BLOG: What they don’t tell you about PCI compliance

Jack Elliott-Frey discusses what brokers should be asking their clients before they consider cyber coverage.

Risk Management News

By Jack Elliott-Frey

PCI compliance (the Payment Card Industry Data Security Standard, PCI DSS) has been around for a number of years, yet there is still an attitude among businesses, especially smaller organisations, that it doesn’t apply to them and that the threat of a breach is far smaller than the one facing larger businesses.

These organisations are running a big risk, however, by not falling in line with the required PCI standards. PCI DSS is not legislation: it is a contractual requirement that the card schemes impose on any business that stores, processes or transmits cardholder data, passed down through the acquiring bank. For brokers looking to protect their retail clients online, this is one of the key requirements they should be advising on.

Why is this? With the boom in ecommerce, PCI requirements have become increasingly stringent in order to protect consumers’ card data online. This is because of the volume of smaller retailers online that don’t have the resources to protect this data as effectively as the larger, more established players do. Attackers have been quick to realise this, and so PCI requirements have to be rigidly enforced if they are to protect businesses online.

So what should brokers be asking their clients BEFORE they consider what cover is appropriate for them? First of all, do their clients really understand the consequences of a breach?

The first thing that will happen, even if a business is only suspected of a breach, is the arrival of the PCI investigators at their door: the card schemes require a PCI Forensic Investigator (PFI), engaged at the business’s own expense. This investigation can take weeks, and involves a thorough review of security policies, penetration testing (testing of network defences), computer inspections, and wireless and phone line testing, all to find out where the breach occurred, or where the vulnerabilities are if the business is only suspected of one.

Whilst the investigators are doing this, a business is naturally disrupted. Brokers need to ensure that their clients understand the consequences, and that they communicate that insurance needs to cover not just the costs directly associated with the breach (paying the investigators, revamping security, and the card schemes’ assessments, including the cost of reissuing consumers’ cards), but also the business interruption suffered as a result (lost custom while systems are offline or under investigation).

Most estimates put the real cost of a data breach at between $30,000 and $50,000, even for small businesses. It doesn’t matter whether your client is the merchant or the acquirer: if either of them suffers a breach, there is a potential cost they are responsible for. As a broker it is your responsibility to ensure that your clients are as fully covered as possible to mitigate the damages caused by even the most minor of breaches.

Jack Elliott-Frey is a cyber broker with Safeonline LLP.
