Consumer behavior following a breach
A recent blog post by PCIGuru points us to a new study sponsored by the Merchant Acquirers’ Committee that seeks to understand how customers behave after a retail breach. PCIGuru cautions retailers against assuming that they can downplay credit card breaches. According to the study, a majority of shoppers return to transacting with the retailer within three to six months of a credit card breach.
In this article, I describe the results of a risk analysis I conducted to evaluate the impact of customer behavior following a credit card breach, in dollars and cents. The results are clear: retailers cannot assume that the loss exposure is excusable on the basis that "customers are likely to continue shopping regardless of a credit card breach".
There were four main findings in the study:
- Awareness of breaches is poor in general, with a few notable exceptions (e.g., Target, Home Depot)
- Consumers are relatively quick to return to breached merchants
- Consumers continue to favor payment cards over cash or check
- The biggest reason for not returning to the merchant was not directly related to the breach
Of these, the most interesting to us at RiskLens is the second one. When we forecast the exposure to credit card data breaches, we often calculate the effect of lost customers as reputation loss. Reputation loss can be significant for the following reasons:
- The valuation of customer relationships: we have seen this dollar figure fall between $45 and $4,000 in retail.
- The likelihood that customers will take their business elsewhere: this is expressed as a percentage of total affected customers that are likely to permanently take their business elsewhere.
I conducted a risk analysis using RiskLens' CyberRisk Quantification (CRQ) application, and incorporated the parameters described above. The risk scenario can be defined as cyber criminals seeking to exfiltrate credit card data from a retailer.
Prior to running the analysis, I needed to identify key assumptions. For illustrative purposes, I used the following inputs:
- Average valuation of a customer relationship: $575
- Maximum unique customers affected: 70 million customers
- Propensity of customers to permanently leave: described as a distribution between 0.01% at the minimum and 2% at the maximum (the minimum draws on RiskLens research; the maximum on the study results)
Analysis 1: Risk With Capturing Lost Customers
Figure 1 shows the annualized exposure accounting for lost customers. The average exposure is approximately $494 million.
Figure 2 shows the average materialized exposure by the form of loss. Not surprisingly, the costs associated with privacy liability are the highest.
The key bar in Figure 2 is reputation; approximately $201 million at the average. Below, we will contrast these outcomes to outcomes without lost customers.
Analysis 2: Risk Without Capturing Lost Customers
To know the difference in exposure between the two scenarios, we can re-run the prior analysis without the distribution in assumption 3 above.
Figure 3 shows that the average annualized exposure is approximately $298M. This is instrumental in understanding the total change in loss exposure. However, it does not tell us why the exposure is different.
For that, we turn to Figure 4. Here, we can clearly see that almost all the reputation loss from the first analysis is gone, when we do not account for lost customers.
Finally, we compare the outcomes directly using the built-in CRQ reporting. Figure 5 shows the comparison of the two analyses at the average, while Figure 6 shows the overlapping distributions.
These reports highlight the differences in loss exposure with and without the notion of lost customers. It is, at the average, a $195.8M difference, or approximately an unaccounted 40% of total loss exposure. Failing to account for this data may lead to incorrect decisions regarding the prioritization of risk mitigation efforts.
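The with/without comparison in Analyses 1 and 2 can be reproduced in miniature for the reputation-loss term alone. The following is an added example, not RiskLens code and not output of the CRQ application: it takes the three illustrative inputs from this article ($575 per customer relationship, a maximum of 70 million affected customers, a 0.01% to 2% propensity to leave), samples them with a seeded Monte Carlo run, and reports the loss with and without the lost-customer distribution. The distribution shapes (uniform) and the minimum of 1 million affected customers are assumptions the article does not state, and the example models only reputation loss per event, so its figures are not the annualized CRQ results shown in the figures above.

```python
"""Monte Carlo comparison of reputation loss with and without lost customers.

Added example (not the article's or RiskLens' code). Inputs follow the
article's illustrative assumptions; distribution shapes are assumed uniform.
"""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ReputationLossInputs:
    customer_value: float   # dollar valuation of one customer relationship
    min_customers: int      # assumed minimum unique customers affected
    max_customers: int      # maximum unique customers affected
    leave_min: float        # minimum propensity to permanently leave (fraction)
    leave_max: float        # maximum propensity to permanently leave (fraction)


# Article inputs: $575, up to 70M customers, 0.01% to 2% propensity to leave.
# The 1M minimum for affected customers is an assumption not given in the article.
PAGE_INPUTS = ReputationLossInputs(
    customer_value=575.0,
    min_customers=1_000_000,
    max_customers=70_000_000,
    leave_min=0.0001,
    leave_max=0.02,
)


def expected_reputation_loss(p: ReputationLossInputs) -> float:
    """Closed-form expected reputation loss per event for independent uniform inputs.

    E[value * affected * leave] = value * E[affected] * E[leave].
    """
    mean_customers = (p.min_customers + p.max_customers) / 2
    mean_leave = (p.leave_min + p.leave_max) / 2
    return p.customer_value * mean_customers * mean_leave


def simulate_reputation_loss(p: ReputationLossInputs, trials: int = 20_000,
                             seed: int = 1, capture_lost_customers: bool = True) -> list:
    """Sample per-event reputation loss; with capture_lost_customers=False the
    propensity term is dropped, mirroring Analysis 2 (assumption 3 removed)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        affected = rng.uniform(p.min_customers, p.max_customers)
        leave = rng.uniform(p.leave_min, p.leave_max) if capture_lost_customers else 0.0
        losses.append(p.customer_value * affected * leave)
    return losses


def summarize(losses: list) -> dict:
    """Mean and selected percentiles of a sampled loss distribution."""
    s = sorted(losses)
    n = len(s)
    return {
        "mean": statistics.fmean(s),
        "p10": s[int(0.10 * n)],
        "p90": s[int(0.90 * n)],
        "max": s[-1],
    }


def unaccounted_share(with_mean: float, without_mean: float) -> float:
    """Fraction of average exposure that disappears when lost customers are ignored."""
    return (with_mean - without_mean) / with_mean


def compare(p: ReputationLossInputs, trials: int = 20_000, seed: int = 1) -> dict:
    """Run both analyses on the same seed and report the difference at the mean."""
    with_lost = summarize(simulate_reputation_loss(p, trials, seed, True))
    without = summarize(simulate_reputation_loss(p, trials, seed, False))
    return {
        "with_lost_customers": with_lost,
        "without_lost_customers": without,
        "difference_at_mean": with_lost["mean"] - without["mean"],
        "unaccounted_share": unaccounted_share(with_lost["mean"], without["mean"]),
    }


if __name__ == "__main__":
    result = compare(PAGE_INPUTS)
    for label in ("with_lost_customers", "without_lost_customers"):
        r = result[label]
        print(f"{label}: mean ${r['mean']:,.0f}  p10 ${r['p10']:,.0f}  p90 ${r['p90']:,.0f}")
    print(f"difference at mean: ${result['difference_at_mean']:,.0f}")
```

Because the same seed is used for both runs, the only difference between the two distributions is the propensity-to-leave term, which is the point the article's Figure 4 makes: remove that assumption and the reputation bar collapses to nothing while every other input stays fixed. Swapping the uniform distributions for the calibrated ranges a CRQ analysis would use is a matter of changing the two `rng.uniform` calls.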
Armed with the knowledge of the comparative analysis, executive management can determine if the resulting loss exposure difference is acceptable or if it is something that needs to be dealt with.