Retailers Most Vulnerable to Cyber Breaches at Point-of-Sale
In justifying a reluctance to purchase cyber insurance coverage for data breaches, many retailers insist they don’t store credit card information after a sale. But experts say the headline-generating data breaches at retailers across the country in the past few years — think Target, Neiman Marcus, the SuperValu grocery chain — have for the most part targeted the point-of-sale (POS), not stored data.
The POS is where retailers are most vulnerable, according to Michael Palotay, senior vice president at California-based NAS Insurance.
“The point-of-sale machines have been targeted by hackers. Where you swipe your credit cards — that’s where a lot of the exploits have been targeted,” Palotay said during a presentation at the PLUS Cyber Liability Symposium in Chicago in September.
In the attacks on companies like Target Corp., which was compromised in late 2013, hackers used a virus called Black POS, which has been tweaked so that it is undetectable by virus scanners, he said.
The Target breach was massive — account details of some 40 million credit and debit cards were exposed — and expensive. It has cost Target more than $250 million so far.
That $250 million is just for “2013 – 2014,” Palotay said. “This year they’ve already had a $67 million settlement with VISA. … They also had a $19 million settlement with MasterCard, which was actually thrown out because not enough of the banks agreed with it. They didn’t think the amount was high enough.”
Target did have insurance coverage, but not enough. With only around $90 million to $100 million recoverable from insurance, Target’s experience drives home the fact that many retailers are not “properly protected from an insurance perspective … and that’s driving big increases in limits across the marketplace,” Palotay said.
Agents will want to make sure their insureds are “adequately protected or that they’re well informed of the risks if they’re not buying enough limits,” Palotay said.
The increase in the frequency of breaches also has impacted the approach underwriters are taking with retailers when it comes to cyber coverage.
“A lot of carriers aren’t writing retail any more … or they’ve restricted how much they’re willing to [insure]. … And underwriters have dramatically increased the underwriting scrutiny they’re applying to risks,” Palotay said.
But the headlines have also heightened the awareness among retailers of the need for coverage.
“They’re pretty well aware of the risk,” Palotay said. But they may not understand all of the issues involved with underwriting decisions.
Agents can and should play a role in helping the insured to understand how much money is at risk in a cyber breach.
“The first step is to figure out how many records are stored by the insured or the credit card volume they have, because the costs are directly proportional to the size of the breach in terms of volume of records,” Palotay said. The cost usually runs around $20 to $25 per record times the number of records.
“It’s important as an agent talking to a retail insured to have an understanding of how much they could potentially lose, because that drives the conversation about limits needed and a conversation about how much exposure they’re willing to self-insure. That’s a really important part of the sales process,” he said.
The next step is to figure out the extent to which an insured is protected in terms of their controls, policies and procedures.
The controls pertaining to POS are most important. “You really want to get very detailed. You want to understand what happens with credit card data after it is swiped. Is it unencrypted anywhere in the environment, or are they tokenizing the credit card information? The point-to-point encryption, that’s the Holy Grail. That means that data from the credit card is never really present in their environment. That’s fantastic. That’s where a lot of retailers are taking it seriously. That’s a good one to watch out for,” Palotay said.
Whether intrusion protection and prevention mechanisms are in place, and whether the retailer is in compliance with Payment Card Industry (PCI) security standards are also important things to know.
“Retailers, if they have a breach face a number of assessments and fines from the credit card industry. Lots of penalties are really due to non-compliance,” he said.