This article is provided by BRC Associate Member Aon.


Empowering Retail Leaders in the Digital Era

Aon and Mastercard cyber experts came together in a recent Cyber Resilience Forum held by the British Retail Consortium to explore how retailers can build an effective cyber resilience approach. Areas covered included: the importance of quantifying the risk; the need to have the right controls in place; why incident response planning is key; and, how to address potential third-party cyber vulnerabilities.

The latest British Retail Consortium Crime Survey revealed that 57% of retailers reported an increase in cyber attacks over the previous years, with nearly a third (30%) of retailers seeing cyber as one of the top three threats to their business. Similarly, Aon’s 2023-2024 Global Risk Management Survey put cyber attacks/data breaches at the top of retailers’ top ten business risks. But while it might be the number one risk, it is instructive to consider how cyber can also drive other risks on that top ten, including supply chain or distribution failure, damage to reputation or brand, business interruption, and tech or system failure.

What’s driving this concern in retail?

One area is the increasing use and collection of customer data. “There's more data at risk, whether that's personal data or otherwise,” said Aon’s Alex Hornsby – Director, Cyber Risk Advisory, Cyber Solutions UK. “And that's something we've absolutely seen as loyalty programs become front and centre for a number of retailers.”

Other areas driving cyber risk include the digitalisation of the supply chain (more automated systems not just within factories, but also within warehouses and distribution centres, which creates opportunity for retailers but also risk), as well as the increased use of digital store technology and AI.

Future trends, such as geopolitical instability leading to hacktivist attacks and the use of AI by attackers looking to improve the effectiveness of their phishing campaigns, will also make the cyber risk landscape increasingly hazardous for retailers.

Quantify the Risk

Given this threat, how should retailers approach the management of cyber risk? One critical step is understanding the potential impact of cyber risk and moving from a qualitative approach to a quantitative assessment of the financial cost of an attack. That means asking questions like:

  • What's the business interruption cost?
  • What's the revenue loss?
  • What third parties have been impacted and how?
  • What regulatory fines or penalties are being imposed?
  • What resources are being deployed to remediate the situation?

“The importance of going through this kind of risk-based approach is that you're able to be more strategic than just putting a finger in the air. It's more of a logical, systematic method to understanding cyber risk,” said Hornsby.

With a better understanding of the risk, a retailer can then consider whether it has the right controls in place to facilitate an effective risk transfer through insurance.

Focusing on the cyber insurance market, Aon’s Laura Graham – Associate Director, Cyber & Tech E&O, Global Broking Centre, reported a market that saw a huge spike in ransomware events from 2019-2020 with a corresponding increase in insurance claims and insurance premiums.

Incident rates reduced again throughout 2022, and while premiums fell to reflect that drop in early 2023, they have not yet reversed in the light of an “uptick in events” in late 2023 and 2024. “We are seeing insureds being able to achieve, in some cases, quite significant premium reductions, but also, I think, more importantly, expansion in coverage,” said Graham.

Implementing the Right Controls

Insurers continue to refine their view of which risks are better than others through a robust submissions process and a sharpened focus on the controls they want to see in place. With the insurance submission process starting three to six months before cover begins, insurers want detail on three areas in particular: a business and security team overview (covering areas like revenues, policies and budget); internal security controls; and business continuity arrangements.

For business continuity, Graham said: “If something does go wrong, underwriters are really interested in how the business can recover. Do you have backups in place? Do you have a plan B? Are the backups offline and can't be impacted by a potential cyber event?”

On controls, there are typically a dozen or so which insurers are most interested in, ranging from endpoint detection and response (EDR), to email filtering and security, cyber awareness training, and vulnerability scanning and patch management.

The Best Response is in the Planning

Moving on to incident response and business continuity planning, preparedness and planning are key to an organisation’s resilience against the cyber threat, said Zainab Ali Majid – Senior Consultant, Digital Forensics and Incident Response, Cyber Solutions UK at Aon. “When I jump on to incident response cases and join calls, it becomes abundantly clear incredibly quickly as to which clients have proactively planned for an incident and which clients haven't. I think all breaches are undoubtedly incredibly stressful situations, but when sufficient planning has taken place, the level of stress can decrease quite significantly.”

That means, for example, understanding how to plan for different scenarios, such as all services being down, no employees being able to access their endpoints, or the need for a mass password reset.

“Resilience is a state of preparedness and capability that is achieved through a strong orchestration of incident response, IT disaster recovery, crisis and claims management and business continuity programmes,” said Majid.

Addressing Third-Party Vulnerabilities

Focusing on third-party risk management, the huge growth of technology and collection of data by retailers provides far more scope for infiltration by criminals who have “recognised that the supply chain is often the weakest link”, said Mastercard’s Steve Brown – VP of Cyber Security and Resilience.

Recent high-profile incidents against service providers, such as the MOVEit ransomware attack, have shown how third-party disruptions have become more common and more of a challenge for retailers.

“With this increase in vendor susceptibility…we need to be able to put into practice the processes and new technologies that allow us to be able to assess and identify vulnerabilities, not only in our own organisations but those of our suppliers,” said Brown.

To help address this risk, the use of third-party risk management tools, supplemented by AI and machine learning capability, can drive automation and enable more risk-based decision-making.

“At MasterCard, for example, we have over 10,000 suppliers. I can't send out questionnaires to each and every one of them and then rely on those answers being truthful, honourable and timely. So, automation is not just about setting a certain process in place; it's about how we inform that process and ensure that automation provides us with a continuous and objective assessment of the cybersecurity hygiene of our supply chain,” said Brown, who added that it’s not just about assessing the risk with third parties either, but as much about the fourth- and fifth-party suppliers too.

People First

Finishing the webinar with a Q&A, the speakers were asked what characteristics mark out the businesses with a good cyber security posture. Ownership of cyber risk at board level was seen as critical, particularly given the impact that has on the cyber security culture of the business. The combination of people, process and technology is vital, but it’s about people “first and foremost”.

Watch the full Cyber Resilience Forum.

While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

This article has been compiled using information available to us up to 2024. Aon UK Limited is authorised and regulated by the Financial Conduct Authority. Registered in England and Wales. Registered number: 00210725. Registered Office: The Aon Centre, The Leadenhall Building, 122 Leadenhall Street, London EC3V 4AN. Tel: 020 7623 5500.