The cost of U.K. electronics retailer Dixons Carphone PLC's data breach, in which hackers tried to access data on 5.9 million payment cards, could "easily exceed" £50 million, not including a fine that could exceed more than £400 million under the EU's new data protection regime, according to a cyber insurance specialist.
Graeme Newman, chief innovation officer of specialist technology underwriting agency CFC Underwriting Ltd., said the costs would be covered by a standard cyber insurance policy and the loss to insurers, if Dixons Carphone has insurance, "would not make a dent in the cyber market." But Lloyd's of London insurer Beazley PLC's international breach response manager, Raf Sanchez, noted that the increase in claims since the May 25 introduction of Europe's General Data Protection Regulation could make insurers more selective about the companies they cover.
"Considering we have had a significant uptick in reported incidents since GDPR and therefore the risk profile is definitely higher, I think insurers will have to become a bit more circumspect or careful about who they are insuring," Sanchez said.
Dixons Carphone, which operates the Carphone Warehouse and Currys PC World chains, said June 13 that in addition to attempts to access the payment card data stored on its systems, 1.2 million records containing nonfinancial personal data such as names, addresses and email addresses had also been accessed. Dixons Carphone has cyber insurance, but the company declined to provide details about the cover or whether it would make a claim when contacted by S&P Global Market Intelligence.
Counting the cost
The company will likely have to pay the costs of initial investigations and fixes, Newman said, but far more expensive could be the tab for notifying the 5.9 million cardholders and potentially having to pay for the reissue of their cards. Notification could cost between £3 and £5 per person, depending on the method, while reissuing chip and PIN cards could cost between £4 and £7 apiece, he estimated.
On top of this, Dixons Carphone could face a fine from the U.K. data regulator, the Information Commissioner's Office. Under GDPR, there are two levels of fine for noncompliance: €10 million or 2% of turnover, whichever is higher, and the higher of €20 million and 4% of turnover.
The biggest possible penalty would cost Dixons Carphone £423.2 million, based on its 2016/2017 revenue of £10.58 billion, although Newman said a penalty on this scale would be "exceptionally unlikely" because he expects the ICO to reserve the top fines for the worst type of breaches.
"The most egregious examples are unlikely to be ones where a business has been a victim of cybercrime," he said. "The most egregious examples are generally going to be where businesses have knowingly and willfully collected, harvested, shared and sold data that they shouldn't have."
Data breach fines could also be included under cyber insurance policies. Paul Dickson, CEO of specialist technology insurance broker Innovation Broking, said whether fines are covered is "a bit of a gray area," but that insurers would most likely offer cover where it is not expressly forbidden by law.
"The fact that it may be, arguably, against implied public policy doesn't prevent insurers offering cover," he said. "Insurers tend to play follow-the-leader so if one takes a chance and says: 'Yes we'll cover fines so long as not uninsurable by law,' the rest, however reluctantly — and it is in some cases — will follow along."
Dixons Carphone said that of the 5.9 million cards, 5.8 million have chip and PIN protection and that the accessed data "contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made." It also said it had found "no evidence of any fraud" on the roughly 105,000 cards without chip and PIN that had been compromised.
On the 1.2 million nonfinancial records that were breached, Dixons Carphone said it had no evidence that the information had left its systems or resulted in any fraud "at this stage."