Newsletter Sign-up

By JARED SHELLY, senior editor/web editor of Risk & Insurance®

In yet another high-profile cyberdata breach, a large credit and debit card breach was discovered on March 30 by a third-party payment processor.

As a result, Visa removed Global Payments from its list of compliant service providers but the company can reapply after showing it addressed the problem. Meanwhile, Mastercard said it has alerted payment card issuers, while Discover and American Express have released statements saying that they're monitoring the situation.

In a conference call Monday, Global Payments Chairman and Chief Executive Paul R. Garcia said the incident was "absolutely contained," and said there were no fraudulent transactions.

In just the past year, there have been data breaches at Sony's PlayStation Network, Citigroup, the International Monetary Fund, Google and National Public Radio.

One of the largest attacks in recent memory happened in 2008, when Heartland Payment Systems saw 130 million customer accounts compromised in a cyberattack. The company eventually agreed to a $110 million settlement with American Express, and Visa, MasterCard and other card associations.

Although risk managers say cyberrisks are top-of-mind, purchasing such coverage still lags. A 2011 survey of risk managers by Towers Watson found that 73 percent of respondents had not purchased network liability policies.

The recent Global Payments case is just the type of breach to get the attention of risk managers and push them to buy coverage, said Robert Parisi, senior vice president at Marsh, who called the breach "a wake-up call for retailers and how they deal with payment processors."

In fact, clients are already calling Willis' FINEX North America to make sure their risk management plans are sound and that their insurance policies would cover such a breach, said Thomas Srail, senior vice president of the company's Cyber and Errors & Omissions team.

"I expect more retailers, payment processers and tech companies to look at this breach, examine the fines, penalties and regulatory actions, and examine at their approaches to cyber risk," Srail said.

When data losses capture headlines, there tends to be a spike in the number of companies purchasing cyberliability policies.

Before approximately 2004, the only companies that seemed to buy cyberpolicies were in the telecom industry, said Parisi. Now, he estimates that between 10 percent to 20 percent of all companies have such policies. That number jumps to about 40 percent to 50 percent, he said, in industries that routinely handle personal and financial data like retail, credit card companies, banks, higher education and health care.

It remains to be seen if the Global Payments data breach will bring those numbers even higher.

April 3, 2012

Copyright 2012© LRP Publications