In September, I posted Global Payments’ statement from their quarterly filing that dealt with the costs of a breach disclosed in March 2012. BankInfoSecurity.com has just reported on their most recent filing. Whereas last year, Global Payments estimated the cost of the breach at about $84 million, their current 10-Q filing puts the cost of the breach at $93.9 million. Although the total is up, the overall fraud costs resulting from the incident were significantly lower than what they had estimated last year ($35.9 million vs. $67.4 million). Also of note, they report that their losses due to being removed from PCI-DSS compliant status were “immaterial:”
As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks.
So what are we to make of their report about the impact – or lack thereof – of losing PCI-DSS compliant status? Does losing compliant status really not significantly impact a payment processor? If so, then where’s the motivation to comply? Does their insurance depend on PCI DSS compliance? If not, why should they care about compliance if there have been no material losses due to non-compliance?
The firm provides its updated breakdown of costs:
During the six months ended November 30, 2012, we recorded $9.5 million of expense associated with this incident, bringing the life-to-date total expense to $93.9 million. Of this life-to-date expense, $60.0 million represents costs incurred through November 30, 2012 for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance. An additional $35.9 million represents our estimate of total fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. During the three months ended November 30, 2012, we reduced our estimate of fraud losses, fines and other charges by $31.5 million resulting in a credit of $14.5 million for total processing system intrusion costs for the quarter ended November 30, 2012. We based our initial estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary communications with the networks. We have now reached resolution with and made payments to certain networks, resulting in charges that were less than our initial estimates. The primary difference between our initial estimates and the final charges relates to lower fraud related costs attributed to this event than previously expected.
[…]
We have not reached final resolution with certain other networks. As such, the amount of fraud losses, fines and other charges that will be imposed by those networks could differ from the amount we have accrued as of November 30, 2012. Currently we do not have sufficient information to estimate the amount or range of additional possible loss for fraud losses, fines and other charges that will be imposed upon us by those card networks.
We are insured under policies that we believe may provide coverage of certain costs associated with this event. The policies provide a total of $30.0 million in policy limits and contain various sub-limits of liability and other terms, conditions and limitations, including a $1.0 million deductible per claim. Our insurers have been advised of the circumstances surrounding our recent event. During fiscal year 2012, we recorded $2.0 million in insurance recoveries based on claims submitted to date. During the three months ended November 30, 2012 we received assessments from certain networks and submitted additional claims to the insurers. We expect to receive additional recoveries as the insurers complete their assessments of our claims. We will record receivables for such recoveries in the periods in which we determine such recovery is probable and the amount can be reasonably estimated.
We expect to incur additional costs associated with investigation, remediation and demonstrating PCI DSS compliance. We will expense such costs as they are incurred in accordance with our accounting policies for such costs. We currently anticipate that such additional costs may be $25 to $35 million in fiscal 2013 (prior to any potential insurance recovery), including the $9.5 million recorded during the six months ended November 30, 2012. We anticipate that we may receive additional insurance recoveries of up to $28 million although the timing of such recoveries is uncertain and such recoveries may not occur in fiscal 2013.
Litigation costs may also impact the firm, and they note the potential class-action lawsuit filed in April 2012 by Natalie Willingham in the United States District Court for the Northern District of Georgia. Global filed a motion to dismiss in October, but as of today the court has not ruled on that motion. Global Payments notes:
This event could result in additional lawsuits in the future. In addition, governmental entities have made inquiries and may initiate investigations related to the event. We have not recorded any loss accruals related to these items or any other claims (except as described above) that have been or may be asserted against us in relation to this incident as we have not determined that losses associated with any such claims or potential claims are probable. Further, we do not have sufficient information to estimate the amount or range of possible losses associated with such matters. As more information becomes available, if we should determine that an unfavorable outcome is probable on such a claim and that the amount of such probable loss that we will incur on that claim is reasonably estimable, we will accrue our estimate of such loss. If and when we record such an accrual, it could be material and could adversely impact our financial position, results of operations or cash flows.
So… $93.9 million and counting, but no material losses due to being non-compliant with PCI DSS. Is anyone else surprised by that?
These numbers are way out of whack. Go look up any megabreach and divide the number of records lost into the total remediation cost. It’s in the neighborhood of $5 per record and a few were as low as $2 per record. These guys are over $60 per record. There’s either something they’re not telling us or they’re lousy negotiators.
I know what you mean. Their numbers are pretty consistent with what Ponemon reported last year. They had put the cost at about $194/record, but noted that certain factors could reduce that to about $80/record, which would be about what Global is reporting. But I never fully believed Ponemon’s figures as they seem too high to me. Maybe the more appropriate comparison for this breach is Heartland Payment Systems, where there were 130M card numbers involved, and the breach reportedly cost them $140M, or slightly more than $1/per. But even though Global had “only 1.5M” card numbers involved, some costs aren’t number-dependent, so I would expect their per record cost to be a lot higher than Heartland’s.
When you look at their breakdown of costs, which specific figures seem wrong or questionable to you?
When we were in the market for breach insurance I ran every megabreach I knew about against costs reported in public filings like SEC records. Even big ones like TJX and Sony were less than $10 per record. The insurance companies were promoting limits like the “Ponemon cost multiplied by every record we held” and we figured we would be way over-paying if we took their proposed limits. The simple fact is that a lot of the process gets automated in big breaches and you don’t incur the same investigative costs for every record, just one big cost to figure out what happened. Yes, we know the companies don’t report all costs so we threw in a fudge factor.
The Ponemon numbers include “customer churn” guesses but the reality is no one seems to lose customers permanently. In fact, a large breach seems to help overall sales and revenue figures because the company gets more focused on the customers.
We know our average “salary + benefits” cost for the company. So we took that number and divided it by 2080 hours per year to get an average employee cost per-hour. We then reviewed our records to figure out how many people got involved in a reported breach and how much time it took. This included taking the call, referring it to compliance, investigating how it occurred including interviewing people in the affected departments and their time, legal review, drafting the response to the customer and implementing the response. For a single record breach it usually runs between four and eight hours.
For a single record breach, our direct and indirect costs run a range of $100 to $350 per record without factoring in any customer churn numbers. Some require more investigation and thus more employees involved. Some involve third-party service providers, some don’t. Some are pretty clear cut, like a statement sent to the wrong person. Some require credit monitoring, some don’t.
If you look at the filings for FIS Global, they had a $13 million loss in March 2011. Their SEC filings from 2012 say they are spending around 5% of operating revenues on information security now. That’s around $250 million (which apparently is way up from previous years). That’s still only $20 a record. One filing says their 2012 spend was expected to be almost double what their 2011 spend was. The breach occurred in March 2011 so it’s pretty obvious their 2010 spend on information security was almost nil in relation to their revenue.
It’s also obvious to me that they were way under-investing in information security if their federal regulators are making them spend that much to catch up. So you cannot attribute the total ongoing cost increase to the breach itself because they apparently are now doing what they were supposed to do in the first place and thus should have been spending that money already.
In a cold, hard dollars-and-cents calculation, they may have lost $13 million dollars but they “saved” way more than $13 million in each year previous to the breach. So it helps the bottom line to not have information security as long as you have the resources to survive the breach event.
This is why I love this blog. I continually learn things from commenters. Thanks so much for sharing that! In a conversation with Larry Ponemon last year, I told him the problem with his reports was that they were based on guesses and not objective data. Your analysis seems more realistic to me.