Wisconsin Community Banker
March/April 2014
Planning Now Can Limit Future Data Breach Losses
Eric Lillard, PULSE Vice President, Fraud and Risk Management
Financial institution executives and their cardholders, as well as merchants and other financial services organizations, are understandably on edge these days. Recent high-profile point-of-sale security breaches have revealed a pressing need to reevaluate card security. While the investigations into precisely what happened will likely help to sharpen defenses in the future, PULSE is encouraging issuers to seize this opportunity to plan for the next cyber attack.
Every organization involved in debit and credit card transactions is facing fraudsters who have proved to be intelligent, coordinated, strategic and stealthy. The nonprofit Privacy Rights Clearinghouse calculates that over the past nine years businesses including financial institutions and retail outlets have reported 1,571 breaches involving 470 million customer financial records.
These attacks are not opportunistic in nature. They are the result of deliberate efforts and long-term planning. Evidence suggests the holiday breaches were likely launched much earlier in the year, with hackers compromising systems, exploring what they could without being detected, and then waiting patiently for an opportune moment to execute their plan.
Over the next 18 to 24 months, the risk of data breaches will continue to challenge the industry. Financial institutions can expect increased scrutiny of everything from the standards and practices of technology service providers and their core processors to the type of payment cards issued.
Third-party risks were already in the crosshairs of regulators prior to the breaches, with the Office of the Comptroller of the Currency issuing updated guidance for banks to shore up defenses by improving their vendor management programs. Likewise, the push toward the EMV standard has been boosted immeasurably by the breaches.
Time for Planning
A Fraud Incident Response Plan is an essential tool that can provide structure and rational thinking during the stress and anxiety that accompany these types of events. Any financial institution that doesn’t already have a formalized Fraud Incident Response Plan should consider developing one as part of its risk management process.
During the chaotic and emotional response to the holiday breaches, it was easy to distinguish between the financial institutions that had a plan in place and had rehearsed these situations from those that did not. A plan takes into account the very stressful conditions that accompany a fraud incident. It also provides the financial institution with a framework for making critical business decisions based on data and previously identified risk tolerance levels.
Financial institutions that planned ahead were in a far better position to address the challenges they faced when a large number of their customers’ cards were at risk. Essential elements of a Fraud Incident Response Plan include:
• Profiles of your transaction-level activity to aid in the rule strategy development process
• Contact information for all process participants including internal and external departments, vendors, decision makers, approvers, etc.
• Clear understanding of your organization’s rule strategy approval process (time is money)
• An accurate inventory of all fraud strategies currently in place within your financial institution
• An assessment of known gaps or risks in your fraud mitigation program to help reduce surprises during the heat of the battle
Where possible, identify potential solutions to those gaps you identify. This may include the use of third-party organizations that can provide technical and human resource consultants.
A Fraud Incident Response Plan can provide structure and rational thinking during a breach.