In 2012, Global Payments suffered an online security breach that compromised 1.5m credit card numbers and cost the company $125m. Vice President and Treasurer Lisa Joublanc gives an insider’s perspective on the disaster – and what companies can do to stop costs from spiralling if it happens to them.
Cyberattacks, says Joublanc, are a “whirlwind” that throws you into “limbo.” Being a criminal offence, they can’t be talked about publicly whilst initial police investigations are underway, making it impossible to meaningfully advise or reassure your customers, even as the blogosphere is buzzing with rumours. If the PR implications aren’t bad enough, finding out now that your insurance brokers aren’t good enough, or that your policy doesn’t cover quite what you thought it did, can be an extraordinarily expensive revelation.
For Global Payments, says Joublanc, the realisation that their existing cyber insurance brokers weren’t up to the job, and the decision to switch to new providers McGriff, Seibels & Williams midway through the process, ended up making things worse. “We switched brokers midstream, which I wouldn’t recommend,” she said. “One of the things we learned during this process was that your policy is a contract. And if you don’t do exactly what it says in the policy, you probably won’t get coverage. So that means every time you want to spend money, you have to get prior approval.”
Other contract caveats that added to the expense were to do with their choice of suppliers. As the crisis unfolded, Global Payments found that their use of preferred suppliers – not those designated by the policy – led to rows with their initial brokers. Now, said Joublanc, the company ensures that all vendors are preapproved through its insurance provider. “So if this happens again, we’re not spending a week or two to look at a contract with a vendor; we do that all up front,” she said.
Cyberattacks are getting more sophisticated all the time and, whilst strong compliance and security measures mitigate the risk, it’s essential that companies also plan for the worst. All in all, Joublanc advises, ensuring that your policy covers all eventualities is the most important consideration. A breach can affect a company in myriad ways, so understanding that a claim can come from many different channels is key. “Use your broker to talk about scenarios because they’ve gone through it before,” she said. “Also, try to get the broadest coverage that you can.”
Policies to be avoided are those that only apply once customers or regulators start demanding money, for example for compensation or fines. This, Joublanc points out, hardly covers the financial reality of dealing with a cyberbreach. “You’re calling your law firm, you’re working on public relations issues, you’re doing forensics and trying to figure out what has happened,” she said. “All those things are very expensive. So the breadth of your policy is very important.”