. If one company is entrusted with another company's data, proof of insurance should be required and, ideally, a copy of the insurance policy provided.
The logic behind reviewing a provider's policy is to ensure it is comprehensive, not stripped-down. For many organizations, insurance is last on the list of priorities. The cost of such managerial neglect can be financially devastating to a company, its business partners, and the individual directors and officers.
Many companies, including insurance brokers, simply look for the cheapest policy without regard to what is actually covered. The price an organization pays for insurance is meaningless if it does not cover a claim that it was purchased to cover. Furthermore, insurance is not a substitute for controls. People do not buy auto insurance so they can drive drunk.
Having few controls in place while touting the importance of PCI compliance to merchants seems ironic, but it exists. What this says about an organization is that its leaders have nothing worth stealing and place little value on their customers and company.
For example, what does the fine handed to Dwolla by the Consumer Financial Protection Bureau say to a potential customer or business partner? Aside from the CFPB's accusations, one can deduce a few things. First, the company has no cyber insurance in place, since one of the requirements to attain such coverage is good cyber security protocols. In addition, Dwolla's financial institution partners exposed themselves to losses by not performing their own due diligence. A substantial loss would also get the attention of investors (or accountholders). Subsequently, a lawsuit could be brought against the individual directors and officers of the bank.
It is time for the payments industry to take a close look at its own risk management practices, not solely those of its merchants. Cyber security involves having proper protocols, technology and insurance in place ‒ and knowing that your business partners do the same. If you are an officer of your company, not doing so could result in your being sued individually and losing your personal assets, as many executives have experienced.
Kevin Mendizabal, Director of Financial Institutions at Frates Insurance and Risk Management, specializes in the electronic payments industry. Prior to joining Frates, Kevin was part of the Financial Institution division at AIG. Previously, he held underwriting and leadership roles in the mortgage banking sphere, as well as at Bank of America. Kevin has a degree in computer science from Rutgers University. You can reach him at firstname.lastname@example.org or at 405-290-5610.