Damage from Data Breaches in the Retail Sector is Diminishing, But Progress is a Mixed Bag

Transcription

1 Damage from Data Breaches in the Retail Sector is Diminishing, But Progress is a Mixed Bag Retailers were well represented on the list of The 10 Most Expensive Data Breaches compiled by Lori Widmer in LifeHealthPro (June 18, 2015). The Hannaford Bros, Target, TJ Maxx, and Home Depot breaches represented a combined estimated cost of $722 million, according to Widmer. As contingent third party losses trickle in and become adjudicated, that number could well climb much higher over time. In addition to direct monetary costs, retailers run the risk of losing customers to competitors and other channels. In his New York Times article, A Hacking Epidemic That Hits Few Consumers in the Wallet, Nathaniel Popper writes that, according to The Nilson Report, criminals made $7.8 billion in fraudulent purchases in 2014, with retailers paying 38% of the cost ($3.0 billion) that portion which banks did not pay. As we enter 2016, retail breaches seem to make fewer headlines, so prevention and detection systems would appear to be working better. But there are still some key areas that should be addressed to improve security, including having up-to-date contingency plans. Fraudulent use of customers credit card information is only one of the areas requiring improvement as criminals There were $7.8 billion in fraudulent purchases in 2014, with retailers paying 38% of the cost, or $3 billion. become more sophisticated. Consequently, retailers and their customers are being exposed to new risks. Impact of a Data Breach One way to measure the impact of data breaches on retailers is to look at their per capita costs. This is calculated based on the number of people impacted plus any costs associated with repairing the data breach, including notification, forensics, reputational repair and crisis communication. The $165 per capita cost of data breaches in retail is well below the median cost of $215 per capita for all industry sectors (which is skewed upward by high costs for health and education related breaches), but remains slightly above the cross-industry mean cost of $154 per capita. (Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis.) However, the $165 cost to retailers in 2015 represents a dramatic increase from a per capita cost of $105 in The Ponemon study, which included 37 retailers, generally attributes this increase to retailers spending more to address the consequences of data breaches, such as breach escalation, lost business, and post-breach costs.

2 Even though the cost per capita and customer churn for data breaches rose last year, retailers continue to whittle away at many of the blind spots that bedevil companies in every industry sector (which we ll discuss shortly) but the industry still has a long way to go. Another way to measure the impact of a data breach is the loss of customers to competitors and other channels. Abnormal customer churn for retailers (after data breaches that compromise personally identifiable information) is still well below customer churn rates in the healthcare, pharmaceutical and financial services sectors. However, between 2014 and 2015 abnormal churn increased appreciably to 2.1% from 1.3%, a 62% increase. So while churn is still a challenge for retailers, it s not quite as bad as in other industries. What Are Retailers Doing Better? Merchants are partnering with banks and credit card issuers to develop new methods to detect fraudulent purchases as a reasonable way to deal with apportioning liability for credit card fraud. They are working Merchants are to delineate responsibility for partnering with the Sisyphean task of trying to banks and credit protect credit card numbers card issuers to which may be essentially unprotectable because, as develop new one writer said, credit card methods to numbers are an asset that detect fraudulent have to be shared in order purchases. to be used, and which can be abused simply by knowing what they are. Banks and new enterprises are helping by creating alternative secure payment infrastructures, and replacing traditional (mag stripe) credit cards with those with E.M.V. chips (the Europay, MasterCard, and Visa technical standard for smart cards). These techniques, which are focused more on protection, are making a difference. Identity Theft Resource Center and Javelin Strategy and Research reported in the New York Times that, while data breaches are up, the total cost of identity fraud across all industries is down in the U.S. from $32 billion in 2009 to $16 billion in The average out-of-pocket cost per identity fraud victim during this period has dropped from $388 to $115. What s Still Needed Continued Emphasis on Prevention and Detection Retailers should watch their insiders. A majority of cyberattacks are thought to be triggered by inadvertent or malicious insider activity. In Crowd Research Partners 2015 Insider Threat Spotlight Report, 62% of polled security professionals think insider attacks are on the rise because of cloud applications, insufficient A majority of cyberattacks are thought to be triggered by insider activity. data protection, and lack of training. Privileged users (IT administrators and staff), the report tells us, represent the biggest risk (said 59% of respondents), followed by contractors, consultants, and temporary workers, and then regular employees. Insider hacks are expensive because they take an average of seven months to detect. For attacks triggered by malicious insiders, focus on deterrence (access control, encryption and policies), detection (monitoring), and analysis and forensics, and on carefully managing permissions and rights that are granted to your technical staff, so they can only access those portions of your technical and data infrastructure that their roles require. Encryption (of data at rest, in transit and in storage) reduces the $165 cost per capita for retail data breaches by $12 (Ponemon). For attacks caused by human error and carelessness, retailers should work to improve security awareness, training and policies, so employees are more risk aware and become partners in prevention. Employee training is said to reduce the per capita cost of breaches to retailers by another $8 (Ponemon).

