Tag Archives: Chubb

Not Getting The Right Cyber Insurance Cost PF Chang’s $2 Million

P.F. Chang’s restaurant chain suffered a cyber breach in which about 60,000 credit cards were stolen.  The breach only affected 33 of the company’s approximately 400 restaurants, so it could have been much worse, even though it lasted 8 months.

Still, the restaurant spent about $1.7 million recovering from the breach.  If the breach hit all of their locations at the same rate, that number might have been around $20 million.  This is still small compared to, say, Target.

Chang’s had purchased cyber breach insurance from the Federal Insurance unit of the insurance giant Chubb just in case of an event such as this, but as I have said in the past, cyber breach insurance is not a standard form policy and as a result, you don’t always get what you expect.  This is why we recommend conducting a cyber insurance assessment.

As the story moves forward, Bank of America, their credit card processor, fines P.F. Chang’s $1.9 million to cover the costs of reissuing cards and losses.  Notice that this number is greater than the rest of the expenses that P.F. Chang’s had from the breach.

P.F. Chang’s paid B of A and then asked Federal Insurance to reimburse them.  Federal said no and ultimately, Chang’s sued Federal.

This month a verdict in that suit came in and it validates my comment that you don’t always get what you expect.

There were some interesting twists and turns in the trial.

First, Chubb said that there was no coverage because Bank of America suffered the loss, not Chang’s, even though Chang’s was contractually required to reimburse B of A.

Then Chang’s said it should be covered under the privacy notification clause.  This seems a bit strange to me and the answer from the court was no.

Next Chang’s said it should be covered under the business interruption clause. This usually covers extra expenses you have to pay as a result of a covered event.  Again, the court said no.

Ultimately, it boiled down to the fact that Chang’s did not have PCI DSS coverage in their policy.  Whether they understood that at the time the policy was written or not is unclear.  Whether their broker understood that or not is unclear.  Whether Federal Insurance understood that and figured it was a great way to limit their liability in case of a breach is unclear.

What IS clear is that P.F. Chang’s gets to cover that check out of their pocket.

While they will not go broke over this, it is a great lesson for other people to make sure that they understand what they are getting, because $1.9 million to cover a breach of only 60,000 cards could sink a lot of companies and 60,000 cards is not a large breach.

This is only one example of how you can go wrong when it comes to buying cyber insurance.  The first step is to understand what coverage you need to have.  The second step is to make sure that your policy provides that coverage.  Outside help may be required in both cases.

Information for this post came from National Law Review and Lockton’s Blog.


Insurance Companies Deny Cyber Insurance Claims

As I predicted (which did not require a large amount of clairvoyance) after the Cottage Health fiasco, insurance companies prefer to deposit premium checks and have begun to fight cyber insurance claims.  Since most people don’t read their insurance policies and even fewer make sure that they are in compliance with the terms of the policy, this is kind of like taking candy from a baby – an unfair fight.

In the Cottage Health case, Cottage was breached and their cyber insurance carrier, a division of CNA, paid the $4 million claim.  CNA later said that Cottage was not in compliance with the terms of their policy, even though the carrier had initially paid the $4 million claim, and is suing to get their money, legal fees and other costs back.  That suit is currently withdrawn pending back-room negotiations between the two parties.

There are now two new lawsuits.

Ameriforge Group is suing Chubb because they were suckered into a business email compromise (where a hacker convinces someone in the company to wire money somewhere because of a secret deal the CEO is supposedly working on, or whatever).  Chubb says that the policy covers fraud (where someone writes a bogus check or wire, for example), but in this case an authorized employee got suckered and, sorry to be impolite, there is no sucker coverage in the policy.  In this case the loss was around $500,000.

The second case is similar.

Earlier last year, Chubb was sued by Medidata Solutions after it was suckered out of about $5,000,000 in a similar “super secret” deal.  Even though in this case, the company said there was some hacking involved, Chubb said the employee voluntarily sent the money, so no coverage.

The moral in this story is that companies need to understand what coverage they have and what coverage they do not have.  Cyber risk insurance is not a standard form of insurance, so policy coverages vary significantly.

And, as Cottage Health discovered, even if you have coverage you have to make sure that you follow the rules if you want to get paid.

Information for this post came from Krebs on Security.
