
Payment Card Breaches: Time to Spread the Risk with Mandatory Cyber Insurance

Posted in Cyber Insurance

The BIG 2014 security stories concerning the Target, Neiman Marcus and Michaels payment card breaches have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space. Of course, it was not so long ago that the Heartland Payment Systems breach (2008; 100 million cards exposed) and the TJX breach (2007; 45 million cards exposed) dominated the news cycle. The reactions in the media and among the population then were very similar to those today. The latest round of mega breaches occurred, however, despite the existence of the Payment Card Industry Data Security Standard (PCI-DSS) for a decade. In fact, according to the Verizon 2014 PCI Compliance Report, only 11.1% of the organizations it audited between 2011 and 2013 satisfied all 12 PCI requirements. In other words, just under 90% of the businesses Verizon audited as a PCI Qualified Security Assessor (QSA) failed. This begs the question: despite aggregate expenditures by merchants likely in the hundreds of millions of dollars (if not over a billion) over the last decade, has anything really changed?

Yes, in fact some things have changed — global card fraud losses have increased from about $3 billion annually in 2000 to about $11 billion annually in 2012 (source:  the Nilson Report, August 2013).  Organized crime has increased its activity in the payment card fraud space, and sophisticated economic ecosystems have sprung up to make the fraudulent use of payment cards more efficient.  Payment card breaches are low risk (of getting caught) and high reward crimes, and activity in this space will continue to increase as a result (per the FBI):

The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors . . . we believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.

Moreover, fraudsters have automated and scaled their attacks so they can go after payment cards held by small and medium businesses on a mass basis. These small and medium-sized companies lack the sophistication, technical knowledge and resources to achieve full PCI-DSS compliance (or to take even basic steps like changing the default passwords on the remote access to a point-of-sale system). Breaches of small and medium businesses can result in severe financial difficulties and, in many cases, bankruptcy. That is not to mention the adverse impact and inconvenience suffered by cardholders and their issuing banks.

Payment card breaches are not 100% preventable, and for most merchants over time they are inevitable (indeed, the practice of information security itself has generally recognized this by shifting its attention in recent years from prevention alone to detection, response, containment and mitigation of breaches as well). As such, rather than focusing solely on cumbersome security standards such as PCI-DSS, payment card breaches should be viewed more from an overall risk management perspective.

A full risk management approach includes efforts not only to prevent and contain the breach itself, but also to mitigate the financial impact businesses and individuals may suffer in the wake of a breach.   Spreading the risk of payment card breaches across the payment card ecosystem (e.g. merchants, banks, processors and card brands) is the best way to mitigate the systemic risk that exists.  As such, it is time to consider whether cyber insurance should be mandated either by law or the card brands to achieve this goal.

The Auto-Insurance Analog

Most states require drivers to purchase auto insurance to cover potential liability and property damage arising out of auto accidents. There are several rationales for making automobile insurance mandatory, including the following:

  • Systemic and Unavoidable Risk.  A systemic and unavoidable risk exists with respect to the mass utilization of automobiles in our society.  Accidents will happen within this “system”, and it is impossible to prevent all accidents.
  • Cost of Prevention vs. Optimal Adoption/Use.  One way to manage risk is to require more safety measures to prevent automobile accidents and injury.  However, at a certain point the costs associated with attempting to prevent more accidents undermine the benefits of everybody having access to relatively inexpensive transportation.  If drivers were required to ride around in the equivalent of tanks, large portions of society would not be able to afford a car.  The aggregate benefits and efficiencies we gain as a society of drivers would disappear.  Therefore, it is better to mandate a reasonable level of safety measures and accept some systemic risk.
  • Concentrated Risk vs. Optimal Adoption/Use.  Even when the proper balance between risk prevention and risk acceptance is achieved, adoption and use of automobiles on a mass basis may decrease if risk is concentrated on individual drivers and they are forced to bear the full cost of an accident.  If driving out on the roads and getting into an accident can lead to tens or hundreds of thousands of dollars in losses for a single driver, many would choose not to drive.  This again would undermine the benefits described above.  The solution is to accept a certain risk level, but to spread that risk across the entire system.  That is what mandatory auto insurance does – it helps to maximize the number of drivers while significantly limiting the chance that a single driver will face catastrophic financial loss because of an accident.
  • Avoidance of Adverse Selection and the Development of a Balanced Insurance Market.  Mandatory automobile insurance is necessary to avoid adverse selection.  Adverse selection results when only the riskiest participants in an insurance market purchase the insurance product because they have the most to gain by buying the insurance (or better-stated: the most to lose if they don’t buy the insurance).  However, when the purchase of insurance is not mandatory this can create an unbalanced insurance market where the insurance carriers have the worst risks on their books (resulting in increased claims and losses) with no “good risks” paying premiums to offset losses.  Eventually a market that is exclusively adversely selected against cannot be sustained and the societal benefits of that insurance market disappear.
  • Increasing the Likelihood of Making Victims Whole.  One rationale for mandatory auto insurance is increasing the likelihood that victims of negligent drivers will be made whole.  If the auto insurance market were voluntary, some individuals injured in automobile accidents would be unable to collect damages from uninsured motorists (aka “free loaders” who derive benefit from others purchasing insurance).  From a systemic point of view, some drivers might opt out of driving due to the risk of uncompensated injury or property damage (thereby reducing the aggregate benefits of everybody driving).  Mandating auto insurance results in more drivers and reduces the free loader problem.

