To obtain approval and funding for security improvements, bank technologists often have to make their case by pointing to losses from recent security breaches. But calculating those losses can be tricky.
The effects can be far-reaching, from the hit to companies' and individuals' reputations and careers (take, for instance, Target's firing of CEO Gregg Steinhafel), morale and stock value, to the heavy toll on the customer service, operations and technology teams working around the clock to fix the problem. These intangibles come on top of the obvious costs, such as chargeoffs due to fraud, the expense of reissuing cards, and the loss of customers freaked out by the breach.
Two studies released in the past week, from the American Bankers Association and from Kaspersky Lab, attempt to put a price tag on cybersecurity losses.
In a survey of more than 3,900 financial and other companies worldwide, Kaspersky Lab found that the cost of lost financial data ranged from $66,000 to $938,000 per organization, depending on the size of the company. This included the costs of engaging service providers such as consultants and lawyers to help manage the problem, as well as the cost of lost business opportunities and investment in services and solutions to prevent additional incidents, such as extra security training.
The first and most obvious breach-related metric banks measure is actual fraud losses.
The ABA surveyed its members in May and June to assess how they were affected by the Target breach. The research found that the average loss per fraudulently used debit card was $331; the loss per gamed credit card was far higher, at $530. However, debit cards were used far more than credit cards — around 8% of debit cards were used for fraud, versus less than 4% of credit cards.
Reissuing cards is another piece of the cost. Small community banks (under $1 billion in assets) report that the cost of creating and mailing a new debit card is about $11; the largest banks have economies of scale that bring that cost down to $2.70. The costs for credit cards are similar, ranging from $12.75 for the community banks to $2.99 for the top-tier banks.
The top-tier banks tend to reissue only the cards fraudsters are actively using, noted Avivah Litan, a vice president at Gartner Research.
"The small banks will reissue everything; the big banks will actively watch these cards," she said. "One large issuer was able to identify a lot of them through the contact center, as they were trying to remove the blocks or change the PINs." The bank used voiceprints to identify the criminals as they called in.
Loss of customers is another factor, one that's tough to measure. Customers don't necessarily announce that they're leaving the bank because of a breach. But Kaspersky's research found that 43% of businesses changed banks following fraud on their account, with 33% moving their primary cash management services elsewhere. And 82% of businesses say they would consider leaving an institution that suffered a breach.
But the biggest cost related to card breaches and other types of financial fraud, some say, is the burden, financial and otherwise, placed on customer service.
"The customer service calls — they're $20 a shot," said Litan.
A banker who participated in the ABA's Target breach study described the strain on employees. "Our call center was swamped for several weeks, impacting our ability to provide normal servicing," said this person, who was not identified. "The amount of research necessary to review customer transactions because customers who had shopped at Target wanted to see if they had unauthorized transactions was enormous.… A very large number of customer conversations occurred even if the card was not compromised."
Hardest of all to quantify is the human toll of breaches.
"We see the financial loss amount as the tip of the iceberg," said Ross Hogan, global head of fraud prevention at Kaspersky Lab. "There are so many ancillary impacts to a fraud loss that are crippling to an organization. Some of those less-spoken-of impacts are more emotional and human — people get fired over things like this, people lose sleep over things like this and organizations, from a morale perspective, sometimes never recover."