When the front lines of IT security fail and a cyber breach occurs, businesses often rely on insurance to reduce the financial impact of the breach, which can be extreme. Policies are usually written to ensure that the insured recovers extra expenses incurred and is covered for fines and penalties placed on the company by regulatory agencies.
According to the Ponemon Institute 2016 Cost of a Data Breach Study: United States, the average cost for each lost or stolen record containing sensitive and confidential information is $221, and the average cost that organizations paid to respond to a data breach is $7.01 million.
Without a cyber liability insurance policy in place, it may be impossible for an organization to recover after suffering a significant cyber breach. However, it is important to keep in mind that even if you have purchased a cyber policy, gaps in the coverage may exist, rendering some or all of your coverage useless.
A prime example of this is the P.F. Chang’s China Bistro vs. Federal Insurance Company case that occurred in 2016. P.F. Chang’s, designated by the Payment Card Industry Data Security Standards Council as high risk (PCI Level 1), purchased a CyberSecurity by Chubb insurance policy which was marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today’s technology-dependent world,” that “covers direct loss, legal liability, and consequential loss resulting from cyber security breaches.”
Chang’s, which did not process its own six million-plus annual credit card transactions, entered into a Master Service Agreement (MSA) with Bank of America Merchant Services (BAMS) to process credit card payments. The agreement noted that Chang’s agreed to pay BAMS any fines, fees or penalties imposed on BAMS by any association(s).
When Chang’s suffered a data breach resulting in the loss of roughly 60,000 credit card records, MasterCard issued assessments to BAMS totaling approximately $2,000,000, covering the costs to notify cardholders of the breach, issue new credit cards, and reimburse fraudulent charges. In accordance with their agreement, Bank of America looked to Chang’s for reimbursement of those fees. Chang’s then looked to its insurance policy for coverage.
Unfortunately for Chang’s, the court reviewed the policy language and determined that the exclusion for “any costs or expenses incurred to perform any obligation assumed by, on behalf of, or with the consent of any Insured” applied: because Chang’s obligation to reimburse BAMS for the MasterCard assessments arose from its contract with BAMS, those costs were excluded and Chang’s was left liable for them.
This case shows the importance not only of carefully reviewing your coverage for significant exclusions, but also of understanding the depth of any contracts or agreements with third-party providers, as they may introduce exposures not covered by your insurance policy.