[BreachExchange] Know Your Cyber Insurance Gaps Before a Breach Hits

Inga Goddijn inga at riskbasedsecurity.com
Fri Nov 25 19:07:48 EST 2016


http://www.jdsupra.com/legalnews/know-your-cyber-insurance-gaps-before-a-82371/

Data breaches are on the rise throughout the business sector, including the
hospitality industry.

In 2015, in California alone, there were approximately 178 reported
breaches that compromised 24 million records, according to the California
Department of Justice’s Data Breach Report
<https://oag.ca.gov/breachreport2016>. Attacked businesses on average now
incur data breach costs equal to $221 per compromised record, states a 2016
study by the Ponemon Institute <http://www-03.ibm.com/security/data-breach/>,
and response costs to a data breach average in excess of $7 million.

The hospitality industry is, in fact, a prime target—dubiously ranking
within the top three industries targeted by hackers, according to the 2016
Trustwave Global Security Report <https://www2.trustwave.com/GSR2016.html>.
The primary reason is that industry players rely on remote access
software to manage numerous geographic locations and payment processing
systems, thereby creating a veritable smorgasbord of hacking entry points.

With the proliferation of data breaches, it is no surprise that many
hospitality businesses are turning to cyber insurance in an effort to
defray the risk of significant response costs. However, a recent case
illustrates that securing cyber insurance is not a guarantee against all
response costs.

*Case in point*
The pertinent facts of the case are recited here. P.F. Chang’s China Bistro
Inc. obtained a cybersecurity policy from Federal Insurance Company for a
period of 1 January 2014 through 2 January 2015. The policy was marketed as
a “flexible insurance solution designed by cyber risk experts to address
the full breadth of risks associated with doing business in today’s
technology-dependent world” that “[c]overs direct loss, legal liability,
and consequential loss resulting from cyber security breaches.”

P.F. Chang’s, as the insured, was categorized as a high-risk “PCI Level 1”
business because it conducted in excess of six million transactions per
year, many of which involved customer credit cards. At that time, the
company did not process credit card transactions itself, but instead (like
many hospitality businesses) contracted with a third-party vendor (Bank of
America Merchant Services) to facilitate the processing of those
transactions with the various banks issuing the credit cards. P.F. Chang’s
agreed to reimburse Bank of America for any fees, fines, penalties or
assessments imposed on the vendor by any credit card associations.

In June 2014, P.F. Chang’s discovered its system had been breached and
thousands of its customers’ credit card numbers had been posted on the
internet. The company immediately notified its insurer.

In the aftermath of that breach, MasterCard ultimately issued multiple
assessments to Bank of America Merchant Services totaling approximately $2
million—costs incurred by MasterCard to notify affected cardholders,
reissue and deliver new cards, card numbers, and security codes to
customers, and to reimburse fraudulent charges.

Bank of America, in turn, demanded reimbursement of those assessments from
P.F. Chang’s—which the company paid. P.F. Chang’s then tendered those
assessment costs to its insurer for reimbursement under its cyber insurance
policy. When its insurer declined to cover the assessment costs, P.F.
Chang’s initiated its lawsuit.

After reviewing the language of the insurance policy, the court determined
the assessments imposed on Bank of America Merchant Services (and
reimbursed by P.F. Chang’s) were not covered, despite having directly
resulted from the data breach.

As stated in the policy, the insurer was not liable for “any costs or
expenses incurred to perform any obligation assumed by, on behalf of, or
with the consent of any Insured.” The policy further excluded as a covered
loss, “any costs or expenses incurred to perform any obligation assumed by,
on behalf of, or with the consent of any Insured.”

The court therefore concluded that those exclusions “bar coverage for
contractual obligations an insured assumes with a third-party outside of
the Policy.” Because P.F. Chang’s Master Service Agreement obligated it to
assume any assessments imposed on Bank of America Merchant Services
(including MasterCard’s $2 million in assessments), those assessments were
not covered by P.F. Chang’s cyber insurance policy.

It is worth noting, however, that P.F. Chang’s insurer did cover more than
$1.7 million in other breach-related costs, and thus its policy did provide
measurable protection.

*Know your coverage, protect your business*
The hospitality industry is under siege from hackers, and there are a
variety of cyber insurance policies available to industry businesses to
potentially cover breach-related costs. However, unexpected coverage gaps
may exist.

There are two primary lessons for businesses that have or are interested in
securing cyber insurance.

First, it is imperative that you and your legal team thoroughly review and
understand the scope of any cybersecurity coverage you select, paying
particular attention to the express exclusions.

Second, if your business contracts with third-party facilitators to process
credit card transactions, you and your legal team must scrutinize those
contracts (and likely others) to assess whether they potentially create
uninsurable losses. Such information not only might dramatically impact
service contract negotiations with your vendors, but might educate you on
what to look for when securing a cybersecurity policy.