Article | FINEX Observer

Retail cyber attacks: How to better protect your business and boost cyber resilience

By Jason D. Krauss and Matt Danielak | June 24, 2025

Cyber attacks against U.S. retailers have put the industry on high alert.

A string of recent cyber attacks and data breaches against U.S. retailers has caused business interruptions and impacted customers. A few of those recent incidents include the following:

  • One of the largest U.S. publicly traded health food wholesalers and the primary distributor for Whole Foods and other grocery chains announced in a June 9 regulatory filing that it became aware of an incident in its information technology systems on June 5, which caused “temporary disruptions to their business operations.” The breach of its systems disrupted its ability to fulfill orders, leaving many stores without certain items.
  • A U.S.-based lingerie, beauty and clothing retailer was forced to bring down its website and some in-store services as a safety precaution after experiencing a prolonged security incident, which began on May 24. According to the company’s CFO, the breach is expected to siphon about $10 million from its Q2 operating income, excluding any insurance payment. The company has been relatively silent about the incident; the threat actor’s identity, whether ransomware was deployed and whether the company has received any extortion demands remain unreported. No big ransomware gang has claimed responsibility for the breach, but it seems possible that the prolific ransomware group Scattered Spider, which has been linked to cyber attacks targeting U.K. retailers, could be involved.
  • An athletic shoe and apparel brand acknowledged in a May 23 notice that a third-party vendor suffered a breach, resulting in unauthorized access to consumer data. The company posted this information on both its German and English websites. However, no specific region or number of affected individuals has been confirmed. The company’s statement did clarify that no payment information, such as credit card details, nor passwords were included in the breach. Data obtained reportedly includes names, phone numbers, email addresses and dates of birth. While this might seem limited compared to financial data, this type of information can be exploited for phishing scams and identity theft.

To help protect your retail business, in this Q&A, our cyber risk and retail industry specialists answer your most urgent questions following the recent cyber attacks targeted at businesses in the retail sector.

Q: Can my business avoid being hit by cyber attacks?

A: While avoiding cyber attacks altogether may be unrealistic, the National Cyber Security Center (NCSC) has issued some useful guidance on best practice precautions. In summary, the NCSC recommends businesses should:

  • Deploy multi-factor authentication (MFA) across your organization, which reduces the risk of unauthorized access by adding an extra layer of verification that makes it harder for attackers to compromise accounts
  • Enhance monitoring against unauthorized account misuse
  • Pay special attention to employees with higher-privilege access to your IT infrastructure, including domain admin, enterprise admin and cloud admin accounts, and check that their access is legitimate
  • Review helpdesk password reset processes — IT help desks are increasingly targeted in search of credentials to penetrate organization networks, so, in addition to regular training, having robust policies and processes for verifying employees’ identities is essential
  • Identify logins from unusual sources
  • Monitor threat intelligence in real time and respond rapidly to alerts

Any suspicious activity can signal unauthorized network access. You need to be vigilant over possible social engineering attacks, which impersonate help desk interactions to infiltrate your organization’s IT systems.

You should also regularly revoke active sessions (meaning users have to authenticate themselves regularly for continued access to IT systems) and identify when individuals have created suspicious accounts.
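
One way to combine three of the precautions above (watching higher-privilege accounts, reviewing helpdesk password resets and identifying logins from unusual sources) into a single check. This is an added example, not part of the original article or of the NCSC guidance; the event format, account names and 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from a real system): (timestamp, kind, account, source).
EVENTS = [
    ("2025-06-01T08:00:00", "login", "cloud-admin", "10.0.0.5"),
    ("2025-06-01T08:05:00", "login", "jsmith", "10.0.1.20"),
    ("2025-06-02T08:01:00", "login", "cloud-admin", "10.0.0.5"),
    ("2025-06-02T13:30:00", "helpdesk_reset", "cloud-admin", "helpdesk-console"),
    ("2025-06-02T13:42:00", "login", "cloud-admin", "203.0.113.77"),
    ("2025-06-03T09:00:00", "login", "jsmith", "10.0.1.21"),
]
# Hypothetical list of higher-privilege accounts that deserve extra scrutiny.
PRIVILEGED = {"domain-admin", "enterprise-admin", "cloud-admin"}
RESET_WINDOW = timedelta(hours=24)  # assumed look-back after a helpdesk reset


def find_suspicious_logins(events, privileged, window=RESET_WINDOW):
    """Flag logins from a source never seen before for that account.

    Each alert lists its reasons so an analyst can prioritise: a new source
    on a privileged account shortly after a helpdesk password reset matches
    the help desk impersonation pattern and should be reviewed first.
    """
    known_sources = {}  # account -> sources accepted as baseline
    last_reset = {}     # account -> time of most recent helpdesk reset
    alerts = []
    for ts, kind, account, source in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "helpdesk_reset":
            last_reset[account] = when
            continue
        if kind != "login":
            continue
        known = known_sources.setdefault(account, set())
        if not known or source in known:
            known.add(source)  # first sighting builds the baseline
            continue
        reasons = ["new_source"]
        if account in privileged:
            reasons.append("privileged_account")
        reset = last_reset.get(account)
        if reset is not None and when - reset <= window:
            reasons.append("after_helpdesk_reset")
        # The flagged source is not added to the baseline until reviewed.
        alerts.append((ts, account, source, reasons))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(EVENTS, PRIVILEGED):
        print(alert)
```

An account whose first observed login comes after a reset has no baseline to compare against, so in practice the baseline should be seeded from historical logs before relying on this check.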

Further, the athletic wear brand incident illustrates the additional risks retailers face from third-party relationships. Despite having strong internal security measures, retailers can still be vulnerable if their partners are compromised.

Q: If a cyberattack hits your business, how can you restore operations quickly?

A: Developing and regularly testing a robust incident response plan can help minimize the impact of any cyber incident and restore your operations quickly.

Your incident response plan should set out how you define a ‘cyber incident,’ as well as the procedures for identifying and reporting them. Your plan should also include processes for containing incidents to prevent further damage and outline steps to restore systems. It should also establish how you plan to learn lessons from any cyber incident.

While no simulation can fully replicate the pressure associated with a real crisis, cyber incident workshops can prove vital in testing your incident response plans. In particular, testing and simulations can help key decision-makers identify any issues with cybersecurity or gaps in planning, which they can then address to help the business recover rapidly after any incident.

Q: Are you insured against the types of losses emerging from the cyber attacks recently impacting retailers?

A: The answer here will depend on the specifics of your coverage and the circumstances of any attack. However, based on publicly available material, the spate of cyberattacks against retailers would ordinarily fall within the scope of a typical cyber policy (although other non-cyber policies might also contain some form of coverage for the impacts following a cyber attack).

If you’re not clear on the scope of cover and whether it’s fit for the intended purposes, now is the time to stress-test it. Are there any gaps and what measures can you take to plug them?

Q: Is the amount of insurance you’ve purchased adequate?

A: Even if you evaluate your type of cover as fit-for-purpose, you should also assess the adequacy of your limits against all the potential financial implications of cyber attacks, for example, business interruption, ransom payments and notification costs.

Underinsurance not only presents a balance sheet problem, but may also leave your directors exposed to shareholder actions. Boards can face allegations of failure to ensure robust IT systems or inadequate handling of cyber risk, which can include failure to maintain adequate cyber insurance.

Q: Do you understand the cyber risks most likely to impact your business and the financial damages you could face?

A: Identifying and quantifying your specific cyber risks is the first step to finding the most efficient way to mitigate them. Cyber risk quantification analytics that use industry and organization-specific scenarios can give you a detailed picture of the financial consequences of cyber incidents. With this insight, you can plot a course to the most effective and efficient combinations of risk controls, transfer and insurance limits.

The cyber insurance market is more competitive than it has been in recent years, meaning now’s a good time to investigate your options. To understand and insure your cyber risks more effectively, or to strengthen your incident response planning, get in touch with our cyber risk and retail industry specialists.

Disclaimer

WTW hopes you found the general information provided here informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, WTW offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Authors


Cyber/ E&O Thought & Product Coverage Leader, FINEX North America

FINEX NA Cyber/E&O Head of Broking