All around the globe, retailers are scrambling to put systems and processes in place to avoid the next data breach. While you might think cyber security has made great strides, businesses are more vulnerable than ever and the threat is increasing exponentially.
Internet security firm Symantec reports that the incidence of so-called "mega-breaches" – defined as those in which at least 10 million people were exposed – jumped 700% in 2013. The good guys working on cyber security measures are smart and hardworking, but the reality is they're slipping farther behind the bad guys. Laws typically follow need.
Most American retailers have point of sale exposures because they utilize magnetic swipe cards for payments. These are far more vulnerable than European "smart cards," a system towards which American retailers are headed. However, in the meantime they are vulnerable.
Take last year's data breach at Target Corp. Analysts have said the cost to the company could be more than a billion dollars. In many ways, 2014 has been the year of data insecurity with personal information exposed, whether private photos or credit card digits. Given this wave of data breaches, retailers must build up their defenses against data hacks. This goes for smaller businesses too – you don't have to be a national chain to be targeted by cyber criminals. Even if you have a world-class IT team that has implemented the very latest security systems and processes, there is a very real possibility that your seals are not tight enough. That's why organizations must also have cyber insurance to back up IT security precautions.
Cyber risk defined
When we talk about cyberattacks, we're usually talking about the taking of information. Approximately 80% of cyberattacks are focused on theft or loss of information. It is rarely a "worm" designed to take down a system. Executives need to realize that cyber security is central to safeguarding their most precious assets—intellectual property, customer information, financial data and employee records. Not doing so can be disastrous. This is serious business.
In addition to deploying appropriate enterprise risk management, organizations should also consider the purchase of cyber insurance. Many businesses know this and have done so. However, it pays to look more closely at that insurance policy. Cyber insurance is a relatively new coverage area for carriers and therefore policies vary dramatically. There are numerous stories about businesses purchasing boilerplate cyber coverage only to realize that is virtually useless when criminals strike. These policies often have major gaps that leave the client ostensibly uninsured. When it comes to cyber insurance, businesses often don't realize what they need and what they don't have.
There are several reasons cybercrime is on the rise, and they all have to do with increased vulnerability:
- The proliferation of cloud computing
- The rise of mobility, including the mobility of data through thumb drives and other storage devices
- More people using credit cards
(Photo: Shutterstock)
Cyber insurance as a cash-flow tool
Executives should think about cyber insurance as a cash-flow tool. If a business system is attacked and high-priced consultants have to be hired to fix the problem, a significant cash flow will be required to cover the expense. There could be lawsuits by customers to deal with and significant loss of revenue, not to mention hard-to-overcome reputation damage. The risk is real. The loss can happen in the blink of an eye. And if you aren't properly insured, the result can be catastrophic. If it happens, will you be prepared?
This isn't just about retailers
When you've seen the news reports about major retailers getting hacked and losing huge amounts of consumer credit card information, you likely thought, thank goodness that would never happen to me. The reality is that B2B companies, non-profits and public entities are very much in the crosshairs of cyber risk, and you need to take precautions immediately. A study last year showed that Android phone users have taken no security precautions at all. If your employees use Android phones, do they fall into this unprotected group? And if they do, what impact might that have on the security of your IT infrastructure?
Cyber security is central to safeguarding an enterprise's most precious assets: intellectual property, customer information, financial data and employee records. Not doing so can be disastrous. Damages may vary depending on the size of the targeted company, according to the latest report from IT security firm Kapersky – on average, a cyber incident costs an enterprise more than $2.5 million; they cost small businesses an average of $84,000. Regardless of the size of your retail business, you're likely looking at those numbers and thinking there go the holiday season profits.
Not all cyber risk insurance is created equal
Here's the problem with cyber insurance—a substandard policy can leave a business exposed. A good cyber insurance policy will include first party or business interruption coverage. In many instances, coverage is for liability only, but that's not going to be good enough when your organization comes to a standstill. And while business owners may be covered for lawsuits, they will not see any coverage for lost revenues. Additionally, businesses must pay close attention to the exclusions in their policy; particularly with cyber insurance, exclusions can leave you with a policy full of holes.
Unlike property insurance or workers' compensation, there are no standardized cyber insurance policies, which means business owners must pay close attention to their coverage.
Remember, there's a one in seven chance your business will be attacked this year. Will you be able to recover if it happens?
James W. Gow, Jr. is senior vice president, P&C practice for Corporate Synergies.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.