Financial sector hit hard by data breach cleanup costs

Filed Under: Data loss, Featured, Law & order

Cybercrime is all about the money. It motivates most cyber crooks, from hackers penetrating company networks looking for information to sell or exploit, through the operators of online underground marketplaces, to DDoSers hired to take out a rival firm's web infrastructure.

And, in the end, that money leads back to the financial sector. Banks, credit unions, insurers and everyone charged with looking after our money and covering us when something bad happens are starting to feel the pinch from the steady growth in cybercriminality.

The recent spate of epic data breaches illustrates this most clearly. A report from the US Consumer Bankers Association (CBA) puts the cost of merely replacing cards after the Target data breach at over $200 million so far, with some way still to go.

The report merges the CBA's own figures, of $172 million, with another $30.6 million quoted by fellow banking body the Credit Union National Association (CUNA).

That only covers a little over half of the 40 million card numbers heisted from Target.

Smaller institutions will be feeling the pinch even more - the Independent Community Bankers of America (ICBA), a body representing smaller and local banks, estimates that their members have had to shell out $40 million to replace 4 million cards since the barrage of recent retail breaches, including Target and Neiman Marcus.

All this is just to replace standard low-grade cards of course. There's probably a lot more still to come, with banks likely to be called upon to bear the costs of any money defrauded from their customers' accounts by whoever scooped up all that data.

And a little further down the line, there will be the cost of finally rolling out more secure cards and card systems featuring Chip-and-PIN (or EMV) technology.

To be fair, this last cost should have been well prepared for, and had the US's great leap forward to EMV been made a little earlier, say 7 or 8 years ago like the rest of the developed world, these data breaches would have been much harder to carry out, and the data stolen more difficult to monetize.

The huge bills to cover replacing cards affected by data leaks have led to speculation that a change may be coming, with responsibility for covering such costs to be pushed more onto the party responsible for the breach, rather than the banks.

Already there have been legal actions brought against Target to recoup some of the costs, and it seems likely that similar pathways may be taken in future.

It may even be that the latest wave of leaks will lead to changes in regulation surrounding banks, retailers and cybercrime.

At the very least, it seems certain banks will impose higher card-handling fees to recoup their costs.

It's possible that such a move will act as a strong motivator for retailers and others dealing with large amounts of sensitive financial data to ensure their systems and processes are as robust as possible, reducing the risk of future breaches, which would be a good thing for everyone.

Others will, of course, argue that the banks can afford to absorb these costs.

Meanwhile Target, like anyone else hit by a major breach, is already absorbing heavy costs, both in terms of damaged reputation and in dealing with the huge numbers of irate customers.

In the long term, financial firms will always be the ones with the money, and will feel the biggest drain from cyber theft and fraud, whether the hit comes via their clients and customers or directly.

A recent survey from consultancy firm PwC, gathering views from over 5000 people (mainly senior executives) in 99 countries, found that 45% of financial services organisations had been hit by cyber attacks, compared to 17% of other types of firms and institutions.

Following the money all the way down, banks will want to keep their hefty profit margins at the levels to which they have become accustomed, so even if they do continue to bear the main responsibility for cleanup costs, the extra outlay will eventually make its way to the pockets of all of us, in the form of increased banking fees and reduced interest on savings.

So it's in all our interests to do our bit to minimise the damage done by cybercrime.

Whether you're a CISO at a major retailer pondering saving cash on a cheap security infrastructure, or just an ordinary Joe considering picking up some bargain drugs from a Canadian pharmacy, think about the long-term implications for your own wallet (and those of everyone you know), and make sure you lean towards caution and security.


Image of mop and bucket courtesy of Shutterstock.

3 Responses to Financial sector hit hard by data breach cleanup costs

  1. Well, time to start using cash for local shopping and Paypal for on-line shopping. And, the shoebox under the bed is starting to look good for savings, as the pitiful 1/2% most institutions give is not worth the effort!

  2. ejhonda · 212 days ago

    "And, in the end, that money leads back to the financial sector." versus "the extra outlay will eventually make its way to the pockets of all of us, in the form of increased banking fees and reduced interest on savings." - The fact that all of these costs will eventually be shouldered by taxpayers and customers should be the main focus of this article, and not obfuscated behind the talk of breach costs being shouldered by retailers and banks.

  3. Stephen H · 211 days ago

    I am normally a fan of greater regulation for the financial sector, but this is one area where it is not needed. Civil law is already completely adequate to determining where fault (and costs) should lie.

About the author

John Hawes is Chief of Operations at Virus Bulletin, running independent anti-malware testing there since 2006. With over a decade of experience testing security products, John was elected to the board of directors of the Anti-Malware Testing Standards Organisation (AMTSO) in 2011.