3 It s not safe online. As online sales grow at the expense of bricks and mortar, these transactions are being increasingly targeted by hackers. As mobile devices take market share from traditional desktop PCs for online transacting, security risks are increasing yet again so mobile security is paramount. A 2015 Gartner report says that over 75% of mobile apps will fail a basic security test. And Veracode welcomes retailers to social media with the warning at the average global enterprise has 2,400 unsafe apps installed in its mobile environment. So retailers have to do double duty to match the ease of use they build into mobile shopping with significant mobile security expenditures. Beware the myth of standards. They are important and legally helpful, but they need to be supplemented with relentless behavioral work training, awareness campaigns, effective policies, and an enterprise risk management approach to the daunting threat that cyberrisk continues to represent to retailers. So meeting the Payment Card Industry (PCI) standard, managing cybersecurity to the ISO/IEC 27001:2013/27002:2013 standards, and implementing ISO compliant business continuity plans certainly do help but are insufficient by themselves. Balancing Prevention with Response and Recovery Retailers should aspire to prevent hacks but plan as if data breaches are inevitable. To do that, retailers must move toward a better balance in their IT security spend between prevention and detection on the one hand, and response and recovery on the other. This means developing a team that focuses on recovery. Start with Board-level involvement; educate and engage Board members and involve them in decision-making recognizing that cybersecurity is not just a technical issue but a fundamental element of the governance, compliance and risk management framework of the enterprise. As such, cybersecurity should be controlled by a CISO (Chief Information Security Officer). The CISO probably should not report to the technical leadership (CIO, CTO)--as is the case in 94% of surveyed companies but to the Chief Risk Officer (CRO). This alignment transitions the CISO into more of an independent and credibly funded compliance role instead of a subordinate role in the IT shop, where the objectives of efficiency and up-time can understandably clash. When the Board becomes actively involved in cybersecurity risk management and the company installs a CISO, Ponemon tells us that breach cost per capita of $165 for retailers is reduced by over $10. It s also important to develop a strong business continuity management (BCM) governance framework, and implement a standards-based business continuity plan (BCP) and IT disaster recovery plan (DRP). Ponemon s 2015 study indicates that without these plans, the mean time to identify (MTTI) and the mean time to contain (MTTC) cyber-attacks increase appreciably, leading to greater costs from data loss and operational downtime. Having a good BCP and DRP contributes significantly to the incident response process and promotes an orderly and less costly recovery, reduces the likelihood of a material data breach, and reduces the per capital breach cost to retailers by over $7. As part of their BCM regime, retailers with a strong and well-prepared incident response team at the ready reduce the per capita cost another $12-$13. There has been some talk in insurance circles that if major breaches continue in the retail sector the industry could become uninsurable and would have to rely on captive self-insurance structures. Regardless, retailers should purchase stand-alone or cyber coverage as part of their E&O, commercial general liability, property or D&O policies. The RIMS Cyber Survey of 283 companies (including 15 retailers) in May 2015 tells us that only 51% of companies buy this stand-along cybersecurity coverage. These companies top three first party exposures are business interruption, reputational harm and data breach response and notification costs. To mitigate those kinds of damage have a business continuity plan, a good crisis communications partner, and a cyber-incident response plan in place.

4 New Threats (and Hopes) on the Horizon As if we needed further evidence of how costly major hacks can be, cumulative expenses accrued by Target in connection with its massive data breach in late 2013 topped $250 million through 2014, of which only $90 million has been reimbursed by insurers, while financial institutions claim more than $200 million in card replacement costs and related expenses associated with the breach. Several banks that had previously filed a class action lawsuit against Target recently agreed to a nearly $40 million settlement to resolve breach-related claims for cost reimbursement, following Target s $67 million settlement with Visa back in August. And the book isn t yet closed. Nilson s warning that retailers paid almost $3 billion of the fraudulent purchases made in 2014 is an alarming statistic. However, in a recent New York Times piece David Robertson, publisher of The Nilson Report, is quoted as suggesting that the five-year plan for the bad guys is not data breaches and stealing credit cards. It involves stealing all the information [they] can and opening legitimate accounts in people s names with this trove of pilfered personally identifiable information. Yet Robertson provides a positive and hopeful outlook when he comments, The bad guys are getting good and the good guys are getting even better.

5 Authors Bob Duffy Global Leader Corporate Finance Steve Coulombe Christa Hart Keith Jelinek Scott Corzine Managing Director Duane Lohn Managing Director Disclosure: The views expressed in this piece are those of the author(s) and are not necessarily the views of FTI Consulting, its management or its subsidiaries. About FTI Consulting FTI Consulting, Inc. is a global business advisory firm dedicated to helping organizations protect and enhance enterprise value in an increasingly complex legal, regulatory and economic environment. FTI Consulting professionals, who are located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges in areas such as investigations, litigation, mergers and acquisitions, regulatory issues, reputation management and restructuring FTI Consulting, Inc. All rights reserved.