“Everybody has secrets, the trick is just finding out what they are.” - Lisbeth Salander
In Part 1 of this series, we discussed the importance of understanding your company’s exposure in the event of a cyberattack or data breach, and making sure your cyber insurance policy limits reflect that exposure. In this installment, we’ll take a look at the importance of understanding your Payment Card Industry Data Security Standards (PCI DSS) exposure as part of your cyber insurance coverage.
If you are a brand or manufacturer that sells products via online direct-to-consumer channels, then you likely take credit/payment card and other confidential information from consumers (e.g., name, address, telephone number, e-mail address, personal preferences) to process these transactions, as well as username and password information. In order to do so, you must comply with PCI DSS, a series of complex requirements developed by the PCI Security Standards Council (consisting of Visa, MasterCard, American Express, Discover, and JCB) to ensure merchants are securing their customers’ account data.
Failure to comply with PCI DSS can have disastrous consequences for your business, so it is important to understand how the process works. After a customer inputs his or her credit card and personal information to process a transaction on your website, your system will forward this information to a payment processor. The processor will then contact the credit card company and the customer’s bank for authorization to complete the transaction. If authorized, the funds will be transferred and deposited into your business account.
All of this happens because of several contracts among the parties, most notably: (1) the membership contract between the credit card company and your bank; and (2) the contract between your bank and your company. In the event your company suffers a data breach and customer and card information is compromised, the credit card company may require your bank to pay PCI DSS fines and assessments if non-compliance is found. Of course, the MSA, your company’s contract with the bank, will require your company to reimburse the bank for those fines and assessments, which can be significant, ranging from $5,000 to $500,000 per month and $50 to $90 per customer compromised.
Now consider our discussion in Part 1 about how sublimits can erode your aggregate limit. Let’s say you have an aggregate cyber insurance limit of $3 million, with a PCI DSS fines/assessment sublimit of $2 million. Your system is breached and numerous customer records are compromised. It is determined you were non-compliant in securing customer data, and are therefore required to pay substantial fines and assessments under the MSA, maxing out your PCI DSS sublimit in the process. This would leave your company with only $1 million in insurance proceeds to cover investigations, expensive notification costs, business interruption, customer lawsuits, and responding to regulatory inquiries. Needless to say, the result could be catastrophic to your business.
Even worse, you may think you have purchased PCI DSS coverage only to be blindsided by the insurer telling you later that there was in fact no such coverage. I have worked with multiple clients that purchased cyber insurance explicitly providing coverage limits for PCI DSS fines and assessments, as well as specifically covering these items throughout the policy. However, upon analyzing the policy and coverage, we discovered the insurers had tucked a small endorsement at the end of the policy excluding coverage based on liability arising from MSAs and other payment card agreements. In other words, there was no coverage for the only contracts where PCI DSS fines and assessments could be found. Fortunately, we discovered this issue prior to any cyberattack or data breach event and have been able to take steps to remedy the discrepancy.
In sum, talk to your IT personnel to make sure you have appropriate levels of PCI DSS coverage as part of your cyber insurance, and that the appropriate aggregate limit is in place. You can also work with IT to establish a compliant framework for securing customer payment data, minimizing exposure to fines and assessments. Finally, you need to confirm that your cyber policy is actually covering your PCI DSS exposure. Just ask P.F. Chang’s how important this coverage can be. As always, we’re here to help.
In Part 3 of this series, we’ll discuss how vague and ambiguous language in your cyber insurance can result in loss of insurance proceeds, and how you can fix that language.