Cybercrime is all about the money. It motivates most cyber crooks, from hackers penetrating company networks looking for information to sell or exploit, through the operators of online underground marketplaces, to DDoSers hired to take out a rival firm’s web infrastructure.
And, in the end, that money leads back to the financial sector. Banks, credit unions, insurers and everyone charged with looking after our money and covering us when something bad happens are starting to feel the pinch from the steady growth in cybercriminality.
The recent spate of epic data breaches illustrates this most clearly. A report from the US Consumer Bankers Association (CBA) puts the cost of merely replacing cards after the Target data breach at over $200 million so far, with some way still to go.
The report merges the CBA’s own figures, of $172 million, with another $30.6 million quoted by fellow banking body the Credit Union National Association (CUNA).
That only covers a little over half of the 40 million card numbers heisted from Target.
Smaller institutions will be feeling the pinch even more – the Independent Community Bankers of America (ICBA), a body representing smaller and local banks, estimates that their members have had to shell out $40 million to replace 4 million cards since the barrage of recent retail breaches, including Target and Neiman Marcus.
All this is just to replace standard low-grade cards of course. There’s probably a lot more still to come, with banks likely to be called upon to bear the costs of any money defrauded from their customers’ accounts by whoever scooped up all that data.
And a little further down the line, there will be the cost of finally rolling out more secure cards and card systems featuring Chip-and-PIN (or EMV) technology.
To be fair, this last cost should have been well prepared for, and had the US’s great leap forward to EMV been made a little earlier, say 7 or 8 years ago like the rest of the developed world, these data breaches would have been much harder to carry out, and the data stolen more difficult to monetize.
The huge bills to cover replacing cards affected by data leaks have led to speculation that a change may be coming, with responsibility for covering such costs to be pushed more onto the party responsible for the breach, rather than the banks.
Already there have been legal actions brought against Target to recoup some of the costs, and it seems likely that similar pathways may be taken in future.
It may even be that the latest wave of leaks will lead to changes in regulation surrounding banks, retailers and cybercrime.
At the very least, it seems certain banks will impose higher card-handling fees to recoup their costs.
It’s possible that such a move will act as a strong motivator for retailers and others dealing with large amounts of sensitive financial data, to ensure their systems and processes are as robust as possible to reduce the risk of future breaches, which would be a good thing for everyone.
Others will, of course, argue that the banks can afford to absorb these costs.
Meanwhile Target, like anyone else hit by a major breach, is already absorbing heavy costs, both in terms of damaged reputation and in dealing with the huge numbers of irate customers.
In the long term, financial firms will always be the ones with the money, and will feel the biggest drain from cyber theft and fraud, whether the hit comes via their clients and customers or directly.
A recent survey from consultancy firm PwC, gathering views from over 5000 people (mainly senior executives) in 99 countries, found that 45% of financial services organisations had been hit by cyber attacks, compared to 17% of other types of firms and institutions.
Following the money all the way down, banks will want to keep their hefty profit margins at the levels to which they have become accustomed, so even if they do continue to bear the main responsibility for cleanup costs, the extra outlay will eventually make its way to the pockets of all of us, in the form of increased banking fees and reduced interest on savings.
So it’s in all our interests to do our bit to minimise the damage done by cybercrime.
Whether you’re a CISO at a major retailer pondering saving cash on a cheap security infrastructure, or just an ordinary Joe considering picking up some bargain drugs from a Canadian pharmacy, think about the long-term implications for your own wallet (and those of everyone you know), and make sure you lean towards caution and security.