There’s no doubt that bank data breaches cost businesses money, but the costs associated with breaches add up beyond a round dollar figure. Most studies that calculate the costs of breaches focus on short-term, quantifiable costs such as discovering and mitigating the breach and recovering assets. But the long-term, indirect breach costs (such as hits to the stock price, brand reputation, and reduced customer loyalty) can be harder to quantify. Historically, a dip in stock price after a breach is temporary, and stocks typically rebound in the months following a breach. Customer loyalty and brand reputation don’t follow the same predictable pattern.
Fraud Transactions Influence Customer Retention
Until now, researchers weren’t sure how the rate of customer retention would be impacted after breach events. Many had argued that customers become immune to breaches after nearly constant disclosures and concluded that customers wouldn’t be likely to sever a relationship if reimbursed. However, Carnegie Mellon University released a study about the effect of fraudulent transactions on customers’ relationship with their bank. The findings of the study offer a different perspective and show that customers will leave a bank after experiencing fraudulent charges on an account.
The study focused on more than 500,000 customers of a leading U.S. bank over a five-year period and found that customers who experienced unauthorized charges on their account were one percentage point more likely than the average customer to end the relationship with their bank within the next six months. Keep in mind, these customers had their fraudulent charges credited back to them. Customers who reported a fraudulent transaction that was later determined by the bank to be a valid client charge were 2.7 percentage points more likely to end their relationship with the bank within the next six months. These are customers who did not have what they thought was a fraudulent charge credited back to their account. Customers who had been with the bank the longest and those with larger fraudulent charges (more than $500) were even more likely to sever ties.
Researchers found that after fraudulent charges are discovered, the customer often does not know how his financial information was breached, just that a fraudulent charge was made on his account. When a fraudulent charge is not clearly accounted for, customers become concerned that the breach itself has not been rectified and that additional fraudulent charges will happen. Interestingly, a customer’s information may not have been breached by bank error at all; however, customers ultimately hold banks accountable for fraudulent charges. Banks could be innocent of wrongdoing, reimburse customers for fraudulent transactions, and still lose those customers.
How Customers Respond to Breaches Across Industries
Can we apply these numbers to other industries? While healthcare insurers and providers host a wealth of information, customers are not at liberty to move through the industry at will like they are with banks or retail stores. Customers may only have a choice of one or two insurers in a healthcare market and customers’ choice of healthcare provider may be limited by who accepts their insurance. Further, customers cannot leave insurers at will, usually being contracted for a full year.
In the retail industry, customers can come and go at will. However, a customer’s tenure with a retailer depends in part on where the customer lives and whether there is a choice of places to shop. The rates of customer loss seen at banks can transfer to the retail industry, because there is more customer choice among retailers in most places in the country. This will not apply in every market, but it is reasonable to expect customers to avoid retailers that breach their information.
Future Implications for Banks
Even more problematic for the future of retail banks, firms are increasingly offering mobile applications, or card-not-present transactions, for consumers to use on the go. Retail commerce is moving from brick and mortar and from e-commerce to mobile e-commerce. Banks offer mobile banking applications. This is increasing the attack surface and exposing more information across multiple sites, both physical and virtual. Attackers are becoming more savvy. While all firms are becoming better at protecting data, breaches will still happen.
In fact, a study from Accenture shows that banking executives’ confidence in their cyber security strategy is increasing. Half of respondents said they have high confidence in their ability to detect a breach. Yet, respondents reported an average of 85 serious attempted breaches annually and 99 percent of breached banks admit that it took several months to detect a breach.
Banks and financial firms need to ensure transactions are legitimate or risk losing market share. When customer financial information gets breached, it doesn’t have to be the fault of the bank for customers to hold the bank accountable. Knowing this, banks should be more inclined to focus on safeguarding accounts and making sure transactions are legitimate using security measures such as two-factor authentication and biometrics.