For the last year or so at The CISO Group, in addition to helping payment processors with their merchants’ PCI compliance needs, we have been offering a low-cost, no-deductible breach insurance policy.
For literally a few dollars a month, a small merchant can obtain a no questions asked breach insurance policy that will cover even the costs of a forensic audit in case of a suspected breach.
It amazes me how processors and merchants resist this no-brainer. Of course, the most common retort is that they don’t need it because a breach “would never happen to them”. Still others claim that they are already covered under their general liability insurance. I have told them repeatedly, “go check the fine print”; I don’t think it covers data breaches.
Well, now the Sony case is showing that general liability insurance indeed does not cover data breaches. My friend Ericka Chickowski had an article about this in Dark Reading the other day detailing how Sony’s insurers are stepping back from defending the various class action suits being filed against Sony.
In the case of processors and ISOs there is an even more compelling reason. If any of their merchants cannot meet the fines, losses and costs of a breach incident, the processor or ISO could be held responsible. Spread that out over the thousands of merchants they represent and their exposure becomes pretty significant. Why would one not want to sleep well at night?
Anyway, anyone selling security knows what it is like to sell insurance. Even though it seems to be an easy decision, it is not always so easy.