ALEXANDRIA, Va. (12/10/14)--In a public statement that focused largely on cybersecurity issues, National Credit Union Administration Chair Debbie Matz said retailers should be held to the same high data protection standards that apply to financial institutions.
Addressing the Metropolitan Area Credit Union Management Association Monday night, Matz also called for retailers and other third parties to cover the costs of data theft that occur due to breaches of their systems.
"Financial institutions are required by law to protect sensitive information," Matz said. "Yet it is financial institutions, not retailers, who must shell out as much as $15 for every new card issued to affected cardholders. It is financial institutions, not retailers, who must monitor affected accounts and reassure consumers that those accounts are still safe. Retailers should be held to the same high data protection standards. It is time to end the double standard."
Cybersecurity will continue to be a supervisory priority for the NCUA in 2015, according to Matz.
"Next year, NCUA will expect credit unions to implement controls to better detect cyberattacks, to better protect themselves and their members and to better recover from those attacks," she said. She called such actions as encrypting sensitive data before transmission, applying access controls, and conducting tests to determine resilience to attacks, "basic cybersecurity measures."
In addition to making cybersecurity an examination priority, the agency has created a resource website.
The Credit Union National Association has been assertively advocating on behalf of credit unions on data breach issues. It also has built an arsenal of educational materials such as the Stop the Data Breaches website.
Going forward, CUNA will continue to work to coordinate its efforts with the NCUA's own cybersecurity initiatives. CUNA will continue to work closely with the Financial Services Information Sharing and Analysis Center, the Financial Services Sector Coordinating Council for Critical Infrastructure, CUNA Mutual Group and other key parties to develop data breach resources and to advocate for stricter breach standards for retailers.
CUNA issued nationwide surveys after both the Target data breach and Home Depot breach to identify the costs to credit unions of the merchant-rated breaches. The Target breach cost credit unions about $30 million--and Home Depot about twice that--meaning credit unions have spent at least $90 million on just those two breaches.
Credit unions not only covered the cost of fraud, but also the costs of blocking transactions, reissuing cards, increasing staff at call centers and monitoring members' accounts. The per-card cost was approximately $5.68 per card for the Target breach and higher than that for the Home Depot security failure.