Digital Transactions Authoritative, insightful and timely information for payments professionals
Jim Daly
Data-breach insurance has become a mainstream product in the merchant-acquiring business, but some executives say PCI compliance and diligent security practices negate the need to buy coverage. What’s next?
The unnerving reality that credit and debit card-accepting merchants and their processors can have their computer systems hacked spawned a new niche in the insurance industry in recent years: covering losses from payment card data breaches.
Having such coverage eases the financial pain of a breach, which can generate losses of tens of millions of dollars or even more. Just ask the big merchant acquirer Global Payments Inc., which in March 2012 reported that part of its processing system had been hacked. Global Payments said the breach may have compromised 1.5 million cards.
Global Payments only reported bits and pieces publicly about the extent of the breach and how it happened, but the total tab was a biggie—$121.2 million, according to the company’s annual report for fiscal year 2013 ended May 31. The bills covered forensics, improved security, compensation to issuers for card re-issuance and fraud on compromised cards, network fines and professional services.
Luckily, Atlanta-based Global Payments had a $30 million data-breach insurance policy in place at the time. The policy had a $1 million deductible and as of last May had paid out $20 million.
Global is by no means the only big merchant processor or national retailer to have suffered a data breach. Yet the vast majority of computer break-ins—80% or more, according to Trustwave Holdings Inc., a data-breach investigator and security-services provider—that result in the theft of payment card data occur at small merchants that have insecure point-of-sale terminals, wireless networks or back-office systems.
‘Extremely Nice To Have’
These merchants, dubbed Level 4 for physical merchants or Level 3 for e-commerce retailers, usually get their processing services through an independent sales organization. In recent years having some type of coverage for breach-related losses has become common in merchant contracts.
A data breach at a Level 4 merchant generates an average of $40,000 in losses, says Robert Halsey, president of Royal Group Services, a Troy, Mich.-based insurance brokerage. While way less than the losses Global Payments and other big processors and retailers have suffered from data breaches, a $40,000 uninsured loss could easily put a mom-and-pop store or restaurant out of business. Just ask any ISO executive about some of his or her former accounts.
The true threat posed by data breaches has only emerged in the past decade as Internet connectivity became ubiquitous, a downside of which is the possibility that hackers can gain electronic entry into poorly guarded computer and telecommunication systems. The increased risk of data breaches spurred the merchant-acquiring industry and insurers to address the new concerns.
“For the small merchant, it’s kind of unlikely to have a claim, but if you have data breach, it’s extremely nice to have,” says Rick Noble, chief executive of North Kansas City, Mo.-based BCC Merchant Solutions, parent company of the ISO BankCard Central.
Not all ISO executives and merchant-acquiring experts agree. They say that paying insurance premiums may be an unnecessary expense if merchants and their acquirers comply with the Payment Card Industry data-security standard (PCI)—the card networks’ common set of security rules—and otherwise do a good job of protecting their computers and telecom systems from cyberthieves snooping for account data to steal and then re-sell to card counterfeiters.
“Is there a need? I’m not sure,” Adil Moussa, a former acquiring executive who now runs Adil Consulting in Omaha, Neb., says by email. “However, people—merchants—always pay for peace of mind. If the industry is making compelling arguments that move merchants in that direction, merchants will buy it. But that begs the question: Why are merchants also paying for [data] encryption and going through PCI-compliance exercises and paying for the compliance? If encryption is sufficient, shouldn’t merchants not have to need insurance?”
Adds Henry Helgeson, chief executive of Merchant Warehouse Inc., a Boston-based ISO: “Our opinion is that breach insurance right now is prohibitively expensive. I don’t see it paying out enough that we would offer it to our merchants. There are a lot of ‘gotchas.’”
But the peace of mind Moussa mentioned makes breach coverage an attractive service for many merchants and the ISOs that serve them. Insurers are responding to this demand. According to an article from a January 2012 publication by A.M. Best Co., the big insurer rating company, more than 50 insurance companies offer data-breach coverage to small and mid-size businesses.
“Knowing you’re not going to be put out of business—merchants get that,” says Halsey.
Few small merchants buy data-breach insurance directly. Instead, the insured party of record is the ISO or acquirer, which assumes liability on behalf of its merchant customers. A mid-sized ISO could pay $1 million or more a year for coverage, so cost indeed is an important consideration for acquirers.
The expense of the premium is spread out over an ISO’s portfolio so that an individual Level 4 merchant usually pays little for coverage—perhaps $5 to $8 per month, according to experts. For that, the merchant usually gets $50,000 in breach-related coverage. A few dollars more can buy $100,000 in coverage. Still other add-on fees will pay for annual PCI audits and related security and compliance expenses. Some vendors of security technology also make insurance coverage available with their products.
‘Very Solid Product’
Halsey says Royal Group in 2007 became the first provider to bring a data-breach coverage product to market. As a brokerage, Royal Group does not underwrite policies directly but instead works with multiple carriers. Halsey would not identify Royal’s business partners, but says some of the major insurance companies in the market include AIG, Great American and Lloyds of London, the big re-insurer.
Royal Group, through “hundreds” of policyholders, covers about 20% of the approximately 10 million U.S. locations where consumers can pay with a credit or debit card, according to Halsey.
“It’s been a very solid product for us,” he says. “We’ve got millions of merchants on it.”
Royal gets one to two claims per week on average, Halsey says. Policies typically pay the cost of post-breach forensic audits, network fines, replacing compromised cards, and notification expenses, according to Thomas Mulligan, financial-institutions manager at Frates Insurance & Risk Management LLC, an Oklahoma City-based firm that works with Royal Group.
