BreachExchange mailing list archives

Payment Card Breaches: Time to Spread the Risk with Mandatory Cyber Insurance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Feb 2014 18:55:29 -0700

http://www.infolawgroup.com/2014/02/articles/cyber-insurance/payment-card-breaches-time-to-spread-the-risk-with-mandatory-cyber-insurance/

The BIG 2014 security stories concerning the Target, Neiman Marcus and
Michaels payment card breaches have highlighted the significant criminal
hacking and fraudulent payment card activity that goes on in the retail
space.  Of course, it was not so long ago that the Heartland Payment
Systems breach (2008; 100 million cards exposed) and the TJX breach
(2007; 45 million cards exposed) dominated the news cycle.  The reactions in
the media and with the population then were very similar to those today.
The latest round of mega breaches occurred, however, despite the existence
of the Payment Card Industry Data Security Standard for a decade.  In fact,
according to the Verizon 2014 PCI Compliance Report, only 11.1% of the
organizations it audited between 2011 and 2013 satisfied all 12 PCI
requirements.  In other words, just under 90% of the businesses Verizon
audited as a PCI Qualified Security Assessor failed.  This begs the
question, despite aggregate expenditures by merchants likely in the
hundreds of millions of dollars (if not over a billion) over the last
decade:  has anything really changed?

Yes, in fact some things have changed -- global card fraud losses have
increased from about $3 billion annually in 2000 to about $11 billion
annually in 2012 (source:  the Nilson Report, August 2013).  Organized
crime has increased its activity in the payment card fraud space, and
sophisticated economic ecosystems have sprung up to make the fraudulent use
of payment cards more efficient.  Payment card breaches are low risk (of
getting caught) and high reward crimes, and activity in this space will
continue to increase as a result (per the FBI):

"The growing popularity of this type of malware, the accessibility of the
malware on underground forums, the affordability of the software and the
huge potential profits to be made from retail POS systems in the United
States make this type of financially-motivated cyber crime attractive to a
wide range of actors . . . we believe POS malware crime will continue to
grow over the near term despite law enforcement and security firms' actions
to mitigate it."

Moreover, fraudsters have automated and scaled their attacks so they can go
after payment cards held by small and medium businesses on a mass basis.
These small and medium-sized companies lack the sophistication, technical
knowledge and resources to achieve full PCI-DSS compliance (or take even
basic steps like changing the default passwords on the remote access of a
point of sale system).  Breaches of small and medium businesses can result
in severe financial difficulties and in many cases, bankruptcy. Not to
mention the adverse impact and inconvenience suffered by cardholders and
their issuing banks.

Payment card breaches are not 100% preventable, and for most merchants over
time, are inevitable (indeed the practice of information security itself
has recognized this generally by shifting its attention in recent years to
not only prevention, but also detection, response, containment and
mitigation of breaches).  As such, rather than focus solely on cumbersome
security standards such as PCI-DSS, payment card breaches should be viewed
more from an overall risk management perspective.

A full risk management approach includes efforts not only to prevent and
contain the breach itself, but also to mitigate the financial impact
businesses and individuals may suffer in the wake of a breach.
Spreading the risk of payment card breaches across the payment card
ecosystem (e.g. merchants, banks, processors and card brands) is the best
way to mitigate the systemic risk that exists.  As such, it is time to
consider whether cyber insurance should be mandated either by law or the
card brands to achieve this goal.


The Auto-Insurance Analog

Most States require drivers to purchase auto insurance to cover potential
liability and property damage arising out of auto accidents.  There are
several rationales for making automobile insurance mandatory, including
the following:

- Systemic and Unavoidable Risk.  A systemic and unavoidable risk exists
with respect to the mass utilization of automobiles in our society.
Accidents will happen within this "system", and it is impossible to
prevent all accidents.

- Cost of Prevention vs. Optimal Adoption/Use.  One way to manage risk is
to require more safety measures to prevent automobile accidents and injury.
However, at a certain point the costs associated with attempting to
prevent more accidents undermine the benefits of everybody having access to
relatively inexpensive transportation.  If drivers were required to ride
around in the equivalent of tanks, large portions of society would not be
able to afford a car.  The aggregate benefits and efficiencies we gain as
a society of drivers would disappear.  Therefore, it is better to mandate a
reasonable level of safety measures and accept some systemic risk.

- Concentrated Risk vs. Optimal Adoption/Use.   Even when the proper risk
prevention versus risk acceptance balance is achieved, adoption and use of
automobiles on a mass basis may decrease if risk is concentrated on
individual drivers and they are forced to bear the full cost of an
accident.  If driving out on the roads and getting into an accident can
lead to tens or hundreds of thousands of dollars in losses for a single
driver, many would choose not to drive.  This again would undermine the
benefits described above.  The solution is to accept a certain risk level,
but to spread that risk across the entire system.  That is what mandatory
auto insurance does - it helps to maximize the number of drivers while
significantly limiting the chance that a single driver will face
catastrophic financial loss because of an accident.

