One of the scariest things to any credit union board, CEO, or CIO is the prospect of your members’ data being hacked. Seeing yourself on the front page of your local newspaper or television station explaining the impact is terrifying.
Unfortunately, the reality is that it is more a question of when, not if, your credit union will be hacked. That means it is essential that your credit union fully understand the consequences of a breach and start mitigating any possible impact now by taking steps to minimize potential data loss.
First, let’s calculate the potential impact. There are two types of costs – direct and indirect.
The direct costs include the following:
- Member Communications
- Forensic Response
- Legal Costs
- Fraud Loss
- ID Theft Protection
- Additional Call Volumes
- Card Reissues
- Legal damages
- Regulatory fines
Indirect costs include:
- Member attrition
- Brand impact
- Insurance deductibles
- Staff productivity and stress
- Business plan distraction
- Opportunity costs
Ultimately, the biggest impact on all of the cost is the amount of data lost. Because of this prime factor, the cost of the breach can vary greatly from $3 per record all the way to over $20k per record. Here is a quick chart based on the size of the CU.
|0-1000 Records||$25k to $2k per record|
|1000-10000 Records||$800 to $500 per record|
|10000-50000 Records||$500 to $200 per record|
|50000-500000 Records||$200 to $50 per record|
|500000-1000000 Records||$50 to $30 per record|
|100,000,000 Records||$3 per record|
While that chart is likely helpful, a credit union doesn’t usually have just one type of record per member. In fact, there are often multiple records such as credit cards, ssn#, driver licenses, or other PII data. So, ultimately, to get a real factor of your credit union’s potential risk, you need to scan the credit union environment to look for three things:
- The number of PII records found across all PCs, servers, email accounts etc.
- The number of people with access to those records
- The known vulnerabilities correlating to the machines where the information is found.
Next, use the chart provided to determine the total risk and track overtime. Finally, wherever the largest amount of PII, with the most access by staff and the most vulnerabilities should be locked down and reviewed immediately. That way, if there is a breach, the impact is greatly minimized. Since systems, people, and data are constantly changing, best practices would dictate making this review a regular, monthly process. Don’t say we didn’t warn you!