Payment Card Breaches: Time to Spread the Risk with Mandatory Cyber Insurance

The BIG 2014 security stories concerning the Target,  Neiman Marcus and Michaels payment card breaches of have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space.  Of course, it was not so long ago that the Heartland Payment Systems breach (2008;  100 million cards exposed) and the TJX breach in (2007; 45 million card exposed) dominated the news cycle.  The reactions in the media and with the population then were very similar to those today. The latest round of mega breaches occurred, however, despite the existence of the Payment Card Industry Data Security Standard for a decade.  In fact, according to the Verizon 2014 PCI Compliance Report, only 11.1% of the organizations it audited between 2011 and 2013 satisfied all 12 PCI requirements.  In other words, just under 90% of the businesses Verizon audited as a PCI Qualified Security Assessor failed.  This begs the question, despite aggregate expenditures by merchants likely in the hundreds of millions of dollars (if not over a billion) over the last decade:  has anything really changed?

Yes, in fact some things have changed -- global card fraud losses have increased from about $3 billion annually in 2000 to about $11 billion annually in 2012 (source:  the Nilson Report, August 2013).  Organized crime has increased its activity in the payment card fraud space, and sophisticated economic ecosystems have sprung up to make the fraudulent use of payment cards more efficient.  Payment card breaches are low risk (of getting caught) and high reward crimes, and activity in this space will continue to increase as a result (per the FBI):

The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors . . . we believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.

Moreover, fraudsters have automated and scaled their attacks so they can go after payment cards held by small and medium businesses on a mass basis.  These small and medium sized companies lack the sophistication, technical knowledge and resources to achieve full PCI-DSS compliance (or take even basic steps like changing the default passwords on the remote access of a point of sale system).  Breaches of small and medium businesses can result in severe financial difficulties and in many cases, bankruptcy.  Not to mention the adverse impact and inconvenience suffered by cardholders and their issuing banks.

Payment card breaches are not 100% preventable, and for most merchants over time, are inevitable (indeed the practice of information security itself has recognized this generally by shifting its attention in recent years to not only prevention, but also detection, response, containment and mitigation of breaches).  As such, rather than focus solely on cumbersome security standards such as PCI-DSS, payment card breaches should be viewed more from an overall risk management perspective. 

A full risk management approach includes efforts not only to prevent and contain the breach itself, but also to mitigate the financial impact businesses and individuals may suffer in the wake of a breach.   Spreading the risk of payment card breaches across the payment card ecosystem (e.g. merchants, banks, processors and card brands) is the best way to mitigate the systemic risk that exists.  As such, it is time to consider whether cyber insurance should be mandated either by law or the card brands to achieve this goal.

The Auto-Insurance Analog

Most States require drivers to purchase auto insurance to cover potential liability and property damage arising out of auto accidents.  There are several rationales for making auto mobile insurance mandatory, including the following:

  • Systemic and Unavoidable Risk.  A systemic and unavoidable risk exists with respect to the mass utilization of automobiles in our society.  Accidents will happen within this “system”, and it is impossible to prevent all accidents.
  • Cost of Prevention vs. Optimal Adoption/Use.  One way to manage risk is to require more safety measures to prevent automobile accidents and injury.  However, at a certain point the costs associated with attempting to prevent more accidents undermine the benefits of everybody having access to relatively inexpensive transportation.  If drivers were required to ride around in the equivalent of tanks large portions of society would not be able to afford to car.   The aggregate benefits and efficiencies we gain as a society of drivers would disappear.  Therefore, it is better to mandate a reasonable level of safety measures and accept some systemic risk.
  • Concentrated Risk vs. Optimal Adoption/Use.   Even when the proper risk prevention versus risk acceptance balance is achieved, adoption and use of automobiles on a mass basis may decrease if risk is concentrated on individual drivers and they are forced to bear the full cost of an accident.  If driving out on the roads and getting into an accident can lead to tens or hundreds of thousands of dollars in losses for a single driver, many would chose not to drive.  This again would undermine the benefits described above.  The solution is to accept a certain risk level, but to spread that risk across the entire system.  That is what mandatory auto insurance does – it helps to maximize the number of drivers while significantly limiting the chance that a single driver will face catastrophic financial loss because of an accident. 
  • Avoidance of Adverse Selection and the Development of a Balanced Insurance Market.  Mandatory automobile insurance is necessary to avoid adverse selection.  Adverse selection results when only the riskiest participants in an insurance market purchase the insurance product because they have the most to gain by buying the insurance (or better-stated: the most to lose if they don't buy the insurance).  However, when the purchase of insurance is not mandatory this can create an unbalanced insurance market where the insurance carriers have the worst risks on their books (resulting in increased claims and losses) with no “good risks” paying premiums to offset losses.  Eventually a market that is exclusively adversely selected against cannot be sustained and the societal benefits of that insurance market disappear.
  • Increasing the Likelihood of Making Victims Whole.  One rationale for mandatory auto insurance is increasing the likelihood that victims of negligent drivers will be made whole.  If the auto insurance market was voluntary some individuals injured in automobile accidents would be unable to collect damages from uninsured motorists (aka “free loaders” who derive benefit from others purchasing insurance).  From a systemic point of view, some drivers might opt out of driving due to the risk of uncompensated injury or property damage (thereby reducing the aggregate benefits of everybody driving).  Mandating auto insurance results in more drivers and reduces the free loader problem.