The rationale and reasoning for mandatory cyber insurance for payment card breaches is the same.  Ultimately, information security is not about preventing all security incidents; it is about minimizing the risk and impact of security incidents.  There is no such thing as perfect security and risk will always remain in the payment card system.  Breaches will happen (just as there will always be automobile accidents). 

There is also a diminishing return with respect to efforts to prevent security breaches. Organizations cannot cost-effectively build “Fort Knox”, just as drivers cannot afford military-grade armored vehicles. Once a reasonable level of security is achieved, at a certain point it is more cost-effective and efficient to accept a certain level of risk and insure at least a portion of it.

In addition, the payment card system could face an unfavorable risk concentration that could undermine the adoption and use of payment cards in the long run.  If merchants legitimately fear they could be put out of business because of a payment card breach, they may choose to opt out.  I have already had clients inquire about payment card work-arounds (for one client, we explored the possibility of putting ATMs in each of this client’s restaurants).  A system of mandatory cyber insurance for payment card breaches can alleviate this concentration problem and strengthen the payment card system overall.

What types of companies are purchasing cyber insurance currently?  While the profiles may vary, it is likely that many of the “early adopters” are companies who want the insurance because they feel that they are prime targets with a lot of payment card information or that their security may not be adequate.   It is possible that insurance underwriting can weed out these higher risk companies and decrease adverse selection.  However, especially in the small and medium business market, due to competition and other factors, underwriting requirements and standards have decreased significantly.  Even where more involved underwriting occurs, because of the ever-shifting nature of cyber risk and the complexity of security, it is often very difficult to truly understand a company’s risk.  All of these factors could lead to “adverse selection,” and the ultimate question for the insurance industry (especially in light of increasing litigation and regulatory actions) is whether the cyber insurance market is sustainable without a very wide base of insureds.  Like automobile insurance, mandating cyber insurance can help balance the market out to the benefit of insureds, carriers and society as a whole.

Finally, as with auto insurance, mandating cyber insurance across the board can increase the likelihood that the victims of a payment card breach can be made whole. Some organizations that get hit with a breach, because of the financial stress associated with responding to it, are not going to be able to compensate individuals or issuing banks (for card reissuance costs or fraud). Moreover, under the current system, most issuing banks whose cards are exposed get pennies on the dollar for the losses they suffer because of a breach. Mandatory cyber insurance can address both of these issues. With risk spread throughout the system and every organization being covered, breached companies will be able to avoid bankruptcy. In addition, if insurance is available in every case, it may be possible to adjust card brand recovery processes to allow issuing banks to recover more after a security breach.

How Might this Work?

Some readers might blanch at the idea of mandated insurance, and most automatically assume the mandate would come from the government. While a government mandate would work in this context, in the payment card context the card brands are at the top of the pyramid and can impose requirements on merchants that want to accept payment cards. Like the PCI-DSS standard itself, the card brands could agree to require merchants to have some level of cyber insurance. That said, because all of the participants in the payment card system have a stake when it comes to payment card breaches, it may be possible to spread the cost of insurance across all of the stakeholders (merchants, merchant banks, processors and issuing banks). Overall, while there are a lot of details that would have to be worked through, a mechanism (the card brands’ operating regulations and associated payment-card-related agreements) to mandate cyber insurance exists, and governmental involvement is not necessary (although if action is not taken, government action may be the result). Finally, the rationale laid out above applies equally to security breaches involving other types of personal information, including financial and healthcare information — however, that is a conversation for another day.

  • Dave Dyk

    One thought — Could such an insurance mandate by the card brands be tied in with their PCI-DSS Report on Compliance audit requirement?

    In the wake of the Target breach, there has been a lot of finger pointing about the independence and quality of QSA firms. They often do shoddy audit work.

