Breaches can hit banks with twice the hassle and cost

By Erin Ayers on September 5, 2014

Data breaches carry a high price tag for any organization, but banks may end up with a heavy burden for any cyber event – even ones that hit other businesses but require financial institutions to reissue scores of credit and debit cards.

Doug Johnson, the ABA’s vice president of risk management policy, told Advisen that the only way to guard against data breaches is for all involved entities to effectively protect their systems.

He added that federal legislation providing consistent data breach reporting requirements and data protection standards would help.

“It’s abundantly clear that the only way we can protect the environment is for all levels of the environment to fulfill their responsibility,” Johnson said. Banks end up having a hand in most data breaches involving payment cards, reissuing compromised cards and refunding any fraudulent transaction funds. In the now-classic case of Target’s data breach, nearly every bank in the nation felt the impact, as did about 10 percent of their client base. A February 2014 report from the Consumer Bankers Association estimated that the Target breach cost banks and credit unions over $200 million – and the true cost is likely to be higher, as the study reflected only credit unions and members of the CBA.

“It makes us an active partner in trying to help the customers,” he said.

Unfortunately, while banks reserve for the potential losses due to external data breaches and have the option to seek reimbursement from the breached organization, it might be a lost cause. For a fraudulent transaction at a physical store, a retailer needs only to capture a signature.

“Based on that signature alone – which could say Mickey Mouse, essentially the retailer can deny the chargeback. We get pennies on the dollar,” said Johnson. Breached organizations could be fined by regulators, but that doesn’t pay banks for the costs of new cards, ongoing fraud monitoring or labor costs involved in the process.

Insuring the Costs

Cyber insurance offers limited protection for outside breaches that affect banks, according to Johnson.

“If I was to put on my insurer’s hat and talk to my actuaries and say, ‘How would I price that?’, they would say ‘It’s difficult to price, because the risk is external.’”

According to George Allport, vice president and worldwide financial fidelity products manager of Chubb, cyber insurance can offer a degree of protection in the form of a customized policy.

“It is an area that the insurance industry can respond and, at least in certain cases, has responded to,” he told Advisen. “I don’t think that cyber insurance policies as a general thing provide that type of coverage, but some can be amended and endorsed to provide that type of coverage, subject to underwriting.”

He added, “I would not say that it is a widely asked-for coverage. But I think it is certainly something that banks should consider.”

Allport voiced a “hunch” that banks include the cost of card reissuance as an expected business cost.

“My hunch is that this is an issue that banks have to deal with every day,” he said. “My belief is that the cost of the reissuance is not very much. It’s not a big cost per card, but if you’re talking about hundreds of cards, the costs go up.”

And banks do have another option – cyber liability insurance will usually provide defense and indemnification for an insured organization that suffers a breach, in the event that third parties sue to recoup costs. The 2014 Ponemon Institute study on the cost of data breaches found the average cost per record to the compromised company to be $195. Industry trade groups for banks estimate the cost of replacing payment cards to be about $10 per card.

Frustrations and Clarity

For banks, according to Johnson, the issue could be helped by improving communication and providing greater clarity in the process of announcing data breaches. It is “not uncommon” for banks to have spied trends in fraudulent transactions and, via industry information sharing, tracked the breached cards “back to a common point of compromise.” However, if the potentially breached organization hasn’t publicly announced a problem, it is “borderline impossible,” for liability reasons, for banks to formally broadcast it.

“They’re reissuing the card, but they can’t be completely transparent on the reasons why they’re reissuing the card,” said Johnson. “It’s frustrating on the part of the bank.”

In addition, the customers might not even understand that the banks themselves haven’t been breached.

“At the end of the day, it behooves every organization to get that information out as soon as possible. Speculation doesn’t do anybody any good,” said Johnson.

The ABA has been vocal in advocating federal legislation to resolve the questions of data breach reporting as well as determining who should shoulder the cost of reissuing cards. Congress has not yet acted on the issue.

“We’ll continue to push. But we recognize realistically that time is short this year. And you’re in an election cycle,” said Johnson. “But we’ll continue, in recognition that we might be having that conversation again next year.”

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass.