Privacy & Information Security Law Blog

Hunton & Williams Insurance Litigation & Counseling partner Lon Berk reports:

As the demand for cyber insurance has skyrocketed, so too has the cost. One broker estimates that sales in 2014 will double from the $1 billion premium collected in 2013. Much of the increase in demand and cost has been the result of the widely publicized hacks of the point-of-sale systems at large retailers, and the primary emphasis of most cyber policies is to address liability arising from such events. New payment technologies, however, will change the need for this type of cyber insurance. American Express recently announced a token service; Apple incorporated ApplePay into its new iPhones; and a group of retailers, the Merchant Customer Exchange, is working on the release of a new payment technology as well. These technologies, although different in detail, eliminate the need for merchants to collect unencrypted payment card information from customers, significantly reducing the risk created by point-of-sale malware.

These technologies work by generating tokens or cryptograms for use at the point of sale. Financial institutions are able to determine whether the tokens or cryptograms are associated with a customer’s account, even though it is virtually impossible for a third party possessing the token or cryptogram alone to identify the account. The exact specifics of the technologies vary, but the end result is that the merchant does not need access to the customer’s unencrypted account information and any data obtained through the point-of-sale malware becomes virtually worthless.

As these payment technologies become prevalent in the U.S., the need for cyber insurance protecting retailers against point-of-sale malware should sharply drop. There still will be a need for coverages protecting against other cyber risks, including other forms of malware and security breaches as well as against business interruptions arising from cyber events. However, the need and demand for cyber insurance covering privacy breaches should be reduced and the pressure on much of the current cyber insurance market removed.