AFP compiles the most alarming—and informative—payments fraud news relevant to corporates in AFP Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization.
What’s it like from a treasurer’s perspective when your company is hit by a cyberbreach?
“It’s a whirlwind,” said Lisa Joublanc, CCM, CFA, vice president and treasurer for Atlanta-based credit card processor Global Payments.
Speaking at the recent CTC Corporate Treasurers Forum in Chicago, Joublanc provided an insider’s view of the security breach that her organization incurred in 2012. The breach compromised 1.5 million credit card numbers and resulted in a loss of $125 million for the company.
“You get this call that this is happening and you wonder why you’re not going public,” Joublanc recounted. “But that’s because there’s criminal activity that’s occurred. Law enforcement is going to be immediately involved and the last thing they want to do is tip off the perp about what’s going on. So there’s this period of time where you’re in limbo.”
When it was time to go public, Global Payments announced that it had sustained a breach. Personally identifiable information (cardholder names, addresses and Social Security numbers) was not leaked, but the credit card numbers themselves were. As it worked through the response, Global Payments realized that its cyber insurance broker at the time was not adequately prepared to handle such an event, and so the company switched to McGriff, Seibels & Williams.
“We switched brokers midstream, which I wouldn’t recommend,” Joublanc said. “One of the things we learned during this process was that your policy is a contract. And if you don’t do exactly what it says in the policy, you probably won’t get coverage. So that means every time you want to spend money, you have to get prior approval.”
Mary Guzman, senior vice president and E&O practice leader for McGriff, Seibels & Williams, added that some insurers will not let companies choose their own vendors for credit monitoring, PR, call center services, forensics, etc. “We’ve had quite a few clients who were with other brokers come to us after the fact and say, ‘We had no idea; it was hidden in the conditions of the policy that we had to use Experian for credit monitoring and XYZ company for forensics. We didn’t have the choice to use the people we’ve always used,’” she said.
This can become a significant problem for companies that want to control their overall message when a breach occurs, Guzman continued. “Say you’ve already got a relationship with PricewaterhouseCoopers, but they’re not on the approved list for your carrier because they’re too expensive—that’s an issue. So it’s something to be very aware of when you’re looking at these policy forms.”
Global Payments now gets its vendors preapproved through its insurance carrier. “So if this happens again, we’re not spending a week or two to look at a contract with a vendor; we do that all up front,” Joublanc said.
Choosing a cyber insurance policy
Joublanc offered some advice to corporate treasurers buying cyber insurance. Before a company even has an official claim, it is already incurring multiple expenses. Corporates would therefore be wise to avoid policies that only kick in once a third party starts demanding money. “You’re calling your law firm, you’re working on public relations issues, you’re doing forensics and trying to figure out what has happened,” she said. “All those things are very expensive. So the breadth of your policy is very important.”
Guzman noted that much of the current discussion around cybersecurity centers on data breaches, which can be extremely expensive and damaging to a company’s reputation. “But we really look at security risk today as a three-pronged stool,” she said. “Privacy is one issue we are concerned about all the time. Supply chain and infrastructure risk has increasing importance in what we do. And then the third leg of the stool, which doesn’t get a lot of attention from an insurance standpoint, is theft or corruption of trade secrets and intellectual property, and/or, on the liability side, intellectual property infringement. We spend a lot of time on trying to develop new products for that.”
Additionally, professional services firms have significant errors and omissions exposure relative to the services they provide. So much of that is done electronically now that it can be difficult to distinguish between an errors and omissions loss and a cyber claim, Guzman explained. “So we do a lot of blended programs where we do the E&O and cyber insurance on a combined basis,” she said. “Most of our financial institutions buy their cyber as part of a blended crime fiduciary EPL program all under one giant aggregate tower of up to $400 million of limits.”
Guzman noted that almost no two cyber policies are the same from one carrier to the next. Corporate treasurers really have to do their homework and know what they are paying for. “If you’ve bought an off-the-shelf carrier policy to lead your program on the primary, you’re not getting anywhere near the broadest coverage you can get,” she said. “Some of the policy forms are pretty good, but there’s not a single one that doesn’t need some sort of significant manuscripting and amendment.”
Joublanc added that because a breach can affect a company in so many ways, it is imperative to know exactly where a claim might come from. “Use your broker to talk about scenarios because they’ve gone through it before,” she said. “Also, try to get the broadest coverage that you can.”