Data breaches are on the rise, as are the high costs associated with them. Some organizations are looking to cyber insurance to mitigate these costs. However, many in the industry are skeptical.
Is cyber insurance something you really need? What does the insurance cover? What does it not cover? What do you need to know when evaluating coverage?
Definitely do your due diligence before pulling the trigger.
Cyber insurance, like many insurance products, will vary based on the insurer and your institution’s needs. Just as your car insurance policy rates go down as your accident risk level decreases, rates for cyber insurance are based on the risk level for a potential breach. If you want affordable insurance, you will have to prove you are implementing effective security controls (enter ongoing PCI compliance!).
Cyber insurance policies may cover forensic and investigative costs, legal expenses, crisis management and the replacement of lost or damaged equipment. Policies also cover costs associated with notifying breached victims and providing them with credit monitoring services. Fines and penalties are sometimes covered.
Reputation damage and revenue losses associated with the breach are not covered. These losses are difficult to quantify, but can be some of the most significant, especially in higher education.
Another major concern with cyber insurance is whether merchant assessment and service fees are covered. One recent case to note is that of the restaurant chain P.F. Chang’s. In June 2014, P.F. Chang’s discovered point-of-sale malware had compromised over 60,000 payment cards. The restaurant chain immediately notified its insurer, Federal Insurance, which paid out more than $1.7 million to cover breach-related costs associated with the forensics investigation and litigation with consumers and banks.
Following the breach, in March 2015, MasterCard imposed $1.9 million in assessment fees on P.F. Chang’s merchant services provider, Bank of America Merchant Services, for case management, fraud recovery and operational reimbursement costs. P.F. Chang’s sent a request to Federal Insurance for the additional coverage. Federal Insurance denied the claim.
A year of litigation later, courts ruled that P.F. Chang’s was obligated to pay the $1.9 million to Bank of America, stating that while the restaurant chain and all merchants that process card payments must rely on merchant services providers, cyber insurance policies are not required to cover post-breach fees merchants pay those providers to fulfill the obligations of their contracts.
This was a landmark case and confirms that although cyber insurance offers some coverage in the event of a breach, your organization is still going to be liable for numerous fees. It is critical to review all service provider contracts and document the potential liabilities and responsibilities of all parties.
Review your incident response plan as well. Most important of all, make sure you are working hard to implement the PCI DSS as business-as-usual. It might be impossible to prevent hackers from trying to attack your systems or networks, but it is possible to prevent them from gaining access or getting away with any data.
Additional guidance from the Security Advisor Team below:
(Gilmore): Many schools, large and small, are frustrated with implementing all PCI requirements in their current environment. Many see that no matter what, there is no *guarantee* of no data loss.
Remember, compliance is always an ongoing, business-as-usual process that must be reviewed and revised as technology, people, and processes change. Every day there are new vulnerabilities that can harm a system. It is the duty of those who support these systems to make sure they keep up with potential problems and adjust their systems in a timely manner to avoid having a data breach. There is no insurance policy that will mend the reputational black eyes of any institution. It is better to invest in the people (education and/or number of employees) and technology up front to keep a secure system rather than leave holes open and risk a breach, fines, a tarnished reputation, and worst of all the possibility of completely losing the ability to accept payment cards.
If you are considering an insurance policy for your campus and have questions, please do not hesitate to contact us.