Retailers’ reliance on technology has always been important, and during the coronavirus pandemic it has become even more vital to ensuring business resiliency across a number of areas of operations. In recent years, retailers have invested in technologies, strategies and processes to bolster their supply chains, “including cloud-based omni-channel platforms, AI-driven analytics and IoT sensors that reduce forecasting errors; provide real-time insights into machine functioning; track assets all along the supply chain; and achieve order accuracy.” (Source: IDG Insider Pro)
While these technologies have created significant improvements to meet the ever-changing needs of consumers, their addition has resulted in some systemic security and privacy risks, both internally for the retailer and through their intrinsic interconnectedness with suppliers and vendors.
Retail handles a significant amount of sensitive information
As brought to the forefront by large data breaches from years past, retailers are a repository of sensitive information including payment card data, warranty information, consumer preferences and purchasing statistics (geolocation) and loyalty program details, to name a few.
The regulatory data security environment has continued to change globally (e.g., GDPR) as well as in the US (e.g., CCPA), with more states expanding both their notification and consumer privacy laws (expanding rules on the collection, retention and removal of data, for example). In response, retailers have needed to amend their procedures and requirements under contracts with vendors and suppliers.
How prepared are retail organizations?
How prepared are retailers to create and enforce cyber security rules? Are they able to act quickly should a cyber-attack occur — initiate an investigation, deal with claims of financial injury from consumers, and weather the possibility of class-action lawsuits?
Retailers have become more aware and better prepared in recent years, but we have a long way to go before operations of all sizes are prepared for new and more aggressive attacks from cyber-criminal organizations that continue to get smarter and more proficient at finding vulnerabilities.
Midsized organizations are still relatively easy targets. Many of them have adopted cloud technology and digitized their valuable assets. Midsize organizations, however, often have smaller cybersecurity teams, lower organizational security awareness and fewer critical systems to infect — making them easier for cybercriminals to breach and demand ransom.
Cybercriminals still see larger enterprises as the highest-value targets, but midsized organizations, along with their smaller third-party supply chain providers, have become the “low-hanging fruit” that keep the cash flowing for cyber criminals while they work towards the higher payoffs from large companies.
The high cost of technology risks
Here are a few examples of recent cyber issues that have cost retailers in lost revenue, lost opportunity, and hard cash for ransomware, breach response expenses, litigation, forensic accounting costs, and more.
- A national retail chain’s fulfillment system failed, leaving it unable to complete customer orders. Full system restoration took more than a month.
- One major U.S. restaurant chain suffered a two-phase malware attack that affected more than 1,000 franchise operations.
- Hackers used stolen credentials from one retail chain to log on to a vendor’s online system, move from there to the retailer’s corporate system and access payment card data for millions of their customers.
- A global wholesale network was literally disabled by ransomware, which paralyzed manufacturing capability for several weeks.
What are the key cyber risks facing retailers?
Point of Sale system exposure
This is a prime avenue for cyber-criminals to attack retailers: some of the industry’s most high-profile data breaches involved new types of malware, which often targeted point of sale (POS) systems.
Employee exposure
Errors by well-intentioned (but often under-trained) employees can cause serious harm, as can purposeful attacks by disgruntled, rogue employees. Employee turnover is high, and the typical retailer may have both seasonal and traditional employees, as well as a number of stores and distribution centers — all of which open them up to additional risk.
Health data exposure
If retailers have a pharmacy, drug store or online pharmacy benefit management associated with their business, they face some of the same risks as health care organizations. This information is highly regarded by cyber-criminals, even more so than credit card information. In addition, retailers may collect and share sensitive health information on their employees as part of their benefits offering as well.
Social media exposure
Furloughed employees who have become disgruntled with the company may use their own social media accounts to defame their employer or to distribute sensitive or even false information. While this may create a media liability risk, some cyber insurance policies will cover it.
Corporate social media accounts can be hijacked to spread misleading claims about the organization. That could produce a negative image, especially if the company is publicly traded.
Why cyber insurance?
There are still unanswered questions around regulatory enforcement and how organizations are prepared for investigations and claims of financial injury from consumers and the ever-creative plaintiffs’ bar, regardless of whether a security or privacy breach occurred. The cyber security insurance marketplace can help address this evolving risk with a number of carriers providing affirmative coverage for wrongful collection events (although the current cyber insurance marketplace typically requires a security or privacy incident trigger).
Given the continued reliance on emerging technologies, the interdependence on vendors and suppliers, the continued existence of sensitive information in a retailer’s care, custody and control, the expanding regulatory environment and the complications presented by coronavirus, the threat landscape is more uncertain than ever.
Customized policies for retailers
According to the 2019 NetDiligence Claims Study Report, which analyzes actual paid claims, retailers have consistently been among the top four industries from a number of claims perspectives:
- Total breach costs of $240,000 for small-to-medium enterprise retailers
- Total costs of more than $4.2 million for retailers with more than $2 billion in annual revenue
- Breach costs have been increasing due to the greater frequency and severity of the attacks
Cyber insurance provides a number of solutions to respond to threats. Marsh & McLennan Agency can design insurance coverage that provides protection for loss and liability arising out of the use of technology and data in the retail industry.
First-Party Cyber Coverages
Business interruption/extra expense: Reimbursement for lost revenue and expenses caused by a technology failure, computer system outage, or cyber-attack, with the option to include:
- Contingent business interruption resulting from a third-party/supply chain event
- Internet of Things products/services used in distribution, inventory, and warehouse operations
Information asset protection: Costs to recreate or reconfigure information and electronic data assets, with the option to include the cost to replace hardware or to rebuild systems.
Breach/event management: Costs for notification and investigation of privacy and security breaches, including legal and forensic services, with the option to include losses from unauthorized price alteration.
Cyber extortion: Ransom and investigative expenses associated with threats to steal confidential information, introduce malicious code, corrupt computer systems, or hinder system access.
Third-Party Cyber Coverages
Privacy liability: Failure to prevent breaches of confidential personal information — electronic or hard copy — or to disclose an event, with the option to include coupons, discounts, and goodwill payments in settlements and costs.
Network security liability: Actual or alleged failure of computer security to prevent or mitigate an IoT or computer attack.
Regulatory Defense: Costs to defend regulatory actions and for certain fines and penalties.
Payment Card Information: Fines and penalties for PCI industry settlements, fraud recoveries, chargebacks, and forensic investigations.
MMA is ready to help
Cyber-attacks are likely to increase to take full advantage of the COVID-19 pandemic, given that it has forced much of the world onto the internet for shopping, ordering from restaurants, communicating, and more.
MMA takes a comprehensive approach to helping you manage cyber risk, taking your entire enterprise — operations, compliance, legal, finance, communications and IT — into consideration. After all, everyone in your company has a stake in keeping corporate data and customer information as secure as possible.
MMA provides proprietary solutions and best-in-class advisory services to help you understand your cyber risk, vulnerability and threats; measure your exposure with customized tools; and manage your cyber risk using our tailored insurance solutions, education and coaching programs, risk mitigation and loss prevention tools and response planning and performance improvement reviews.
To learn more, talk with your Marsh & McLennan Agency representative.