- Avoidance of Adverse Selection and the Development of a Balanced
Insurance Market. Mandatory automobile insurance is necessary to avoid
adverse selection.  Adverse selection results when only the riskiest
participants in an insurance market purchase the insurance product because
they have the most to gain by buying the insurance (or better-stated: the
most to lose if they don't buy the insurance).  However, when the purchase
of insurance is not mandatory this can create an unbalanced insurance
market where the insurance carriers have the worst risks on their books
(resulting in increased claims and losses) with no "good risks" paying
premiums to offset losses. Eventually a market that is exclusively
adversely selected against cannot be sustained and the societal benefits of
that insurance market disappear.

- Increasing the Likelihood of Making Victims Whole.  One rationale for
mandatory auto insurance is increasing the likelihood that victims of
negligent drivers will be made whole.  If the auto insurance market was
voluntary some individuals injured in automobile accidents would be unable
to collect damages from uninsured motorists (aka "free loaders" who derive
benefit from others purchasing insurance).  From a systemic point of view,
some drivers might opt out of driving due to the risk of uncompensated
injury or property damage (thereby reducing the aggregate benefits of
everybody driving).  Mandating auto insurance results in more drivers and
reduces the free loader problem.

The rationale and reasoning for mandatory cyber insurance for payment card
breaches is the same. Ultimately, information security is not about
preventing all security incidents; it is about minimizing the risk and
impact of security incidents.  There is no such thing as perfect security
and risk will always remain in the payment card system.  Breaches will
happen (just as there will always be automobile accidents).

There is also a diminishing return with respect to efforts to prevent
security breaches.  Organizations cannot cost-effectively build "Fort Knox"
just as drivers cannot afford military-grade armored vehicles. Once a
reasonable level of security is achieved, at a certain point, it is more
cost-effective and efficient to accept a certain level of risk and insure
at least a portion of it.

In addition, the payment card system could face an unfavorable risk
concentration that could undermine the adoption and use of payment cards in
the long run.  If merchants legitimately fear they could be put out of
business because of a payment card breach, they may choose to opt out.  I
have already had clients inquire about payment card work-arounds (for one
client, we explored the possibility of putting ATMs in each of this
client's restaurants).  A system of mandatory cyber insurance for payment
card breaches can alleviate this concentration problem and strengthen the
payment card system overall.

What types of companies are purchasing cyber insurance currently?  While
the profiles may vary, it is likely that many of the "early adopters" are
companies who want the insurance because they feel that they are prime
targets with a lot of payment card information or that their security may
not be adequate.  It is possible that insurance underwriting can weed out
these higher risk companies and decrease adverse selection.  However,
especially in the small and medium business market, due to competition and
other factors, underwriting requirements and standards have decreased
significantly.  Even where more involved underwriting occurs, because of
the ever-shifting nature of cyber risk and the complexity of security, it
is often very difficult to truly understand a company's risk.  All of these
factors could lead to "adverse selection," and the ultimate question for
the insurance industry (especially in light of increasing litigation and
regulatory actions) is whether the cyber insurance market is sustainable
without a very wide base of insureds.  Like automobile insurance, mandating
cyber insurance can help balance the market out to the benefit of insureds,
carriers and society as a whole.

Finally, as with auto insurance, mandating cyber insurance across the board
can increase the likelihood that the victims of a payment card breach can
be made whole.  Some organizations that get hit with a breach, because of
financial stress associated with responding to a breach, are not going to
be able to compensate individuals or issuing banks (for card reissuance
costs or fraud).  Moreover, under the current system, most issuing banks
whose cards are exposed get pennies on the dollars for the losses they
suffer because of a breach.  Mandatory cyber insurance can address both of
these issues.  With risk spread throughout the system and every
organization being covered, breached companies will be able to avoid
bankruptcy.  In addition, if insurance is available in every case, it may
be possible to adjust card brand recovery processes to allow issuing banks
to recover more after a security breach.

How Might this Work?

Some readers might blanch at the idea of mandated insurance, and most
automatically think the mandate would come from the government.  While a
government mandate would work in this context, in the payment card context,
the card brands are at the top of the pyramid and can impose requirements
for merchants that want to accept payment cards.  Like the PCI-DSS standard
itself, the card brands could agree to require merchants to have some level
of cyber insurance.  That said, because all of the participants in the
payment card system have a stake when it comes to payment card breaches, it
may be possible to spread the cost of insurance across all of the
stakeholders (merchants, merchant banks, processors and issuing banks).
Overall, while there are a lot of details that would have to be worked
through, a mechanism (the card brand's operating regulations and associated
payment-card related agreements) to mandate cyber insurance exists, and
governmental involvement is not necessary (although if action is not taken,
government action may be the result).  Finally, the rationale laid out
above applies equally to security breaches involving other types of
personal information, including financial and healthcare information --
however, that is a conversation for another day.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/