Global Payments revises total breach cost estimates upwards, but wait until you see what *didn’t* cost them

In September, I posted Global Payments’ statement from their quarterly filing that dealt with the costs of a breach disclosed in March 2012. BankInfoSecurity.com has just reported on their most recent filing. Whereas last year Global Payments estimated the cost of the breach at about $84 million, their current 10-Q filing puts the cost of the breach at $93.9 million. Although the total is up, the overall fraud costs resulting from the incident were significantly lower than what they had estimated last year ($35.9 million vs. $67.4 million). Also of note, they report that their losses due to being removed from PCI-DSS compliant status were “immaterial:”

As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks.

So what are we to make of their report about the impact – or lack thereof – of losing PCI-DSS compliant status? Does losing compliant status really not significantly impact a payment processor? If so, then where’s the motivation to comply? Does their insurance depend on PCI DSS compliance? If not, why should they care about compliance if there have been no material losses due to non-compliance?

The firm provides its updated breakdown of costs:

During the six months ended November 30, 2012, we recorded $9.5 million of expense associated with this incident, bringing the life-to-date total expense to $93.9 million. Of this life-to-date expense, $60.0 million represents costs incurred through November 30, 2012 for professional fees and other costs associated with the investigation and remediation, incentive payments to certain business partners and costs associated with credit monitoring and identity protection insurance. An additional $35.9 million represents our estimate of total fraud losses, fines and other charges that will be imposed upon us by the card networks. We have also recorded $2.0 million of insurance recoveries based on claims submitted to date as discussed below. During the three months ended November 30, 2012, we reduced our estimate of fraud losses, fines and other charges by $31.5 million resulting in a credit of $14.5 million for total processing system intrusion costs for the quarter ended November 30, 2012. We based our initial estimate of fraud losses, fines and other charges on our understanding of the rules and operating regulations published by the networks and preliminary communications with the networks. We have now reached resolution with and made payments to certain networks, resulting in charges that were less than our initial estimates. The primary difference between our initial estimates and the final charges relates to lower fraud related costs attributed to this event than previously expected.

[…]

We have not reached final resolution with certain other networks. As such, the amount of fraud losses, fines and other charges that will be imposed by those networks could differ from the amount we have accrued as of November 30, 2012. Currently we do not have sufficient information to estimate the amount or range of additional possible loss for fraud losses, fines and other charges that will be imposed upon us by those card networks.

We are insured under policies that we believe may provide coverage of certain costs associated with this event. The policies provide a total of $30.0 million in policy limits and contain various sub-limits of liability and other terms, conditions and limitations, including a $1.0 million deductible per claim. Our insurers have been advised of the circumstances surrounding our recent event. During fiscal year 2012, we recorded $2.0 million in insurance recoveries based on claims submitted to date. During the three months ended November 30, 2012, we received assessments from certain networks and submitted additional claims to the insurers. We expect to receive additional recoveries as the insurers complete their assessments of our claims. We will record receivables for such recoveries in the periods in which we determine such recovery is probable and the amount can be reasonably estimated.

We expect to incur additional costs associated with investigation, remediation and demonstrating PCI DSS compliance. We will expense such costs as they are incurred in accordance with our accounting policies for such costs. We currently anticipate that such additional costs may be $25 to $35 million in fiscal 2013 (prior to any potential insurance recovery), including the $9.5 million recorded during the six months ended November 30, 2012. We anticipate that we may receive additional insurance recoveries of up to $28 million although the timing of such recoveries is uncertain and such recoveries may not occur in fiscal 2013.

Litigation costs may also impact the firm, and they note the potential class-action lawsuit filed in April 2012 by Natalie Willingham in the United States District Court for the Northern District of Georgia. Global filed a motion to dismiss in October, but as of today, the court has not ruled on the motion to dismiss. Global Payments notes:

This event could result in additional lawsuits in the future. In addition, governmental entities have made inquiries and may initiate investigations related to the event. We have not recorded any loss accruals related to these items or any other claims (except as described above) that have been or may be asserted against us in relation to this incident as we have not determined that losses associated with any such claims or potential claims are probable. Further, we do not have sufficient information to estimate the amount or range of possible losses associated with such matters. As more information becomes available, if we should determine that an unfavorable outcome is probable on such a claim and that the amount of such probable loss that we will incur on that claim is reasonably estimable, we will accrue our estimate of such loss. If and when we record such an accrual, it could be material and could adversely impact our financial position, results of operations or cash flows.

So… $93.9 million and counting, but no material losses due to being non-compliant with PCI DSS. Is anyone else surprised by that?

About the author: Dissent