“Probably the most important aspect is the audit expense,” says Mulligan, citing the case of a restaurant chain that suffered a data breach. The payment systems at all 11 of its locations had to be probed. “That gets to be expensive.”
Network fines, Mulligan adds, can also be costly depending on how many card numbers are compromised.
“We’ve seen breaches where there’s a couple hundred thousand cards and breaches with a few hundred cards,” he says. Get up to 50,000 or so and “that’s going to be a pretty significant fine.”
BankCard Central now requires breach insurance, which costs its merchants under $10 per month, according to Noble. “It’s a combination of our whole PCI program,” he says.
Liability Coverage
Other insurance market players sense opportunity from businesses that want more than standard data-breach coverage. Walnut Creek, Calif.-based Identity Fraud Inc. started out 15 years ago offering identity-fraud coverage to consumers but has expanded into the realm of business coverage.
As a program administrator, Identity Fraud works with carriers to offer up to $1 million in coverage, and its SB Core Protector products will pay expenses beyond the standard covered costs in most Level 4 data-breach insurance.
“We sit above the PCI coverage in the marketplace,” says company president and chief executive Thomas A. Widman. “It’s PCI and more, and quite importantly, liability coverage. When you get sued, PCI insurance does not respond to a lawsuit. PCI coverage is extremely important, but it is not liability insurance.”
In addition to liability coverage at the $50,000, $250,000 and $1 million levels, SB Core Protector offers monitoring of businesses’ credit records after a breach, credit alerts, and other services. And unlike conventional data-breach plans offered through ISOs and acquirers, Identity Fraud does individual underwriting of merchant applicants through its online platform.
Despite the widening variety of data-breach insurance products available to merchants and acquirers, some still question the need for them. One is Princeton, N.J.-based acquirer Heartland Payment Systems Inc., which serves more than 100,000 small businesses and which holds the record for the biggest data breach ever in the card industry, with some 130 million card numbers exposed.
After first disclosing in early 2009 what was clearly shaping up to be a massive breach, Heartland embarked on a big security and technology upgrade that included the introduction of its own line of so-called end-to-end data-encrypting point-of-sale terminals, PIN pads and related hardware under the E3 brand. Merchants using the E3 products get a warranty that states in the event of a breach within the first year, Heartland would pay for the related costs, a spokesperson says by email.
“Heartland does not sell or provide PCI or breach insurance to its merchant customers or have any preferred-provider arrangements at this time,” the spokesperson says. “The company feels the best way to protect against breaches is through ongoing PCI compliance and education about how to create a safe environment, including strong passwords; never writing down card data; updated malware [protection] and firewalls, etc. We also have a PCI program where we refer merchants to a preferred provider for PCI services, like filling out the PCI questionnaire and doing any applicable reporting and/or scanning services.”
Likewise, Helgeson of Merchant Warehouse would rather spend his security budget on fortified POS terminals than on insurance premiums.
“It costs a year’s worth of breach insurance [per merchant] to put in an encrypted terminal,” he says.
The card networks’ mandate that merchants and processors comply with the PCI rules isn’t about to go away, which could dampen demand for data-breach coverage by some acquirers. Meanwhile, market observers say demand for breach insurance by ISOs is fairly stable following big growth a few years ago.
But that could change as technology changes. Witness the coming conversion of the U.S. from magnetic-stripe payment cards to the Europay-MasterCard-Visa (EMV) chip card standard through a series of deadlines over the next few years from the networks. Noting the experience of other countries that have gone through similar conversions, security experts expect card fraud to migrate from the point of sale, where data on EMV cards is very hard to steal, to the Internet, where chip cards offer no better protection than mag-stripe cards. Level 3 merchants might be very interested in beefing up their data-breach coverage.
“The changes coming with EMV, I think, will impact the product,” says Royal Group’s Halsey. “There’s a lot of unknowns.” Halsey adds that his company is preparing for EMV payments but he can’t discuss its strategy publicly.
What seems certain, however, is that demand for data-breach insurance in one form or another will be around as long as there are fraudsters trying to steal card numbers, expiration dates and related information. BankCard Central’s Noble says there isn’t much difference between medical and data-breach insurance.
“It’s worth very little if you don’t use it, but if you use it, it’s worth it and then some,” says Noble.
—With additional reporting by John Stewart
A Breached Grocery Store’s Happy Ending?
Schnuck Markets Inc. thought it had enough woes after disclosing a data breach in mid-April. The breach may have compromised about 2.4 million payment cards used at 79 of its 100 stores between December 2012 and late March 2013, the St. Louis-based regional supermarket chain said. By late summer, Schnucks was facing eight breach-related lawsuits, not to mention costs directly arising from the hack.
Then, in August, Schnucks was blindsided by its insurer, Liberty Mutual Insurance Co., which filed a federal lawsuit seeking a court declaration that its commercial liability policy for Schnucks did not cover data breaches. Liberty claimed that it was only responsible for covering bodily injury or damage to tangible property in excess of a self-insured amount, not losses from the theft of card data.
“For purposes of this insurance, electronic data is not tangible property,” the lawsuit said.
Insurance-industry executives described the lawsuit as unusual. But the mini-drama never got to Act II. In mid-October, a Schnucks spokesperson told Digital Transactions that the lawsuit had been dismissed.
“Liberty Mutual and Schnucks have agreed to discuss alternatives to litigation,” the spokesperson said by email. The spokesperson would not comment further. A spokesperson for Boston-based Liberty Mutual confirmed that account.
One lesson from the dust-up may be that rather than relying on general liability policies, big companies may need to either buy specific data-breach coverage or get breach riders to their general coverage if they want assurance they won’t bear all the losses from a data breach alone.
