Target Corp. has $100 million in “network-security” insurance and has generated $44 million in reimbursable costs as of Feb. 1, the Minneapolis-based retailer said in a U.S. Securities and Exchange Commission filing.
Target is self-insured for the first $10 million of cyber coverage, according to insurance market sources. On top of that there is additional cyber insurance through $15 million of excess coverage with Ace Ltd.; then a $15 million layer with American International Group Inc.; a $10 million layer with Bermuda-based Axis Capital Holdings Ltd.; another $10 million coverage layer with AIG; then a quota share for the next $40 million cyber insurance divided among four unidentified insurers (BI, Jan. 20).
In its 10-K filing to the SEC earlier this month, Target said malware stored on its checkout registers led to the theft of data from about 40 million credit and debit card accounts and the personal information of up to 70 million people.
Target said it expects to incur significant investigation, legal and professional services expenses associated with the breach.
Litigation already filed among more than 80 lawsuits against the retailer includes a putative class action filed last week against Target and its Chicago-based cyber security firm, Trustwave Holdings Inc. Two banks — New York-based Trustmark National Bank and Houston-based Green Bank N.A. — filed the suit in federal court in Chicago.
The complaint alleges that Target knew since at least 2007 that its data security policies were “insufficient, antiquated, and did not safeguard and protect sensitive consumer data from theft.” It states the breach could cost banks upwards of $1 billion.
Target said it does not comment on pending litigation. A Trustwave spokesman could not be reached for comment.
Meanwhile, the U.S. Senate Committee on Commerce, Science, and Transportation last week issued a report stating that there were “key points at which Target apparently failed to detect and stop the attack.”
In a statement, Target said that after criminals entered its network, “a small amount of their activity was logged and surfaced to our team. That activity was evaluated and acted upon.
“Based on their interpretation and evaluation of that activity, the team determined that it did not warrant immediate follow-up. With the benefit of hindsight, we are investigating whether, if different judgments had been made, the outcome may have been different,” Target said in the statement.