    Back in the early 2000s (around the Enron/Andersen collapse) there was an idea floating around called “financial statement insurance”. Basically, instead of the government requiring publicly-traded companies to be audited, FSI would require that they carry insurance which would pay out to investors if there were a lawsuit that concluded there was a material misstatement in the financial reports. The insurers would price their premiums based on inherent risk factors (how big is the company, what industry is it in, are its finances simple or complex), as well as a specific assessment. E.g. the insurers would be the ones who would select auditors, and they would use the results of those audits to decide whether to continue providing insurance, and how expensive the premiums would be for that insurance. Incidentally, this idea never happened in the U.S. because the Big 4 hate it — they like the status quo where they control the market for big company audits, and FSI would have broken them up and made the market look more like law firms — lots of smaller and mid-sized regional players (including highly specialized firms like yours!).

    I think an FSI-like insurance model would be perfect for the payment card marketplace. Merchants would basically be required to get insurance, and the insurance companies would be empowered to do as much or as little as they want in determining risk, likely using something like PCI-DSS as a tool to standardize their decisions. The insurance would pay out upon a data breach. The insurance companies would hire auditors based on their ability to cost-effectively do *quality* assessments that were based on *real risk*. Poor quality audits would result in bad underwriting, and would be unprofitable for the insurance companies. This would improve the quality of audits when necessary, reduce the burden on smaller companies that have lower inherent risk and higher relative compliance burden, and ultimately help sort out the question of responsibility.

    One final comment is that by going down this path, card brands could easily start including entities who generally do not get a ROC today, but do have lots of cardholder data (namely: issuing banks). This would be a cost effective way to balance risk versus compliance cost for all of the entities with cardholder data.

    • David Navetta

      Dave, I love your thinking here. With respect to underwriting, PCI compliance (or at least validation) will be a factor for insurers (it already is). How insurers get comfortable with a merchant’s PCI status will vary, I am sure. Right now, considering the findings of the Verizon report, I am sure that many insurers assume that many of their retailer policyholders are not fully compliant. That’s okay, because the proper analysis is about risk, not compliance. So in the small and middle market, full PCI compliance may not be necessary for a carrier as long as there is some evidence that the merchant has focused on key security issues around its point of sale. The focus for larger merchants would likely be different (perhaps more around vendor management for merchants that outsource card processing). The point, as is implied by your comment, is that the carriers would have market-based financial incentives to “get it right.” I think that is correct. However, I doubt that the insurers would want to take over the role of QSAs wholesale. That is a completely different business. They will use the PCI validation process as a data point and conduct something less than a full blown audit in order to get comfortable.

      Note, there is also the “loss side” to consider in all this. Carriers, of course, are concerned about the likelihood of a breach, but more important, what is the financial impact of the breach? So carriers will tolerate breaches as long as their book of business, overall is profitable on the loss side. This means that carriers will not demand or expect perfect security — so their standards may not be as high if the losses are manageable.

      • Patrick Florer

        David –
        I have a slightly different takeaway from the Verizon numbers and the Nilson report:
        1) If approx. 10% were found to be PCI compliant, perhaps PCI compliance is too difficult. And, achieving compliance at a point in time in order to satisfy a QSA is a very different proposition than maintaining continuous compliance. I am of the opinion that the latter is basically impossible.
        2) The Nilson report cited above also states that the cost of fraud was $0.0522 (a nickel) per $100 of transactions globally, and roughly double that for the US alone. Even though $11 billion is a lot of money ($5.33 billion in the US), it is a trivial sum compared to the $21.5/$5.05 trillion (globally/US) in payments volume reported by Nilson for 2012. I have always wondered if there was a real benefit to PCI compliance spending. The Verizon and Nilson numbers do little to convince me that there is.
        Best regards,
        Patrick Florer
        Risk Centric

  • Ulf Mattsson

    I like the insurance approach. Sounds like a great model, and the premium level could be related to the types of security controls that the merchant implemented. It can increase the quality of auditing. We know that many QSAs are not skilled enough to do a quality audit; they are selected by the merchant and are also selling their own security solutions. We also know that Target and many other retailers are not even implementing basic best practices in security.

    The payment system is broken from a security point of view and it will take a long time to fix it, but I read an interesting report from the Aberdeen Group that revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”. The name of the study, released a few months ago, is “Tokenization Gets Traction”.

    I think that the Aberdeen approach can quickly address some of the urgent issues, while we start working to fix the other problems.

    Money2020 is saying that “Tokenization has been a hot topic lately” and “In a tokenization scheme, even if a hacker has access to several PAN-token pairs, the tokenization algorithms should be complex enough so that no perfect translation can be reverse engineered.”

    Ulf Mattsson, CTO Protegrity

  • cloudcovered

    David, as you already know, your comments on this topic resonate with CloudCover. Thanks for taking up the torch! —Stephen Cardot