FEAR FUELS CYBER SECURITY
Cyber-attacks, breaches and fraud continue to fuel a fear within the marketplace that is leading to costs your business might not be prepared for. In the past I have addressed the risks associated with non-compliant EMV payment architectures and the general risks associated with willful noncompliance across the three core areas from which your business receives sensitive cardholder data (fixed payment transactions, card-not-present transactions and mobile payment transactions).
This article will focus on the domino effect taking place within the cyber security marketplace today and how you can prepare for changes that bring substantial risk to your business.
Uncertainty continues to create fear amongst businesses. If you’re concerned, so are the businesses that take on the burden of providing an additional layer of protection to you, your brand and your customers: insurance. Cyber security insurance, to be exact. Insurance is quickly making its way into the same conversations as the security and IT budgets being discussed with CIOs. Protecting your sensitive data is 100% about mitigating risk. Many CIOs and CISOs spend their time trying to understand what threats their organizations face, and whether such threats could cripple the company. These are the discussions our company has weekly. Should CISOs be more concerned about the insurance associated with managing that risk? If it hasn’t impacted your budget yet, it is likely to do so quickly.
- In 2010, there were an average of 50 successful cyberattacks per company. By 2014, that average rose to 122 successful attacks per company (a gain of 144%).
- Enterprise Businesses: In 2005, there were a recorded 157 successful breaches within the top 25% of Enterprise companies, exposing more than 67 million records. In 2015, more than 781 successful breaches were recorded exposing 170 million records.
- Small Businesses: Studies conducted by Verizon in both 2012 and 2013 found that the majority of data breaches on businesses occurred at those with fewer than 100 employees. The average cost of one successful cyberattack on a small business was $8,700.
We are all familiar with the mammoth growth in hacking attacks on U.S. companies over the past few years. This has prompted many insurers to increase cyber security premiums for many companies, creating a stereotype for the entire industry that every company must be as unprepared and vulnerable as Target, Home Depot and Anthem Blue Cross. If they could be breached, then every company must have a certain level of exposure, right?
This mentality is widespread within the cyber security insurance industry, and has left many companies re-evaluating what they can truly afford on insurance. Cost/benefit considerations inform the identification of both an organization’s top cyber risks and the appropriate risk management investments to address them. With the increase in deductibles comes a lower coverage amount, which can create serious exposure for large and small businesses alike in the event their sensitive data does get compromised.
For example, most cyber insurance companies are limiting their total coverage on large Enterprise companies to $75M, way down from the $250M coverage plans of 5+ years ago. Consider Target’s coverage of just $100M while their lawsuit has reportedly cost them more than $265M, leaving them to cover the difference.
Much like the crash in the housing market resulted in much stiffer regulations, underwriting, higher interest rates and more personal scrutiny, cyber insurance has taken a very similar stance. Strong security policies and procedures are reviewed in more depth, POS encryption is a must, and the overall security posture of the business is assessed; all of these are now standard prerequisites for Enterprise companies seeking a strong cyber security policy.
After dozens of conversations within Enterprise Hospitality over the past year, I was not surprised to see the dramatic increase in the acquisition of cyber security insurance within the gaming & hospitality market: a 68% increase in the last year!
There are many key factors that can drive insurance premiums up, but I wanted to highlight one that is new enough that many of you reading may not know it exists yet. Earlier this year we started to see something within payment processing that we had educated our clients on, but really had no idea what to expect.
In the first quarter of this year, we have seen an increase in chargebacks and disputes of more than triple across our base of enterprise prospects and customers. I don’t throw that number out to be dramatic; those are real numbers that many of our CFOs will grudgingly attest to, some worse than others. Based on the structure of the EMV mandate, we knew that this could very well become reality if the right payment architectures were not in place by October of last year.
More simply stated: on Oct. 1 of last year, merchants were required by the credit card companies to start utilizing EMV-capable point-of-sale equipment. Merchants who are not complying will be responsible for the costs associated with accepting any fraudulent transactions. Essentially, the liability for fraudulent transactions switches from the processor to the merchant. Credit card companies refer to this as the “liability shift.” Merchants who comply with the EMV mandate and utilize EMV-capable terminals are not subject to the liability shift; liability remains with the processor. This applies to any type of chargeback.
This is what surprised us and many of our customers and prospects looking to implement a new EMV solution. When a chargeback is initiated, for any reason, by a customer who paid for services with a “chip card,” the acquiring bank immediately examines the transaction to determine whether or not it was conducted on an EMV-capable device. If it is deemed that the “chip card” was swiped and not “dunked,” the merchant’s dispute of the chargeback is declined. Don’t bother submitting the paperwork or wasting your time on the phone for an hour. To date, we have not seen one of these chargebacks overturned.
We knew this to be true years ago when we were first introduced to the whole concept of EMV, but to really see it in writing from the banks over the past few months makes it a bit surreal. Unfortunately the pain has not stopped there. A few months ago, during a discovery workshop with our team and a very prominent hotel company, we were exposed to the evolution of this reality and how quickly criminals learn to take advantage of opportunities. Yes, you know where I am going with this. After casing venues to understand how their card would be processed, small chargebacks of $15 or less would show up on the merchant processing statement. Within the next 30 days the same card would be seen with a large $500-$1500 chargeback, in some cases substantially more. If there is a way to expose a weakness within an organization, it has already been found. The wait-and-see mentality of many enterprise companies has quickly found its way to negatively impacting the bottom line in a way they never saw coming.
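A defender-side check for the pattern just described, run over merchant statement rows: a small probe chargeback followed within 30 days by a large one on the same card, plus a tally of the amounts the liability shift leaves with the merchant. This is an added example, not code from the article or from LCG; the `Chargeback` fields, the thresholds and the sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Chargeback:
    card_token: str   # tokenized card reference as printed on the statement (constructed)
    posted: date      # date the chargeback posted
    amount: float     # chargeback amount in USD
    chip_card: bool   # the card is EMV-capable
    entry_mode: str   # "chip" (card dipped) or "swipe" (magstripe read)

def merchant_liable(cb: Chargeback) -> bool:
    """Liability-shift rule as the article states it: a chip card that was
    swiped rather than dipped leaves the chargeback with the merchant."""
    return cb.chip_card and cb.entry_mode == "swipe"

def merchant_exposure(chargebacks) -> float:
    """Total chargeback amount the merchant cannot push back to the processor."""
    return sum(cb.amount for cb in chargebacks if merchant_liable(cb))

def find_probe_then_large(chargebacks, probe_max=15.0, large_min=500.0, window_days=30):
    """Return (card, probe_date, large_date, large_amount) for each card with a
    chargeback <= probe_max followed within window_days by one >= large_min."""
    by_card = {}
    for cb in chargebacks:
        by_card.setdefault(cb.card_token, []).append(cb)
    hits = []
    for token, items in by_card.items():
        items.sort(key=lambda c: c.posted)
        for probe in items:
            if probe.amount > probe_max:
                continue
            deadline = probe.posted + timedelta(days=window_days)
            follow = [c for c in items
                      if c.amount >= large_min and probe.posted < c.posted <= deadline]
            if follow:  # report the first large chargeback after the probe, once per card
                hits.append((token, probe.posted, follow[0].posted, follow[0].amount))
                break
    return hits

# Constructed statement rows: tok_A shows the probe-then-large pattern, tok_B is a
# probe with no follow-up, tok_C is large with no probe, tok_D's follow-up is outside 30 days.
SAMPLE = [
    Chargeback("tok_A", date(2016, 3, 2), 12.50, True, "swipe"),
    Chargeback("tok_A", date(2016, 3, 24), 980.00, True, "swipe"),
    Chargeback("tok_B", date(2016, 3, 5), 9.00, True, "chip"),
    Chargeback("tok_C", date(2016, 3, 1), 640.00, False, "swipe"),
    Chargeback("tok_D", date(2016, 2, 1), 14.00, True, "swipe"),
    Chargeback("tok_D", date(2016, 3, 20), 1200.00, True, "swipe"),
]

if __name__ == "__main__":
    print(find_probe_then_large(SAMPLE))
    print(merchant_exposure(SAMPLE))
```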
As recently as April, we have seen the next progression in chargebacks as well. Businesses are getting chargeback notices from the bank on transactions that customers have not filed a dispute on, leading me to believe that the acquiring banks are not far from issuing fines tied to the volume of non-EMV transactions within your business.
The title of this article is very real for the many clients we work with every day. Ensuring EMV- and PCI-compliant payment architectures is a small piece of a very large puzzle that exists within the security framework of your business. There are many solutions available to help gaming and hospitality properties mitigate the risk associated with fraud liability. It’s not too late.
Ryan Smith has spent most of his IT career supporting the Gaming & Hospitality market, first as an integrator for Cisco Systems, EMC and VMware and then as a Global Enterprise Account leader for Hewlett Packard. Ryan has helped build Enterprise architectures to support the world’s largest Gaming & Hospitality companies in more than a dozen countries. Ryan is the Founder and CEO of LCG, Inc., an IT security company with a core focus on helping companies address how new security standards and new payment architectures will impact their business. The team at LCG is focused on addressing the latest in breach and threat mitigation with IT security solutions and software that remove liability from the customer.