The rationale and reasoning for mandatory cyber insurance for payment card breaches is the same.  Ultimately, information security is not about preventing all security incidents; it is about minimizing the risk and impact of security incidents.  There is no such thing as perfect security and risk will always remain in the payment card system.  Breaches will happen (just as there will always be automobile accidents). 

There is also a diminishing return with respect to efforts to prevent security breaches.  Organizations cannot cost-effectively build “Fort Knox” just as drivers cannot afford to military grade armored vehicles.  Once a reasonable level of security is achieved, at a certain point, it is more cost-effective and efficient to accept a certain level of risk and insure at least a portion of it.

In addition, the payment card system could face an unfavorable risk concentration that could undermine the adoption and use of payment cards in the long run.  If merchants legitimately fear they could be put out of business because of a payment card breach, they may choose to opt out.  I have already had clients inquire about payment card work-arounds (for one client, we explored the possibility of putting ATMs in each of this client’s restaurants).  A system of mandatory cyber insurance for payment card breaches can alleviate this concentration problem and strengthen the payment card system overall.

What types of companies are purchasing cyber insurance currently?  While the profiles may vary, it is likely that many of the “early adopters” are companies who want the insurance because they feel that they are prime targets with a lot of payment card information or that their security may not be adequate.   It is possible that insurance underwriting can weed out these higher risk companies and decrease adverse selection.  However, especially in the small and medium business market, due to competition and other factors, underwriting requirements and standards have decreased significantly.  Even where more involved underwriting occurs, because of the ever-shifting nature of cyber risk and the complexity of security, it is often very difficult to truly understand a company’s risk.  All of these factors could lead to “adverse selection,” and the ultimate question for the insurance industry (especially in light of increasing litigation and regulatory actions) is whether the cyber insurance market is sustainable without a very wide base of insureds.  Like automobile insurance, mandating cyber insurance can help balance the market out to the benefit of insureds, carriers and society as a whole.

Finally, as with auto insurance, mandating cyber insurance across the board can increase the likelihood that the victims of a payment card breach can be made whole.  Some organizations that get hit with a breach, because of financial stress associated with responding to a breach, are not going to be able to compensate individuals or issuing banks (for card reissuance costs or fraud).   Moreover, under the current system, most issuing banks whose cards are exposed get pennies on the dollars for the losses they suffer because of a breach.  Mandatory cyber insurance can address both of these issues.  With risk spread throughout the system and every organization being covered, breached companies will be able to avoid bankruptcy.  In addition, if insurance is available in every case, it may be possible to adjust card brand recovery processes to allow issuing banks to recover more after a security breach.

How Might this Work?

Some readers might blanch at the idea of mandated insurance, and most automatically think the mandate would come from the government.  While a government mandate would work in this context, in the payment card context, the card brands are at the top of the pyramid and can impose requirements for merchants that want to accept payment cards.  Like the PCI-DSS standard itself, the card brands could agree to require merchants to have some level of cyber insurance.  That said, because all of the participants in the payment card system have a stake when it comes to payment card breaches, it may be possible to spread the cost of insurance across all of the stakeholders (merchants, merchant banks, processors and issuing banks).   Overall, while there are a lot of details that would have to be worked through, a mechanism (the card brand’s operating regulations and associated payment-card related agreements) to mandate cyber insurance exists, and governmental involvement is not necessary (although if action is not taken, government action may be the result).  Finally, the rationale laid out above applies equally to security breaches involving other types of personal information, including financial and healthcare information -- however, that is a conversation for another day.