BreachExchange mailing list archives

Financial sector hit hard by data breach cleanup costs
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 21 Feb 2014 19:29:11 -0700

http://nakedsecurity.sophos.com/2014/02/21/financial-sector-hit-hard-by-data-breach-cleanup-costs/

Cybercrime is all about the money. It motivates most cyber crooks, from
hackers penetrating company networks looking for information to sell or
exploit, through the operators of online underground marketplaces, to
DDoSers hired to take out a rival firm's web infrastructure.

And, in the end, that money leads back to the financial sector. Banks,
credit unions, insurers and everyone charged with looking after our money
and covering us when something bad happens are starting to feel the pinch
from the steady growth in cybercriminality.

The recent spate of epic data breaches illustrates this most clearly. A
report from the US Consumer Bankers Association (CBA) puts the cost of
merely replacing cards after the Target data breach at over $200 million so
far, with some way still to go.

The report merges the CBA's own figures, of $172 million, with another
$30.6 million quoted by fellow banking body the Credit Union National
Association (CUNA).

That only covers a little over half of the 40 million card numbers heisted
from Target.

Smaller institutions will be feeling the pinch even more - the Independent
Community Bankers of America (ICBA), a body representing smaller and local
banks, estimates that their members have had to shell out $40 million to
replace 4 million cards since the barrage of recent retail breaches,
including Target and Neiman Marcus.

All this is just to replace standard low-grade cards of course. There's
probably a lot more still to come, with banks likely to be called upon to
bear the costs of any money defrauded from their customers' accounts by
whoever scooped up all that data.

And a little further down the line, there will be the cost of finally
rolling out more secure cards and card systems featuring Chip-and-PIN (or
EMV) technology.

To be fair, this last cost should have been well prepared for, and had the
US's great leap forward to EMV been made a little earlier, say 7 or 8 years
ago like the rest of the developed world, these data breaches would have
been much harder to carry out, and the data stolen more difficult to
monetize.

The huge bills to cover replacing cards affected by data leaks have led to
speculation that a change may be coming, with responsibility for covering
such costs to be pushed more onto the party responsible for the breach,
rather than the banks.

Already there have been legal actions brought against Target to recoup some
of the costs, and it seems likely that similar pathways may be taken in
future.

It may even be that the latest wave of leaks will lead to changes in
regulation surrounding banks, retailers and cybercrime.

At the very least, it seems certain banks will impose higher card-handling
fees to recoup their costs.

It's possible that such a move will act as a strong motivator for retailers
and others dealing with large amounts of sensitive financial data, to
ensure their systems and processes are as robust as possible to reduce the
risk of future breaches, which would be a good thing for everyone.

Others will, of course, argue that the banks can afford to absorb these
costs.

Meanwhile Target, like anyone else hit by a major breach, is already
absorbing heavy costs, both in terms of damaged reputation and in dealing
with the huge numbers of irate customers.

In the long term, financial firms will always be the ones with the money,
and will feel the biggest drain from cyber theft and fraud, whether the hit
comes via their clients and customers or directly.

A recent survey from consultancy firm PwC, gathering views from over 5000
people (mainly senior executives) in 99 countries, found that 45% of
financial services organisations had been hit by cyber attacks, compared to
17% of other types of firms and institutions.

Following the money all the way down, banks will want to keep their hefty
profit margins at the levels to which they have become accustomed, so even
if they do continue to bear the main responsibility for cleanup costs, the
extra outlay will eventually make its way to the pockets of all of us, in
the form of increased banking fees and reduced interest on savings.

So it's in all our interests to do our bit to minimise the damage done by
cybercrime.

Whether you're a CISO at a major retailer pondering saving cash on a cheap
security infrastructure, or just an ordinary Joe considering picking up
some bargain drugs from a Canadian pharmacy, think about the long-term
implications for your own wallet (and those of everyone you know), and make
sure you lean towards caution and security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/