Retailers – A Complex Cyber Exposure

Some clients understand this exposure, but many do not, or incorrectly think that because they outsourced this service it is not their issue to deal with. The contracts in place governing credit card transactions push this liability down to the retailer. Between the contracts and the technology involved, this can be a very difficult exposure to understand. Retailers need to make sure they have adequate coverage based on the number of transactions they process, and most of this task falls to their insurance broker.

Who are retailers?

When we are talking about a retailer in the Cyber Insurance space we are talking about any company that takes credit cards or debit cards. So not just the grocery store, gas station, or restaurant, but also a physician group that takes co-pays via credit card, property managers, CPAs, insurance agents, architects, computer repair businesses, associations, car dealers, plumbers, law firms, etc.

What does a sample credit card transaction look like?

Customer – The customer swipes or inserts card.

Merchant – The merchant processes the card information, passing it to a payment gateway.

Payment Gateway – The payment gateway routes the information to the payment processor.

Payment Processor – The Processor submits the request to a card network.

Card Network – The card network passes the request to the issuing bank.

Issuing Bank – The issuing bank approves or declines the transaction.

Card Network – The card network passes the info to the acquiring bank.

Acquiring Bank – The acquiring bank forwards the response to the merchant.

Merchant Bank – The merchant bank accepts or declines the transaction.

Acquiring Bank – The acquiring bank deposits funds in the merchant’s account and submits the transaction to the card network for payment.

Card Network – The card network pays the acquirer and charges the issuing bank.

Issuing Bank – The issuing bank posts the transaction to the customer’s account.

Customer – The customer gets a monthly statement and pays the issuing bank.

What does the data flow tell us?

There are a lot of businesses involved in just one credit card transaction. Each of these businesses has a contract in place governing that relationship.

Why do clients think they don’t have this exposure?

When a retailer contacts a payment processor for their services, all of the marketing materials suggest that the processor will handle everything. They tout PCI compliance and a full suite of services they will provide. They claim that they will manage the system installation, security, and compliance, including PCI compliance. This is often further masked because the retailer may be dealing with an Independent Sales Organization (which looks like a payment processor) that is registered with Visa, MasterCard, Amex, etc. The ISO may also act as an “Agent” of the bank providing the processing, but in the end the contracts they provide are between the bank and the retailer, adding yet another level of complexity.

Clients seem happy to believe that they have outsourced the processing and the exposure related to that processing. Payment processing firms do not do much to dispel this notion, yet it is far from the truth. In any scenario where there is a breach that affects a retailer’s customers, the retailer is the one legally required to notify their customers and regulators. Without cyber insurance the retailer will incur these costs and then try to subrogate if the breach was actually caused by a third party. This is complicated by a contract that severely limits any liability at the processor level. Payment processors lull merchants to sleep in the sales process and then limit their liability in the contract.

We outsource our processing and we are PCI compliant, so we don’t need cyber insurance, right?

Most retail breaches have been seen at the payment processing terminal level. So while an insured may maintain that they do not touch or store any credit card data, if the bad guys get in through the payment processing terminal in the store (using a memory scraper, skimmer, or other malware), it will be the retailer’s issue to deal with. Additionally, PCI compliance is not the Holy Grail of security. PCI compliance is a minimum standard.

What if the payment processor did not limit their liability?

Even if a processor did not limit their liability, the question I would ask is: do you want them handling a data breach on your behalf? Do you want to manage the process with your clients and regulators? Do you want to rely on them to pay all of the costs related to the breach as they come due? The payment processor is not going to actively pay for all these costs while you manage the breach. You may have to sue them after the fact to recover your costs, and only if the breach was at their level. Per above, if you have a breach at a payment terminal or are a victim of Cyber Extortion, Cyber Business Interruption, Social Engineering, etc., you may have no one to try to recover these costs from.

Would you rather have a policy of your own, so that your carrier will pay the costs (IT Forensics, PR, Customer Notification, Credit Monitoring, Defense Costs, Regulatory Costs, PCI Fines and Assessments, etc.) and then subrogate if possible? As a side note, we have seen very little subrogation in the Cyber insurance space, because it is a very difficult case to prove and the legal costs to pursue subrogation often outweigh the possible recovery.

What does the exposure look like for an average retailer?

Sample account:

  • Retailer with $10M in revenues and roughly 50,000 credit card transactions in a year.
  • The Ponemon Institute estimates their exposure at ~$200 per record, which works out to about $10M for 50,000 records.
  • Actual exposure will vary based on the details of the claim, but based on our models and our experience we would say the exposure is between $1M and $2M, with an actual estimate for a run-of-the-mill breach of 50,000 credit cards of $1.5M.

What would it cost to insure with one of the broadest policies available?

$1M in limits: $3,000 – $3,500

$2M in limits: $5,000 – $5,500

This would include full prior acts and full limits for Breach of Contract, Defense Costs, IT Forensics, Customer Notification, Credit Monitoring, PR, Online Media, Cyber Business Interruption, Cyber Extortion, Network Asset Damage, Cyber Terrorism, PCI Fines / Penalties / Assessments, Regulatory Actions / Regulatory Fines, as well as $100,000 worth of coverage for Social Engineering / Fraudulent Fund Transfer.

So to be fully protected for a catastrophic data breach will cost roughly $5,000 against $10,000,000 in revenues. Why would you not purchase the broadest coverage possible? All too often we see retailers that don’t purchase at all, or that purchase a policy with inadequate sub-limits at a price that is above the market rate.

Conclusion:

Clients need a lot of hand-holding in this space. They need to be shown in detail the contracts they have in place and where this exposure lies. Clients also need to see what that exposure means in terms of the total number of credit cards they process, and what the costs may look like if they had a breach.

An insurance product can be offered to help transfer that risk, but keep in mind this may require the client to improve their cyber risk management, as they need to have the proper controls in place to get the correct coverage. Clients also need a policy that will respond with full limits for all the critical coverages, including PCI Fines and PCI Assessments.

In the event of a breach, a retailer’s liability is contractual. Most of the damages are not at the consumer level but at the merchant bank and acquiring bank: they re-issue the credit cards, and the card networks absorb the fraud costs and pass that liability down the chain to the merchant, who is left footing the bill. Remember, the card networks do not need to file a lawsuit and prove these damages; they just need to point to the contracts in place. Retailers face a complex set of data breach exposures, and evaluating that exposure and getting the correct coverage in place is critically important.
