It’s been about 2 months since the first of the stories broke on the multiple large-scale hacking attacks in the retail sector. The targets in this recent round were the “Point of Sale” systems, the computers and card/pin pads formerly known as ‘cash registers’. We have learned since that several national retailers succumbed to the sophisticated series of hacks, losing millions of debit and credit card numbers in some cases.
One question we’ve frequently received since from retailers is: “What Cyber Insurance limits should we be purchasing?” A simple question with a complex, yet calculable, answer. (The answer, incidentally, applies to non-retail firms as well, however with a few adjustments.)
It requires a few steps, which we briefly discuss:
- What is the cost of a typical data breach per lost card number?
- How many payment card numbers could be lost?
- What are the annualized expected losses based on a company’s potential frequency and severity?
- How best do we fund for that expected loss?
What is the Cost of a Typical Data Breach per Lost Card Number?
Step 1 is perhaps the easiest. The cost to cancel/reissue a debit or credit card is known. The issuing bank may incur $3-$10 in many scenarios to get a new card to a customer, and will look to pass those costs on to the retailer.
Adding this to costs for communications, call centers, offered services such as credit monitoring, lawsuits, class actions, regulators and industry penalties, one can arrive at cost estimates for varying sized breaches.
Keep in mind, the costs for a payment card breach are different from a health record or social security number breach. And costs per record typically reduce as the breach size grows. Credit card breach costs vary, but can range from $50+ per record down to $2 per record. Work with your experienced cyber broker to determine costs for various sized breaches for your organization.
How Many Payment Card Numbers Could be Lost?
Step 2 is where it gets fun, and more specific to the retail industry. Small and mid-sized “Point of Sale” retailers (under 10M card transactions per year) may want to assume their maximum probable loss could be a year’s worth of card numbers. Larger retailers may want to limit the calculated maximum probable “length” of the breach, as these P.O.S. hackers typically have a short window of opportunity to move the stolen cards before they are rendered useless by the bank’s cancellation of the number. The hackers and “card shops” (illegal operations that sell batches of stolen card data) that sell to the “carders” (criminal organizations that buy stolen card data and make fake cards to purchase goods and steal money) need to move fast.
In other words, if a hacker can steal 10M cards per week from your system based on your high transaction volume, there is little benefit for the hacker to stick around for 10 more months, risking getting discovered, to try to collect 400M cards. Once they sell the first few million, the cards will start to be used, and the banks will begin to render the stolen numbers useless. This is not to say a hacker won’t steal 100M+ cards, and cause a huge loss.
In one recent case, while the retailer processed 100M cards per month, it “only” exposed less than half of that because the breach was discovered once the first batch of stolen cards was sold and used. The breach lasted about 2 weeks before discovery.
The card shops selling the stolen card numbers have seen the “valid” rate for these cards go from 100% down to 60% over the first few weeks post discovery. Therefore, the price they can get for each stolen card has dropped from $25-45/card to $8-28/card.
The point is, for a large retailer processing millions of cards per month, don’t assume your maximum probable loss is a year’s worth of card transactions.
As they say, your mileage may vary so it is important to work with your cyber broker/risk advisor to understand the nature of your particular payment card risks.
What are the Annualized Expected Losses Based on a Company’s Potential Frequency and Severity?
Step 3 is where we utilize the vast amount of claims data to predict the frequency and severity of privacy breaches for your organization.
How Best do we Fund for that Expected Loss?
Step 4 allows a retailer to measure their risk, evaluate expected losses, and analyze the efficiency of self-insuring the risk, or purchasing varying levels of cyber insurance.
Whereas peer benchmarking and purchasing coverage limits based upon your “worst case” loss is informational, it is not the optimal way of evaluating the financing of privacy risks for retailers. The quantitative process described above provides improved intelligence from which to make sound business decisions.
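To make the four steps concrete, here is a small expected-loss model written as an added example for this post. It is not Willis’ PRISM℠ analysis and not code from the original article; every number in it (the cost-per-record tiers, the scenario probabilities, the policy terms) is a constructed placeholder chosen to sit inside the ranges the post quotes, and a real engagement would replace them with claims data.

```python
from dataclasses import dataclass

# Step 1: cost per lost card number falls as the breach grows. The tier
# boundaries and dollar figures are constructed for illustration; the post
# only gives the overall range ($50+ down to about $2 per record).
COST_TIERS = [
    (10_000, 50.0),        # up to 10k records: $50/record
    (100_000, 20.0),       # up to 100k records: $20/record
    (1_000_000, 8.0),      # up to 1M records: $8/record
    (float("inf"), 2.0),   # beyond that: $2/record
]

def cost_per_record(records: int) -> float:
    """Return the blended per-record cost for a breach of the given size."""
    for upper, cost in COST_TIERS:
        if records <= upper:
            return cost
    raise ValueError("COST_TIERS must end with an open-ended bound")

def breach_cost(records: int) -> float:
    """Severity of a single breach, in dollars."""
    return records * cost_per_record(records)

# Step 2: maximum probable loss, measured in card numbers.
def max_probable_records(cards_per_year: int, exposure_weeks: float,
                         small_retailer_limit: int = 10_000_000) -> int:
    """Small retailers (under ~10M transactions/year, per the post) assume a
    full year of cards. Larger retailers cap the breach at the cards flowing
    through the POS during the assumed exposure window (e.g. the ~2 weeks
    before discovery cited in the post)."""
    if cards_per_year < small_retailer_limit:
        return cards_per_year
    per_week = cards_per_year / 52
    return min(cards_per_year, round(per_week * exposure_weeks))

# Step 3: annualized expected loss = sum over scenarios of
# (annual probability of that scenario) x (its severity).
def annualized_expected_loss(scenarios) -> float:
    """scenarios: iterable of (annual_probability, records_lost) pairs, the
    kind of frequency/severity estimate a broker derives from claims data."""
    return sum(p * breach_cost(n) for p, n in scenarios)

# Step 4: compare self-insuring against a policy with a retention and a limit.
@dataclass
class Policy:
    retention: float   # amount the insured pays first (deductible / SIR)
    limit: float       # maximum the insurer pays per breach
    premium: float     # annual premium

def insurer_pays(policy: Policy, loss: float) -> float:
    """Loss in excess of the retention, capped at the policy limit."""
    return min(max(loss - policy.retention, 0.0), policy.limit)

def funding_comparison(scenarios, policy: Policy) -> dict:
    """Expected annual cost of self-insuring vs. buying the policy, plus the
    worst-case amount left on the retailer's balance sheet under each option."""
    scenarios = list(scenarios)
    expected_retained = 0.0
    expected_transferred = 0.0
    worst_retained = 0.0
    for p, n in scenarios:
        loss = breach_cost(n)
        paid = insurer_pays(policy, loss)
        expected_retained += p * (loss - paid)
        expected_transferred += p * paid
        worst_retained = max(worst_retained, loss - paid)
    return {
        "self_insure_expected_cost": annualized_expected_loss(scenarios),
        "self_insure_worst_case": max(breach_cost(n) for _, n in scenarios),
        "insured_expected_cost": policy.premium + expected_retained,
        "insured_worst_case": worst_retained,
        "expected_transferred": expected_transferred,
    }

if __name__ == "__main__":
    # Constructed inputs: a retailer processing 52M cards/year, a 2-week
    # exposure window, one minor-incident scenario and one POS-compromise
    # scenario sized by Step 2.
    big = max_probable_records(52_000_000, exposure_weeks=2)   # 2,000,000 cards
    scenarios = [(0.05, 5_000), (0.02, big)]
    policy = Policy(retention=100_000, limit=3_000_000, premium=60_000)
    for name, dollars in funding_comparison(scenarios, policy).items():
        print(f"{name:>28}: ${dollars:,.0f}")
```

The comparison deliberately reports two numbers per option: the expected annual cost (which is what a premium should be weighed against) and the worst-case retained loss (which is what a limit is bought for). Raising the limit moves dollars from the second row to the premium; raising the retention does the reverse. Running the model across a range of limits and retentions is the quantitative version of the Step 4 decision, and it is where the “worst case” peer-benchmark number turns out to be just one input rather than the answer.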
Commercial Break Alert
Willis’ proprietary PRISM℠ analysis steps clients through this process.