Consumers are blaming banks for cyberattacks. Forty percent of consumers hold banks responsible for security breaches, according to a 2014 study from the TNS Retail Banking Monitor. That's up from 33% in June 2013. Thirty-seven percent of those surveyed also said that their bank wasn't doing enough to prevent cyberattacks, up four percentage points from the previous year.
This is bad news for banks. Over the next decade, as cyberattacks continue to escalate, data security could become a key factor when customers decide whether to switch institutions. If your bank lacks a carefully considered security communication plan in addition to a muscular security program, you could start losing customers.
Ironically, in the current environment the most responsible banks tend to get the most blame. Institutions that proactively reissue debit and credit cards after a retail breach risk the wrath of customers who get rejected at the checkout counter. Meanwhile, people who patronize less cautious ones may continue to shop while remaining blithely unaware of the risks. And even when the inadequate security that led to the breach is the fault of a big box retailer or third-party vendor, customers are likely to hold the bank that freezes their cards accountable.
Banks already deal with reams of regulation and dozens of audit reports in their efforts to ensure the privacy and security of customer data. But these safeguards and guidelines mean little to customers with a frozen debit card.
Perception is everything.
Therefore every bank should have a data security communication plan that includes detailed information for handling security breaches. The plan should include an internal year-long security messaging campaign, a prepared corporate spokesperson response in the case of a breach and text for website, customer and social media communications. Your website should have built-in emergency messaging capabilities with various degrees of prominence to alert, but not alarm, customers.
In addition, prepare an instructional notice for distribution to employees that can be modified for specific circumstances. Include a question-and-answer section to ensure that employees can respond to all kinds of customer inquiries in an approved, consistent manner.
The goal of the year-long security campaign is to inoculate your bank, as much as possible, from the backlash that comes with card reissuances. Conveying the steps and services that your bank has taken to protect consumer information will temper customer reaction. Every e-newsletter should include articles about avoiding scams and data protection techniques, or a story about an employee protecting a customer from a scam artist. Banks should also put security messages on rotation in their posters, statements and video screens.
Rather than spouting platitudes about your commitment to protecting consumer data, increase message credibility. Discuss common security technology such as firewalls, spyware and malware detection, intrusion detection tools and encryption practices. The goal is to give customers enough information to build trust with them, but not enough to help hackers.
Banks should also let customers know that protecting their information is a two-way street. Encourage customers to review their own financial behaviors and provide security tips. Conduct seminars on scams and computer safety. And position security practices as a partnership rather than the sole domain of the financial institution.
Experts say that the adoption of EMV card standards in October 2015 will temporarily slow the increase in cybercrime. But when Europe adopted card chip technology, fraud shifted from brick-and-mortar retailers to online stores.
Hackers will inevitably find a way to exploit vulnerabilities in existing magnetic stripe payment terminals and the new EMV-compliant equipment. It's only a matter of time. Smart banks will be prepared.
Kevin Tynan is senior vice president of marketing at Liberty Bank in Chicago. He can be reached at tynanmarketing.com and on Twitter at @kevintyn.