Editor's Note: The following is a guest post from Brian Dunphy, senior managing director at insurance and risk management solutions firm Crystal & Company, where he heads the management and professional risk group.
Both brick-and-mortar and e-commerce retailers are tempting targets for cyber criminals, especially during the busy holiday season. Retailers such as Target, Home Depot, Michael’s and Neiman Marcus have all been victims of cybercrime, exposing the personally identifiable information of hundreds of millions of private citizens in the aggregate and costing these businesses hundreds of millions of dollars collectively on incident investigation and correction, including customer notification of compromised information, public relations and crisis management, and Payment Card Industry Data Security Standards (PCI-DSS) fines, penalties and assessments.
Whether the cause is point-of-sale (POS) security weaknesses, distributed denial-of-service (DDoS) attacks, inferior information technology infrastructure or lax information security procedures, every breach is unique in one way or another. However, retailers at large all face the same risk factors, with varying degrees of severity.
According to a recent report issued by BDO USA, all of the retailers surveyed cite cybersecurity as a potential risk to their business, a significant increase from 55% in 2011 and 26% in 2007. This is not surprising, given that the POS system, not the stored data, is often the main target of hackers. In the Target attack, which occurred the day before Thanksgiving 2013, the malware was designed to read a POS device’s random-access memory (RAM) at the moment card data was decrypted for processing, stealing the unencrypted data directly from memory.
The Europay, MasterCard and Visa (EMV) system, while an improvement over magnetic stripe credit and debit card technology, is also vulnerable. Although EMV chip-card technology reduces in-person credit card fraud, a terminal that is improperly configured may still be vulnerable to RAM-scraping malware. Further, EMV is an anti-counterfeiting measure, not a network security solution: as such, it does nothing to guard against card-not-present fraud or e-commerce attacks.
With DDoS attacks, online retailers also face the possibility of having their sites taken offline and unable to process daily transactions. Recently, the Mirai malware attack on Dyn, an internet infrastructure firm, shut down dozens of well-known sites including Twitter, Amazon, Spotify, PayPal and Netflix. While a concern, DDoS attacks arguably pose less of a threat to retailers, as cybercriminals benefit only from the continuous flow of transactions (i.e., personally identifiable information) run through POS machines. If there is no flow of information, then nothing can be stolen.
What should retailers do to mitigate losses?
Use the most up-to-date POS hardware and software. Under the EMV liability shift, merchants who do not have secure technology in place (like EMV) can now be held liable for resulting fraud. To address these security issues, retailers need to adopt a multi-tiered approach for securing payment card transactions, which includes implementing end-to-end encryption and tokenization (a process that replaces sensitive credit card data with a unique placeholder) in conjunction with support for EMV.
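To make the tokenization point concrete, here is an added example (not from the original post or any vendor product) of a minimal tokenization vault: the primary account number (PAN) is validated, swapped for a random token that keeps only the last four digits for receipts and reporting, and can be mapped back only by an authorized settlement role. The class and key names are hypothetical; the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization vault. PANs live only here; every other retail
    system (POS, loyalty, analytics, reports) sees nothing but tokens, so a
    compromise of those systems yields no card data."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # constructed key for the keyed lookup index
        self._by_token = {}           # token -> PAN (the only PAN store)
        self._by_index = {}           # HMAC(PAN) -> token, so a repeat card gets the same token

    def _index(self, pan: str) -> str:
        # Keyed hash: the index cannot be reversed or brute-forced without the key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        # Random digits unrelated to the PAN; only the last four digits are preserved.
        while True:
            token = "tok_" + "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the settlement path may recover the PAN; the POS never needs it back.
        if caller_role != "settlement":
            raise PermissionError("only the settlement service may detokenize")
        return self._by_token[token]
```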
Have a proactive cybersecurity strategy. Assume the digital systems have already been breached. Consider the insider as much of a threat as the outsider, and convert the external problem into an internal problem to be solved. A robust and proactive cybersecurity strategy should include both a Written Information Security Program (a set of comprehensive guidelines and policies designed to safeguard all confidential and restricted data) and an Incident Response Plan (a set of written instructions for detecting, responding to and limiting the effects of an information security event).
Remember that there is a difference between information technology and information security. Don’t expect your IT admin to also be an expert in cybersecurity. Rather, hire a security analyst who is focused purely on cybersecurity safeguards. Hackers are always going to be a threat to retailers: the only way to stay protected, or ahead, is to constantly update and upgrade your IT infrastructure and cybersecurity procedures.
Purchase a cyber liability policy. For those instances when your company’s IT and security safeguards are unable to prevent a network security breach, insurance can be a backstop and help mitigate potential losses. However, when purchasing a cyber liability policy, it is imperative that the policy language be explicit in its coverage for risks such as network business interruption, cyber extortion and PCI fines, penalties and assessments, among other nuanced areas of coverage available.
The insurance industry is constantly adapting to evolving cybercrime, and policies are unique based on each individual insurance carrier’s appetite for risk and experience in this arena. As retailers consider cybersecurity exposures on an annual basis, they should give thoughtful review to their existing risk transfer program to assess potential gaps in coverage in consultation with their insurance brokerage partners.