Cyber Insurance: Is It Worth It?Court Ruling Denying P.F. Chang's Claim in Wake of Breach Raises Questions
Just days after a federal appellate court supported a community bank's claims that its $485,000 account-takeover loss should be covered by insurance, a federal district court in Arizona ruled that restaurant chain P.F. Chang's China Bistro should not be reimbursed by its cyber insurer for fees it paid to its merchant services provider related to its 2013 card breach.
It's the second legal setback for P.F. Chang's in recent months. In April, a federal appellate court ruled that a consumer class-action suit filed against the chain could move forward (see P.F. Chang's Ruling: Is the Tide Shifting?).
This ruling in P.F. Chang's suit against its cyber insurer illustrates how merchants are increasingly being burdened with fees and fraud-related costs that even cyber insurance cannot help them cover, some security experts say.
"In this age of uncertainty, as it relates to hacking and cyber liability, an important mitigant for companies is cyber insurance," says cybersecurity attorney Chris Pierson, CISO and general counsel at invoicing and payments provider Viewpost. "But if it becomes more difficult for companies to get policies that will ... cover losses, companies may decide going forward that it may not be worth investing in cyber insurance. [The P.F. Chang's] case could prove to be a very important event that helps companies decide if they will buy cybersecurity insurance policies."
Financial fraud expert Avivah Litan, an analyst at Gartner, says the P.F. Chang's case shows just how much merchants are paying for breaches, with little recourse to cover all of their breach-related losses and expenses.
"Merchants are definitely on the short end of the stick when it comes to payment card acceptance," she says. "They have no choice but to accept these dominant payment instruments, and they have no choice but to pay what seem to be unfair penalties when they suffer a card data breach. Merchants are basically the parties who pay for consumer card benefits, e.g. cashback programs, frequent flyer and other loyalty programs that enable card issuers to remain profitable. It's an unfair situation that the ... antitrust division of DOJ [Department of Justice] should examine and remediate as appropriate."
Most insurers don't offer coverage for fees assessed by Visa and MasterCard, which are often passed along to retailers by processors and banks that offer merchant services, Litan says. Those fees are considered to be part of the card associations' regular business practices, which are included in merchant contracts, she explains.
P.F. Chang's Claims
In June 2014, P.F. Chang's discovered that point-of-sale malware had compromised some 60,000 payment cards that subsequently ended up for sale on underground forums online (see P.F. Chang's Breach: 6 Key Developments).
The restaurant chain immediately notified its cyber insurer, Federal Insurance, a division of the Chubb Group, of the breach, according to its lawsuit. Federal Insurance later paid P.F. Chang's more than $1.7 million to cover certain breach-related costs, such as those associated with the forensics investigation and litigation with consumers and banks, the lawsuit states.
In March 2015, MasterCard imposed $1.9 million in assessment fees on P.F. Chang's merchant services provider, Bank of America Merchant Services, for case management, fraud recovery and operational reimbursement costs linked to the restaurant chain's breach, the lawsuit notes. Following the terms of its contract with Bank of America Merchant Services, P.F. Chang's in April 2015 paid for those expenses. It then sent a letter to Federal Insurance requesting coverage of the $1.9 million, its lawsuit states.
But Federal Insurance declined to cover that $1.9 million expense, and P.F. Chang's filed its lawsuit seeking to have the court force the insurer to pay.
Insurance Doesn't Cover Contractual Expenses
The court ruled that Federal Insurance Co. was not responsible for covering breach-related fees that are paid to a third-party under contract.
Judge Stephen M. McNamee noted in his ruling that while P.F. Chang's and all merchants that process card payments must rely on merchant services providers, cyber insurance policies are not required to cover post-breach fees merchants pay those providers to fulfill the obligations of their contracts. And because P.F. Chang's merchant services provider did not suffer a breach, no insurance coverage is applicable, he ruled.
The judge ruled that P.F. Chang's was obligated to pay $1.9 million to Bank of America Merchant Services under the contract it signed for merchant processing. According to the master service agreement P.F. Chang's signed with Bank of America Merchant Services, P.F. Chang's "agreed to compensate or reimburse BAMS for 'fees,' 'fines,' 'penalties,' or 'assessments' imposed on BAMS by the associations," McNamee wrote.
Fees to Cover Breach Expenses
Viewpost's Pierson says fees assessed by card brands that fall back onto merchants are part of the card brands' business models, which are designed to ensure their businesses are profitable.
"Everyone in the card food chain wants to be made as whole as possible," Pierson says. "Visa and MasterCard are looking to make sure they are made whole; merchant services groups and processors want to be made whole; and the third-party institutions want to be made whole."
As a result, cyber insurance is at an important crossroads, he adds. "Companies implement cybersecurity insurance to mitigate harm that cannot otherwise be mitigated by security controls or people. To the extent cybersecurity insurance becomes unusable, the market incentives for securing this will disappear."