The retail sector has work to do to better understand its exposure to cyber risk

A recent cyber attack on IT supplier Swan Retail was reported to have hit the ability of 300^[1] independent retailers to trade normally in August. The incident confirms that the retail sector continues to be an attractive target for cyber criminals, whether directly via methods such as ransomware and phishing, or indirectly through attacks on their supply chain. But how well prepared are retailers to counter the threat?

According to Aon’s 2023 Cyber Resilience Report, retail scores a possible 2.6 out of 4 when it comes to its measured cyber maturity which edges it into the category of ‘managed’ from 2022’s category of ‘basic’. However, retail scored lower in its cyber maturity than several other industries including professional services (2.9), healthcare (2.7) and real estate (2.7). To lift that score, there is a need for retailers to promote the importance of a comprehensive cyber risk assessment and quantification exercise, and understand how best to use the results from that exercise, to inform an effective cyber risk management strategy.

Data theft and operational damage

Retailers will, of course, view the cyber exposure differently depending on their own sub sector. For a luxury brand it might all be about the reputational damage from the loss of their customer data, while for a small grocery firm, the potential loss of their electronic point of sale system could be devastating if they have no operational fallback in place. Regardless of the variation in threat, cyber continues to be a high priority risk for retail brands and particularly given the advancement of digitalisation, ecommerce, and the greater storage of sensitive customer data.

Cyber hackers have for many years shown they are keen to get hold of and monetise customer and transactional data, while a switch to more automated processes in fulfilment to drive efficiencies has created greater risk for operational systems. The rise of ransom and extortion demands that span across reputational issues and business interruption leads to multiple different ways a retail business could suffer.

Supply chain cyber attacks have also become more prominent in retail. Aon’s Cyber Risk and Resilience Report found, “One of the greatest challenges with managing cyber attacks across today’s supply chain is understanding the extended enterprise’s threat profile and base controls.” For retail, when it comes to managing its maturity for third party management, it scored only 2.2 in Aon’s report, which ranks it as ‘basic’. Given retailers’ margins are under pressure more than ever, it remains vital that resource and due diligence are retained to protect the business and balance sheet.

Conduct a cyber quantification assessment

In this uncertain environment, the importance of fully assessing and understanding the cyber risk a retailer faces has become ever more critical both in terms of the controls they have in place, but also in providing an understanding of what an event could cost. Many retail brands, however, don’t have a full understanding of their risk / vulnerabilities and can be too reliant on their IT providers. This is where a Cyber Impact Analysis helps to quantify the exposure by identifying critical IT assets and the potential cyber risk events that could impact the business, as well as revealing the most likely threat actors and attack vectors, and what the commercial impact of each cyber risk scenario would be.

Every retailer’s board needs to be aware of the potential cyber risk to the business to ensure if they are attacked, they are able to evidence the decision-making process and prevent potential action from shareholders; a Cyber Impact Analysis shows a retailer has been through exposure analysis and demonstrates an understanding of the risk. Of course, it also allows a business to make informed decisions around cyber insurance and risk mitigation.

Based on the findings from a Cyber Impact Analysis, a retailer might decide they are happy to have a larger deductible – the amount they are prepared to pay for any incident – but need cyber insurance for that catastrophic loss. Alternatively, the business might decide it needs the help and incident support available from a cyber insurance policy for every claim that happens. A Cyber Impact Analysis helps the business make that decision as well as how much overall cover to buy, but it also helps provide insurers with comfort that a business is taking its cyber risk seriously.

Insurers need to have confidence in the risk

Insurers need to have confidence that a retailer’s leadership team has appropriate governance and controls in place around its cyber security to help prevent an incident happening and to reduce the impact in the event of a breach. As part of the renewal process, significant value and impact can be gained from the senior management team, CISO and IT team of a business articulate to insurers what they are doing in terms of proactively managing the risk – a strategy that plays a central part in driving a better result from the insurance placement in terms of both coverage and price.

Manage the loop

With exposure to cyber risks continuing to be a threat to the retail sector, now is a good time for every retailer to refresh its cyber risk management approach across assessment and quantification of the risk, mitigation and controls, as well as risk transfer through insurance. It’s an opportunity to realign how a business is spending its investment in cyber and optimising how it performs throughout the Cyber Loop risk cycle of assess, mitigate, transfer and recovery in the event of an incident.

Action

As we head into the peak period for many businesses, the evolving cyber exposure and threat level needs to be clearly identified with appropriate mitigation, response protocols’ and risk transfer strategy in place.  Does your senior management team have the data to make informed decisions?

^{[1] Retail Week}

Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.

This article has been compiled using information available to us up to 14/11/23. Aon UK Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.