Today’s digital technologies allow retail businesses to create in-store management efficiencies, and to connect online with customers around the globe. But those same technologies can make retailers vulnerable to cyber risks — risks that can fatally damage the overall health of your brand and business.
While in-store computer systems and consumer-facing websites are a boon for retailers and their customers, the data they collect and maintain — credit card numbers, personal addresses, and other types of sensitive information — makes them a target for cyber crime.
With this ever-more sophisticated and increasing cyber risk, come obligations —to your customers’ privacy and to keep up with a multitude of global and local regulations governing those obligations.
Despite the best intentions of a retail entity, cyber breaches can happen. Here’s a primer on cyber crime — and some tips on how retailers can mitigate that risk.
To cybercriminals, data is profit. Hackers use vulnerabilities to gain access to a system, using methods and software that are ever changing and ever more sophisticated. Here are a few terms that retailers should know:
Phishing — One of the simplest and most common cyber crimes, this relies on an employee clicking into a phony email. This then releases malicious software (malware) and allows bad actors to access the company’s systems.
Distributed Denial of service (DDoS) attack — Also employing the use of malware, these attacks overload and shut down a retailer’s website to enable access to the system and its data.
Ransomware — Software released into the system to shut it down and take it “hostage.” The cyber criminal then demands ransom (generally in untraceable crypto currency) in exchange for providing a key to “release” the system.
What all of these have in common is that they disrupt business and can cost retailers hundreds of thousands of dollars in lost revenues, legal expenses, fines, and reparation costs. Reparations usually necessitate not only technical and financial experts, but also public relations professionals, because of the potential damage to customer trust and brand loyalty. In all, the resourcing and the expense can be enough to seriously cripple or even shut down a retail business.
For more key cyber security terms, check out Cyber Security Terms You Need To Know.
Of course, the best defence against cybercrime is to be on the offence. Here are some tips to protect against this ever more present and growing threat:
Create a data map and a data retention policy that allow employees to understand what data your organization collects and maintains, how long it should be kept, etc. This is crucial information for risk assessment and, in the event of a breach, a critical part of a cyber response plan.
You have an obligation to take defensive measures to protect your retail systems and your customers’ personal and financial information. Data security measures include: installing two-factor authentication for employees and customers; using chip-enabled card technology; and employing end-to-end encryption.
A retailer’s regulatory burden can be complex and varies greatly depending on the products, the physical locations of the business, and where its customers are located. Globally, the regulations are changing as quickly as the cyber threats. Understanding the specific laws and regulations to which your operation is subject is critical to ensuring compliance and avoiding sanctions or fines.
Outsourcing part of your operation may not outsource your liability. If your vendors are exposed, you may be exposed and ultimately liable for any loss, so it is important to choose partners who demonstrate strong cyber vigilance and who invest in a comprehensive cyber insurance policy.
The majority of retail cyber breaches originate internally. Poor employee cyber hygiene — like repeating passwords, email laxity, and failure to use a secure internet — is a proven cause. Written and enforced cyber security policies and regular staff training can greatly lower this risk.
When the worst happens, knowing what and who your resources are can mean the difference between quick and efficient response time, and excessive business days and profits lost. The response team may be both internal and external — I.T. staff, risk manager, cyber response consultant, forensic accountant, insurer, crisis P.R. team, etc.
A global insurance company with both retail and cyber expertise can help assess and manage your risk, customize a policy aligned with your business, understand local regulations, provide resources to train your employees, connect you to cyber response and reparation professionals — and, of course, mitigate any business losses or expenses.
This document is advisory in nature and is offered as a resource to be used together with your professional insurance advisors in maintaining a loss prevention program. It is an overview only, and is not intended as a substitute for consultation with your insurance broker, or for legal, engineering or other professional advice.
Chubb is the marketing name used to refer to subsidiaries of Chubb Limited providing insurance and related services. For a list of these subsidiaries, please visit our website at www.chubb.com. Insurance provided by Chubb Insurance Company of Canada or Chubb Life Insurance Company of Canada (collectively, “Chubb Canada”). All products may not be available in all provinces or territories. This communication contains product summaries only. Coverage is subject to the language of the policies as actually issued.
Contact a Broker today.