Client adivsory: Dealing with increasing retail cyber risks during the COVID-19 crisis

Retailers’ reliance on technology has always been important and now during this time of the coronavirus pandemic it has become even more vital in order to ensure business resiliency in a number of areas of operations.  In recent years, retailers have invested in technologies, strategies and processes to bolster their supply chains, “including cloud-based omni-channel platforms, AI-driven analytics and IoT sensors that reduce forecasting errors; provide real-time insights into machine functioning; track assets all along the supply chain; and achieve order accuracy.” (Source: IDG Insider Pro)

While these technologies have created significant improvements to meet the ever changing needs of consumers, their addition has resulted in some systemic security and privacy risks for the retailer internally — but also due to their intrinsic interconnectedness with suppliers and vendors.

Retail handles a significant amount of sensitive information

As brought to the forefront by large data breaches from years past, retailers are a repository of sensitive information including payment card data, warranty information, consumer preferences and purchasing statistics (geolocation) and loyalty programs details to name a few. 

The regulatory data security environment has continued to change globally (i.e. GDPR) as well as in the US (i.e. CCPA) with more states expanding both their notification and consumer privacy laws (expanding rules under collection, retention and removal of data for example). In response, retailers have needed to amend their procedures and requirements under contracts with vendors and suppliers.

How prepared are retail organizations?

How prepared are retailers to create and enforce cyber security rules? Are they able to act quickly should a cyber-attack occur —  initiate an investigation, deal with claims of financial injury from consumers, and weather the possibility of class action law suits?

Retailers have become more aware and better prepared in recent years, but we have a long way to go before operations of all sizes are prepared for new and more aggressive attacks from cyber-criminal organizations that continue to get smarter and more proficient at finding vulnerabilities.

Midsized organizations are still relatively easy targets. Many of them have adopted cloud technology and digitized their valuable assets. Midsize organizations, however, often have smaller cybersecurity teams, lower organizational security awareness and fewer critical systems to infect — making them easier for cybercriminals to breach and demand ransom.

Cybercriminals still see larger enterprises as the highest-value targets, but midsized organizations, along with their smaller third-party supply chain providers, have become the “low-hanging fruit” that keep the cash flowing for cyber criminals while they work towards the higher payoffs from large companies.

The high cost of technology risks

Here are a few examples of recent cyber issues that have cost retailers in lost revenue, lost opportunity, and hard cash for ransomware, breach response expenses, litigation, forensic accounting costs, and more.

• A national retail chain’s fulfillment system failed leaving it unable to complete customer orders. Full system restoration took more than a month.
• One major U.S. restaurant chain suffered a two-phase malware attack that affected more than 1,000 franchise operations.
• Hackers used stolen credentials from one retail chain to log on to a vendor’s online system, move from there to the retailer’s corporate system and access payment card data for millions of their customers.
• A global wholesale network was literally disabled by ransomware, which paralyzed manufacturing capability for several weeks.

What are the key cyber risks facing retailers?

Point of Sale system exposure
This is a prime avenue for cyber-criminals to attack retailers with some of the industry’s most high-profile data breaches involving new types of malware, which often targeted point of sale (POS) systems

Employee exposure
Errors by well-intentioned (but often under-trained) employees can cause serious harm, as can purposeful attacks by disgruntled, rogue employees. Employee turnover is high, and the typical retailer may have both seasonal and traditional employees, as well as a number of stores and distribution centers — all of which open them up to additional risk.

Health data exposure
If retailers have a pharmacy, drug store or online pharmacy benefit management associated with their business, they face some of the same risks as health care organizations. This information is highly regarded by cyber-criminals, even more so than credit card information. In addition, retailers may collect and share sensitive health information on their employees as part of their benefits offering as well.

Social media exposure
Furloughed employees who have become disgruntled with the company may use their own social media accounts to defame their employer as well as distributing sensitive or even false information. While this may create a media liability risk, some cyber insurance policies will cover it.

Corporate social media accounts can be hijacked to spread misleading claims about the organization. That could produce a negative image, especially if the company is publicly traded.

Why cyber insurance?

There are still unanswered questions around regulatory enforcement and how organizations are prepared for investigations and claims of financial injury from consumers and the ever-creative plaintiffs’ bar, regardless of whether a security or privacy breach occurred. The cyber security insurance marketplace can help address this evolving risk with a number of carriers providing affirmative coverage for wrongful collection events (although the current cyber insurance marketplace typically requires a security or privacy incident trigger).   

Given the continued reliance on emerging technologies, interdependence on vendors and suppliers, the continued existence of sensitive information in a retailers’ care, custody and control, the expanding regulatory environment and with the complications presented by coronavirus, the threat landscape is more uncertain than ever.

Customized policies for retailers

According to the 2019 NetDiligence Claims Study Report, which analyzes actual paid claims, retailers have consistently been among the top four industries from a number of claims perspectives:

• Total breach costs of $240,000 for small-to-medium enterprise retailers
• Total costs of more than $4.2 million for retailers with more than $2 billion in annual revenue
• Breach costs have been increasing due greater frequency and severity of the attacks

Cyber insurance provides a number of solutions to respond to threats.  Marsh & McLennan Agency can design an insurance coverage that provides protection for loss and liability arising out of the use of technology and data in the retail industry. 

    First-Party Cyber Coverages
Business interruption/extra expense: Reimbursement for lost revenue and expenses caused by a technology failure, computer system outage, or cyber-attack, with the option to include:

• Contingent business interruption resulting from a third-party/supply chain event
• Internet of Things products/services used in distribution, inventory, and warehouse operations

Information asset protection: Costs to recreate or reconfigure information and electronic data assets, with option to include cost to replace hardware or to rebuild systems.

Breach/event management: Costs for notification and investigation of privacy and security breaches, including legal and forensic services, with the option to include losses from unauthorized price alteration.

Cyber extortion: Ransom and investigative expenses associated with threats to steal confidential information, introduce malicious code, corrupt computer systems, or hinder system access.

    Third-Party Cyber Coverages
Privacy liability: Failure to prevent breaches of confidential personal information — electronic or hard copy — or to disclose an event, with the option to include coupons, discounts, and goodwill payments in settlements and costs.

Network security liability: Actual or alleged failure of computer security to prevent or mitigate an IoT or computer attack.

Regulatory Defense: Costs to defend regulatory actions and for certain fines and penalties.

Payment Card Information: Fines and penalties for PCI industry settlements, fraud recoveries, chargebacks, and forensic investigations.

MMA is ready to help

Cyber-attacks are likely to increase to take full advantage of the COVID-19 pandemic given that it has forced much of the world onto the internet for shopping, ordering from restaurants, communicating, and more.

The MMA takes a comprehensive approach to helping you manage cyber risk, taking your entire enterprise — operations, compliance, legal, finance, communications and IT — into consideration. After all, everyone in your company has a stake in keeping corporate data and customer information as secure as possible

MMA provides proprietary solutions and best-in-class advisory services to help you understand your cyber risk, vulnerability and threats; measure your exposure with customized tools; and manage your cyber risk using our tailored insurance solutions, education and coaching programs, risk mitigation and loss prevention tools and response planning and performance improvement reviews.

To learn more, talk with your Marsh & McLennan Agency representative.