Cyber Liability Insurnace


Cyber Insurance Coverage for Bank Assessments

What Merchants and their Insurance Brokers Need to Know

Coverage under a cyberliability insurance policy with respect to assessments levied on behalf of a financial institution or payment processing entity varies quite significantly throughout the marketplace. The nuances of the coverage differences will continue to grow as more and more companies begin to recognize the exposure inherent in electronic payment processing.

Monetary fines are levied by the card brands against merchants as a result of non-compliance with the payment card industry data security standards (PCI-DSS) which are set by the payment card industry security standards council (PCI SSC). A very important distinction lies within the definition of fines, costs or expenses as respects common cyber policy language. “Fines” are often merely reserved for costs levied directly against an insured for the breach of PCI standards set by the PCI SSC. The fines, which are punitive in nature, result from failing to comply with the standards. On the other hand, “assessments” are costs specifically associated with liabilities arising out of a Merchant Service Agreement (MSA). The card brands are looking to recoup expenses that resulted from a security breach by the merchant. Assessments can be costs resulting from a breach of the card brand rules, costs passed along to the merchant through the withholding of funds by a merchant bank, card reissuance expenses, fraud losses and a number of other liabilities arising out of obligations under an MSA.

To further clarify this distinction, merchants that accept payment cards are placed into a payment card network (i.e. VISA or MasterCard) by the bank or financial institution with whom they enter into a MSA. At the time of a sale, merchants submit card information to a bank or financial institution, which passes it through the payment card network to the cardholder’s payment card issuer (i.e., Citibank or Bank of America). Once approved, the funds flow back through the bank to the merchant. In the event of a data breach, a payment card company may assess fines or other amounts on the bank involved. The bank will then seek to pass that liability along to the merchant, which is often achieved through the withholding of funds owed to the merchant. As an oversimplified example, consider this: The merchant may be waiting for the card company to pay them $100,000 for all their billings during the month. If they get fined, they may only get $60,000 paid to them with the other $40,000 being withheld as a fine. As a result, this has proven quite costly given the disruption of cash flow.

Currently pending in federal court, apparel retailer Genesco is involved in litigation against VISA for assessments levied as a result of a data breach. Upon confirmation from a forensic audit, the retailer was found guilty of three different PCI-DSS violations, resulting in a $13 million assessment. That assessment was levied against the banks involved, which Genesco had to indemnify under the terms of their MSA. The suit against VISA is an attempt to recover the assessment costs absorbed by Genesco. However, it has been speculated by the court that if the breach did not involve actual theft of data, then the assessment may be deemed an unenforceable penalty.

There are a few places to look in order to truly understand the payment card exposure for a given client; it’s important to both review the MSA and understand exactly how the merchant processes credit card transactions. A company may simply be processing through a swipe box that doesn’t retain card information or they could be processing transactions through a point of sale (POS) system, which does store card information, thus multiplying the exposure. Essentially, an MSA places obligations on a merchant when a payment card company views the merchant as the potential source of the breach, which can result in the merchant paying for a forensic audit as well as additional fines or penalties.

Insurance carriers are approaching coverage for assessments in a variety of ways, which magnifies the importance of closely reviewing the policy form and endorsements. Some cyber products are clearly defining PCI fines, expenses and costs via policy form, which may reference assessments arising out of a MSA. Carriers can even include coverage for costs or amounts levied as part of a MSA per the definition of damages. Some even go as far as carving back their exclusionary wording to clearly address this particular coverage detail. However, not all carriers directly acknowledge this distinction which could play an increasingly significant role for many businesses, especially companies with high frequency payment processing.

Alternatively, there are a number of carriers that don’t address the distinction of assessments levied out of liability under a MSA. Subsequently, they are not only ignoring this important distinction, but their approach to the contractual exclusion seems to all but outright exclude any coverage for liability arising out of any contract or agreement.

Companies must confront the reality that their most significant liability threat as a result of a data breach or unauthorized disclosure may not come from the consumer, but from their business partners. Those business partners include banks and payment card processors. Although fines vary depending on the volume of payments processed by the merchant and the number of violations, companies that experience a data breach can be fined and assessed millions of dollars as a result of their obligations under a MSA. Merchants and their legal representative should closely review their payment card agreements and have a very direct dialog with their insurance broker and underwriters to be certain that the coverage matches their needs and expectations.

Please feel free to reach out to your AmWINS professional lines broker with any questions or coverage needs.

This article was authored by Trey Waldrep, a professional lines broker at AmWINS Brokerage in Dallas, TX.
Contact Us

To learn more about how AmWINS can help you place coverage for your clients, reach out to your local AmWINS broker.  If you do not have a contact at AmWINS, please click here.

Legal Disclaimer. Views expressed here do not constitute legal advice. The information contained herein is for general guidance of matter only and not for the purpose of providing legal advice. Discussion of insurance policy language is descriptive only. Every policy has different policy language. Coverage afforded under any insurance policy issued is subject to individual policy terms and conditions. Please refer to your policy for the actual language.

(c) 2017 AmWINS Group, Inc.

Most Popular Insights

From Seed to Sale: The Top 5 Issues Impacting the Cannabis Insurance Industry


​Over the last few years, the legal cannabis industry has seen rapid growth and had a significant impact on the U.S. economy. With states continuing to legalize its use, insurance needs for cannabis-related businesses are becoming a popular topic of discussion. This article examines the evolving cannabis industry by exploring five key issues impacting coverage.

Four Key Additional Insured Endorsements for Contractors

Construction contract negotiations, which determine the kind and amount of insurance required for a construction project, can be time-consuming, complicated and frustrating. Project owners require contractors on a project to name the project owner as an additional insured on the contractor’s casualty insurance program. It's important that both project owners and contractors understand the coverage provided by these additional insured endorsements. This article discusses four common ISO additional insured endorsements related to commercial general liability policies purchased by contractors, including their limitations, conditions and exclusions.

Claims Reporting: Better Late than Never?

A common complication during the claim process is the late reporting of claims. In some cases, a late claim can put the agent or broker's own E&O policy in jeopardy. There are many reasons for missing a reporting deadline; however, in most cases, they will not matter to the insurer or the courts. This article discusses typical claim reporting requirements, common causes of late reporting, and recommendations to mitigate the risk of late notice claim denials.

Understanding Property Theories of Recovery and Ensuing Loss Clauses

​The theories of recovery, as well as the ensuing loss provisions, contained in property insurance policies are often complex and, at times, seemingly in conflict. Although a policy may not directly address these theories, their application by courts plays a significant role in the coverage determination process after the claim. It is essential that brokers understand the primary theories of recovery – Efficient Proximate Cause, the Concurrent Causation Doctrine, and the Anti-Concurrent Causation Doctrine – in order to navigate the challenging post-claim process and effectively serve their clients.

Ordinance or Law Insurance Coverage

Ordinance or Law insurance coverage provides limited protection for costs associated with repairing, rebuilding, or constructing a structure when physical damage to the structure by a covered cause of loss triggers an ordinance or law. Compliance with ordinances and laws after a loss can add 50% or more to the cost of a claim. This article will help you educate your insureds on exclusions and limitations and help them take a proactive approach to their insurance program.

Employment Practices Liability in the Age of #MeToo

In 2017, the issue of sexual harassment – especially in the workplace – gained greater awareness as accusations of harassment by high-profile individuals were constantly in the news. In many cases, sexual harassment lawsuits seriously impacted businesses and their respective insurers. Employment Practices Liability Insurance not only provides protection against employee lawsuits, but can also help your clients mitigate their sexual harassment risks.

Sign Up For Our Monthly Newsletter

Sign Up