Cyber attacks against point-of-sale (PoS) systems continue to be a major source of pain for retailers and hospitality firms, but recent case law has exposed dangerous gaps in cover that exist in some cyber insurance policies.
PoS systems are used by companies to accept payment from consumers, but also to provide operational information such as accounting, sales tracking, and inventory management, as well as customer loyalty programmes. However, the information captured by such systems is highly valuable to cyber criminals who use it to commit credit card fraud.
A study from security company Trustwave found that incidents involving PoS systems doubled in 2016, with 63% of all US breaches it observed targeting payment card data. Such attacks were most common in the US, which has been slow to adopt the EMV chip standard that is now common in Europe, it said.
According to Verizon, PoS attacks provide rich pickings for cyber criminals, with nearly 98% of all recorded PoS attacks resulting in a confirmed data breach. The focus of attacks has shifted from hotel chains to restaurants and small businesses, it said.
In November 2017, clothing store Forever 21 revealed that it had discovered a cyber attack that had compromised customers’ payment card data over a seven month period. It blamed the intrusion on the failure to activate encryption software, which allowed hackers to plant malware on its PoS terminals.
Forever 21 is just the latest addition to a long list of companies affected by a PoS attack. In May 2017, US retailer Kmart revealed that some of its payment systems were infected with malicious software – the company suffered a similar breach in 2014.
Last year, InterContinental Hotels Group found malware on its payment card systems at over 1,100 of its hotels, while Whole Foods Market in the US and stores owned by Irish retailer Musgrave also suffered similar attacks in 2017.
Cyber attacks and data breaches involving credit card information can be particularly expensive. In addition to the costs of dealing with the breach, companies face sizeable third party liabilities.
Lenders will often cancel and replace cards if their details have been leaked. In December 2017 Tesco Bank in the UK was forced to replace credit cards after it became aware of a data breach at an online retailer. Following the massive Target data breach in 2013, US banks reissued over 17.2 million debit and credit cards at an average cost of USD 10 per card. Data breaches at Sony reportedly cost credit card companies USD 300 million.
Banks, credit card companies and credit card processors will typically look to recoup the cost of reissuing credit cards from retailers, as well as associated fraudulent charges and the cost of providing services like credit and identity theft monitoring. The liability for such costs is often written into contracts and ultimately passed on to the retailer. In some cases lenders will resort to litigation to recover such costs.
Last year, a number of financial institutions successfully sued retailers over costs incurred by cyber security incidents. For example, US lender Veridian Credit Union successfully filed suit against Eddie Bauer in a bid to reclaim the costs of reissuing payment cards after hackers accessed the clothing retailer’s point-of-sale system.
Following the success of that case, Independent Community Bankers of America filed suit against Equifax in the wake of its record-setting data breach, claiming its members incurred costs of notifying customers, replacing payment cards, covering fraudulent purchases, and taking protective measures to reduce the risk of identity theft and fraud. Last year Home Depot reached a USD 27 million settlement with a group of banks claiming damages for losses they incurred after a 2014 data breach at the US retailer.
Litigation has also focussed on the extent of recoverability of costs associated with PoS attacks from cyber insurers. Perhaps the best known case is that of P.F. Chang’s China Bistro, Inc. v. Federal Insurance, which centred on a 2014 cyber attack that compromised approximately 60,000 payment card numbers.
Following the attack, the payment card processor sought to recover from P. F. Chang the costs for notifying affected individuals and delivering new credit cards. Chang attempted to claim these costs from its cyber insurer, Federal Insurance, a unit of Chubb. However, the court ruled in favour of Chubb, citing exclusions for “liability assumed by any insured under any contract or agreement” and because the first insuring clause for loss arising out of a “privacy injury” did not extend to the credit card processor.
The two parties eventually settled their dispute while Chang’s appeal was pending.
The case highlights the need for buyers with credit card exposures to pay special attention to the breadth of cover available for payment card losses, in particular for contractual liabilities to credit card processing companies and banks. While a cyber insurance policy will cover the first party costs of a data breach, it will not necessarily cover all costs. Off-the-shelf cyber insurance policies will often exclude cover for third party contractual liabilities (often referred to as PCI DSS assessments), as this is an exposure that insurers are hesitant to cover.
Some cyber policies do provide specific coverage for payment card industry losses, while others will add such cover via an endorsement. However, payment card cover may be sub-limited or restricted to specific costs, such as Payment Card Industry Data Security Standard fines.
In light of cases like P.F. Chang, buyers of cyber insurance with credit card exposures should run loss scenarios and test their policy language accordingly. They need to work with their advisors to understand their cover and ensure that it is as broad as possible.
By working with your broker, it may be possible to amend the policy language to broaden cover for payment card losses. In some instances an insurer will agree to remove exclusions for liabilities assumed under contract, or to amend wordings to cover liabilities under merchant services agreements.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org