What To Expect When You’re Expecting A Breach

Last year set a record for data breaches. U.S. companies and government agencies suffered a record 1,093 breaches in 2016 — that’s a 40% increase from 2015, according to the Identity Theft Resource Center. And even with nearly three months remaining in 2017, reports say breaches are occurring at a record pace.

Data breaches, it seems, are a fact of life.

For financial institutions, the volume and scope of breaches that occur outside the bank or credit union — whether Equifax, Wendy’s, Sonic, or Home Depot — presents significant challenges.

There are four primary credit union impacts, say Scott Daukas and Daniela Parker, chief risk officer and assistant vice president of risk management, respectively, at TwinStar Credit Union ($1.2B, Olympia, WA).

First is the financial impact on the institution.

“Depending on the nature of the breach, there will potentially be IT restoration costs, forensic accounting costs, plastic card reissuance, attorney’s fees, and settlement costs,” Daukas says. “Some, but not all, of these costs are insured, but most insurance doesn’t cover even close to the costs of a wide-scale data breach.”

Credit unions can write-off some of the loss from fraudulent activity but not all.

“We have charge-back rights,” says Ron Felder, executive vice president and chief lending officer at Redwood Credit Union ($3.5B, Santa Rosa, CA). “We can try and recoup, but it’s not always possible. We probably recover 70% of what we write-off. It’s a decent recovery, but there are still significant dollars at risk.”

Other impacts include reputational damage, resource strain, and business disruption.

“Depending on the nature of the breach, we might need to shut down and quarantine critical services like online banking, mobile banking, or core processing,” Parker says. “That would likely result in major disruptions to our business.”

Knowing the trouble areas are one thing, knowing what to do is another. Unfortunately, there’s no one-size-fits-all response.

A credit unions post-breach response evolves according to several variables, including breach size, when and how it was detected, whether it was internal or external, if it’s criminal or negligent, and more.

“We make sure we help members understand all the things they can do to mitigate fraud activity, such as setting up transaction alerts, adjusting daily limits on their cards, or even locking them if they are not in use,” Felder says.

Beyond member communication, Daukas at TwinStar says the credit union needs to also communicate with its board of directors, supervisory committee, and state and federal regulators.

TwinStar treats breaches as an incident that affects business continuity, so it activates its business continuity planning team. Additionally, the credit union notifies its insurance company and a third-party PR firm it holds on retainer.

After addressing administrative tasks, however, credit unions face the decision of whether to reissue credit cards.

Card reissuance, especially en masse, is a pricy endeavor for any credit union. It can also cause member inconvenience, especially if the breach occurs in a high-usage time, like the holiday season.

It takes time to reissue, and the member might be without a card from some time, Redwood’s Felder says. And then wherever that card is registered, members have to update that information.

But there are tangible benefits to a mass reissue.

With new plastic, credit unions can head off fraud losses before they occur.

So, how does a credit union know when it makes more sense to reissue versus wait for potential fraud losses to occur?

Like anything else, practice helps.

“When the TJ Maxx, Target, and Home Depot breaches hit, the entire industry learned about the management of these processes,” Daukas says. “In the beginning, I would say the risk of unknown fraud losses, combined with a fearful consumer, led most credit unions to mass reissue cards.”

Now, the industry is more aware and has more data on which to base decisions.

“Unfortunately, historical evidence provides more accurate correlations,” Parker says. “Theoretically, the more breaches we have [to learn from] the better we would be at predicting losses.”

Historical evidence provides more accurate correlations. Theoretically, the more breaches we have [to learn from] the better we would be at predicting losses.

Redwood has several rules of thumb for making the decision to mass reissue, Felder says.

For example, if 15% of its card portfolio has confirmed fraud, a mass reissue is necessary.

Also, if pin numbers are compromised as part of the breach, a mass reissue is necessary.

Further, if Redwood can identify a common point of compromise, it will reissue cards that have been used at that location and notify the merchant and local law enforcement.

The level of information compromised should also play into a credit union’s decision to reissue. Did the breach include non-public information such as social security numbers? If it was card related, were card and pin numbers stolen?

“We believe there is a spectrum of risk that runs with the volume of consumers involved and what type of information,” Daukas says.

At the end of the day, the best a credit union can do is arm members with information to keep themselves abreast of any fraudulent activity that might occur on their accounts. In conjunction, an institution should base its response not on gut feel, but on risk thresholds and other available data.

Through its own internal monitoring, TwinStar has seen how close its fraud loss assumptions need to be to its true losses before a mass reissuance strategy makes sense.

“You don’t know the fraud loss that is involved with a monitor-and-react strategy,” Daukas says. “But credit unions must use data and not gut feeling.”