View this article online: https://www.insurancejournal.com/magazines/mag-features/2016/09/06/424905.htm
Rebuilding Cyber Insurance in the Wake of P.F. Chang’s vs Chubb Ltd.
If the cyber insurance landscape seems like a confusing mess, you are not alone. In fact, the recent case of P.F. Changs v. Federal Insurance Co. (Chubb), in which P.F. Chang’s filed suit after being denied a claim following a data breach, suggests no one can be certain how policies will fare in the event of a breach. But this case doesn’t mean cyber insurance is useless; far from it. Rather, the case should be a rallying cry for industry leaders to patch problems that can no longer be ignored. Now is the time for insurers, insureds, lawmakers and cybersecurity experts to come together to define this crucial vehicle for mitigating the fastest-growing risk to businesses.
To understand the significance of the Chubb ruling, it’s necessary to know exactly why they went to court.
As has previously reported, Chubb Ltd. sold P.F. Chang’s an insurance policy covering “direct loss, legal liability, and consequential loss resulting from cyber security breaches.” In 2014, P.F. Chang’s became aware that hackers had gained access to the payment systems in its restaurants, gathering 60,000 credit card numbers and posting them online. As a result, Chubb reimbursed Chang’s $1.7 million to cover costs from the breach. That transaction represents the ideal for cyber insurance: insured purchases a policy, suffers damages and is reimbursed. If that had been the end of it, everyone would be walking away with warm and fuzzies – or at least confidence in their policies.
In addition to the $1.7 million in direct injuries, P.F. Chang’s got hit for another $1.9 million in fines levied against them by their credit card processing vendor for Payment Card Industry (PCI) assessments following the breach. P.F. Chang’s paid $1.9 million to Bank of America Merchant Services and was then denied reimbursement from Chubb. That’s when they filed suit. The court ruled with Chubb, leaving P.F. Chang’s with more than half the bill from their data breach.
‘Fining’ Retailers
This practice of payment processors “fining” retailers for PCI assessment following a data breach is common, but that doesn’t mean retailers like it or even agree that it is a legitimate cost. A spokesperson for the National Retail Federation has called it “a near scam.” In fact, there is currently a pending case in which a retailer, Genesco, is suing VISA for exactly this reason. Banks and card processors can unilaterally collect fines that are within the terms of service from retailers, putting the burden on retailers to lobby for reimbursement.
There are insurance policies that would cover the PCI assessment costs that left more of a sour than sweet taste in P.F. Chang’s mouth. At a minimum, this ruling is a reminder for insureds to understand their coverage. But in the context of the larger legal landscape, where crucial points of law are yet to be decided or even brought to court, it suggests that carefully reading your policies may not be enough. There are disconnects between insurers and insureds on the meaning of words at the heart of current cyber insurance products.
To make matters worse, the technical complexity of modern businesses requires the concept of liability to be rebuilt from the ground up. As at P.F. Chang’s, retailers rely on third-party card processors through whom all their revenue flows. Responsibility for the technical systems involved in a purchase transaction – that is, the things that are actually breached in a data breach – is spread across the multiple vendors involved in a credit transaction and may even involve additional managed service providers who administer the systems, but are not employed by either company.
Point-of-sale systems may be updated by the card processor, but physically located in a retailer, preventing either one from taking full responsibility for all breach vectors. For example, a machine may be breached due to unauthorized physical access allowing the exploit of an unpatched software vulnerability, but because liability is not clear, retailers and card processors are left arguing over how to split the check.
Improving the Situation
Insurance is a vital social mechanism for distributing risk. Improving this situation is a responsibility for all parties involved. Legal experts need to clarify how today’s laws function and what changes are needed to protect digital businesses. Lawmakers must unite to create a legal environment in which claims are decided by adjusters instead of courts. Insurers and insureds need to work together early in the underwriting process to be clear on possible outcomes who is responsible for what.
Those are the feel-good solutions everyone can agree on, but there are harder truths ahead as well. Premiums based on a misunderstanding of the product are by definition underpriced. Premiums will rise; in this case P.F. Chang’s was expecting double the coverage than they actually had. As more insureds understand the coverage they need and purchase policies accordingly, the risk pool stands to increase dramatically – and that’s not even accounting for the rising number of attacks.
Insurers and insureds both need to partner with technology providers to get information they are sorely missing. Good fences make good neighbors, and having visibility and accountability for IT systems is the only way for liability to be determined fairly and predictably. With that will come better models for IT risk and more accurate pricing of premiums. Currently, however, insurers are flying blind, relying on historical claims patterns that will change quickly as cases like this alert retailers to the risks they have unknowingly retained.
There is a tremendous opportunity for insurers and retailers to benefit from cyber insurance, but they can’t succeed alone. The legal community needs to be engaged to clarify how the law will function in this new market, and cybersecurity experts must build data products that can generate actuarial tables. Together, we can blunt the threat cyber attacks pose to business. Until then, sadly, the cost of data breaches will include one more line item: lots and lots of lawyers.