Protecting Against the Enemies You Cannot See

Security breaches are prevalent for retail and consumer product (RCP) companies, and they often go undetected and wreak havoc for extended periods of time. These breaches cause not only irreparable reputational damage but also to have significant monetary considerations in the form of class-action lawsuits. Companies should also bear in mind that hackers are not the only source of network risk, employee mishaps, disgruntled current and terminated employees, and loose internal security controls are also to blame. While there is no way for a company to avoid cybersecurity risk, many RCP companies are leveraging insurance to transfer associated risks and limit cyber liability.

Overconfident, Underprepared

Most RCP companies significantly overestimate their ability to detect a data breach. According to a 2014 Dimensional Research Survey, which surveyed 154 retailers on data breach preparedness, 42% of surveyed companies believed they could detect a data breach within 48 hours, another 18% believed they could do so in 72 hours, and 11% believed they would know in one week. The reality is that these breaches go undetected and uncontained for far longer than a week. In fact, The Mandiant 2014 Threat Report indicated that the average time for a company to detect a breach in 2013 was 229 days. Even more alarming is that a Symantec/National Cyber Security Alliance survey found that two-thirds of small and medium-sized businesses are forced out of business within six months of being attacked.

Retailers in the down economy have been focused largely on cost containment and expanding online presence and have not invested heavily in security technology, particularly around protecting customer data. According to technology advisory firm IDC Retail Insights, retail spending on overall technology was expected to increase 4% annually between 2012 and 2017, with only an estimated 2% allocated to security. In fact, of the $36.34 billion dollars those retailers anticipate spending on technology in 2014, only $720.3 million will be spent on security.


  • Assess your lifestyle

After you have taken a closer look at where you stand, you need to understand how you’ve come to the point.

Dive into your spending habits to understand your financial position better. Are you spending more than you should? Your first step should be to create a plan that ensures you are not spending more than your income. Otherwise, it is easy to rack up debt quickly.

If you find that you are spending more than you should, then look for ways to cut back without sacrificing your quality of life. Unfortunately, you may need to make some adjustments to your spending.

However, you should look at this as a new challenge to be creatively frugal instead of cutting all of the fun out of your life. You need to understand where your money is going in order to start saving money successfully.

  • Retailers Are Painfully Vulnerable

RCP companies are exceptionally susceptible to cyber-attacks across multiple channels, each with unique inherent risks. In the case of the Target breach, hackers gained access to the network using credentials obtained from an HVAC vendor—leading to the personal information theft of more than 100 million people.

With attacks against RCP companies on the rise, consumers are holding companies accountable for the breaches. According to a Brunswick Group survey, which polled 750 respondents in light of the Target breach, 61% of consumers hold the retailers responsible, and 34% of respondents said they no longer shop at a specific retailer due to past data breach issues. The average cost of data theft in 2012 was $188 per customer account, according to Ponemon Institute, a Michigan-based research center focusing on privacy and security. In the case of TJX Cos, the owner of TJ Maxx and Marshalls, 46 million customer records were stolen in 2012 with an estimated $180 million in damages.

The Retail Industry Leaders Association (RILA) believes it is time for retailers, banks, and credit networks to work together to develop security measures. According to William Hughes, Senior Vice President of Government Affairs for RILA, “While retailers understand and manage their internal systems and security, they have little or no influence over the actions taken by other players in the payments universe, actions with enormous implications on fraud.” With the increasingly interconnected supply chain, hackers have made an easy prey to weak links created by loose integration with business partners—particularly with respect to payment systems, including banks and card networks.

RCP Companies continue to realize that mitigating cyber risk is only part of the solution; transferring the risk through the use of insurance is the missing piece.

  • Not All Policies Are Built the Same 

RCP companies have taken notice of the necessity for cyber insurance, with the number of policies bought jumping significantly from the prior year. Many insurers require the RCP company to demonstrate baseline security measures and good-faith adherence to regulations prior to underwriting. All RCP companies take credit cards, and whether or not the card numbers are taken online or at a physical retail location,
they are already required to be Payment Card Industry (PCI) compliant (security standards for payment merchants). Many companies and organizations are also required by government and industry regulations to complete security self-assessment questionnaires and third-party intrusion tests and undergo onsite IT audits.

Companies should be cognizant that cyber policies often include coverage gaps in key areas, leaving the organization unduly exposed, according to UIC Insurance Consulting. The key to a good policy is sufficient coverage at an appropriate cost. Cyber liability insurance is relatively new to the market and continues to evolve at a rapid pace. UIC has developed extensive in-depth security assessment tools in this area. Noted below are a few examples of key cyber coverage points often missed in general business liability policies:

  • Fines and penalties: Policies typically cover governmental fines and penalties, but they are often subject to sub-limits.

  • Stolen credit card information: This exclusion is for PCI fines and penalties. Typically, when credit card information is stolen, MasterCard/Visa/AMEX charges a re-issuance fee which is not covered unless the policy is expressly endorsed. The insurer will inherently try to submit damages; it is imperative to understand this exposure and negotiate the best coverage terms.

  • Coverage should be broad enough to account for violations of all governmental privacy laws such as HIPAA, FACTA, and the HITECH Act.

  • Gaps in computer system coverage: Many policies do not explicitly cover laptops, smartphones, memory sticks, etc., and the loss caused by the theft of these items. This type of incident is considered a loss leader in cyber insurance.

An Example

UIC Inc. evaluated a retailer of soft goods to determine whether their current cybersecurity insurance policy sufficiently covered their exposure and PCI compliance. We leveraged its cybersecurity checklist to identify program deficiencies and prioritized them by risk. In addition, we evaluated the company’s risk management program to ascertain that a solid infrastructure, including disaster recovery and data backup, was in place. Once we completed an analysis of the retailer’s environment, we were able to redesign the insurance specification to close the gap without increasing costs through an extensive bidding process. At a later date, the client’s infrastructure was compromised through a malware (malicious software intended to disrupt operations) intrusion, with the attacker obtaining a significant number of client records. Due to UIC’s suggested policy changes, however, the client had appropriate coverage and ultimately saved more than $1 million in damages.


What Does UIC Inc. Think?

Cybersecurity attacks on RCP companies are inevitable; it’s how these risks are mitigated and transferred that determines the extent of the damage—financial and otherwise. Don’t wait for a breach to occur; preparation and a solid framework can make all the difference with challenges regarding compliance, insurance, and legal defense matters. Most large retailers continue to strengthen cybersecurity capabilities and security frameworks. UIC Inc. believes that mitigating risk is only part of the solution; transferring risk through comprehensive cyber insurance can significantly reduce company risk.




UIC, Inc. is not affiliated with any brokers nor holds any agreements with insurers. This affords them the objectivity to provide advice for the sole benefit of their clients. Their depth of knowledge and innovative solutions provide their wide variety of clients with comprehensive, cost-effective, yet flexible risk management programs for their specific needs. UIC, Inc.’s annual insurance consulting retainers, their only source of income, consistently help clients achieve insurance premium savings averaging 25-40%, offering a significant ROI while at the same time providing appropriate insurance coverage for each company’s specific needs and risk profile.