Aon Risk Solutions | Global Sales & Marketing Support | Proprietary & Confidential
Cyber Risk for Retail Industry
Date: 31 Dec 2015
Table of contents
Cyber risk in retail industry (p. 3)
Data breach statistics (pp. 4-5)
Claims by business sectors (pp. 6-8)
Payment card skimming (p. 9)
Cost of major cyber data breaches (p. 10)
PCI compliance (pp. 11-12)
Cyber risk for M&A deals (p. 13)
Cyber risk and D&O (p. 14)
Cyber liability: purchase (p. 15)
Cyber liability: adequacy & effectiveness (p. 16)
Retail is one of the major industries exposed to cyber risk
According to the 'Breach Level Index' database, in 2015 there were 181 data breaches among retailers, accounting for 12% of total incidents, up slightly from 11% in 2014 and 8% in 2013.
These attacks resulted in more than 30 million data records being exposed. That amounted to 8% of all records involved in data breaches during the year, compared with 55% in 2014 and 29% in 2013.
Among the top breaches in the industry were Gaana.com & Times Internet with 10,000,000 records; Rakuten and LINE Corp with 7,850,000; VTech Holdings with 5,033,676; TalkTalk with 4,000,000; and Carphone Warehouse with 2,400,000.
In its 2015 Data Breach Investigations Report, Verizon reported that the two primary attack patterns affecting retailers in 2014 were point-of-sale intrusions and denial of service; together they accounted for 64% of retail attacks.
In a dramatic shift, by 2015 point-of-sale intrusions alone accounted for 70% of attacks affecting retailers, while denial-of-service attacks were virtually non-existent.
This change in a single year is no surprise: point-of-sale systems handle the payment card data that attackers want, and a compromised POS terminal yields card data that can be sold or used directly.
Top global data breaches reported by industry, 2015 (chart values as shown): Healthcare 34%, Government 22%, Technology 16%, Retail 8%, Education 5%, Others 15%
Number of Breach Incidents By Industry Trend, 2013 - 15
Industry 2013 2014 2015
Healthcare 340 445 332
Financial Services 164 212 235
Government 191 291 251
Retail 98 197 181
Education 31 173 139
Technology 108 137 81
Other Industry 262 276 278
Retailers in USA have witnessed massive data breaches in 2015
Major retail data breaches in the world during 2015
Date (2015) | Company/Organization affected | Country | Records breached | Source of breach | Type of breach
May-5 | Gaana.com, Times Internet | Pakistan | 10,000,000 | Malicious Outsider | Identity Theft
Apr-17 | Rakuten and LINE Corp | Japan | 7,850,000 | Malicious Outsider | Account Access
Nov-14 | VTech Holdings | China | 5,033,676 | Malicious Outsider | Account Access
Oct-22 | TalkTalk | United Kingdom | 4,000,000 | State Sponsored | Identity Theft
Aug-8 | Carphone Warehouse | United Kingdom | 2,400,000 | Malicious Outsider | Financial Access
Major retail data breaches in the USA during 2015
Date (2015) | Company/Organization affected | Country | Records breached | Source of breach | Type of breach
Jun-9 | Hanesbrands | USA | 900,000 | Malicious Outsider | Financial Access
Sep-1 | Apple / iPhone | USA | 225,000 | Malicious Outsider | Account Access
May-15 | Bettys & Taylors of Harrogate | USA | 122,000 | Malicious Outsider | Account Access
Aug-9 | U.S. retailer (unnamed) | USA | 100,000 | Malicious Outsider | Account Access
Aug-9 | AutoZone | USA | 50,000 | Malicious Outsider | Identity Theft
Major retail data breaches in Canada during 2015
Date (2015) | Company/Organization affected | Country | Records breached | Source of breach | Type of breach
Oct-7 | Walmart Canada / PNI Digital Media | Canada | 60,000 | Malicious Outsider | Financial Access
May-21 | Vancity Metro Vancouver | Canada | 1,200 | Malicious Outsider | Financial Access
Jan-7 | Superior Blue Link Party Store | Canada | 200 | Malicious Outsider | Financial Access
Jul-15 | CVSphoto | Canada | Unknown | Malicious Outsider | Financial Access
Jul-16 | Sports Traders | Canada | Unknown | Accidental Loss | Identity Theft
Retailers in UK & Australia have also witnessed massive data breaches in 2015
Major retail data breaches in the United Kingdom during 2015
Date (2015) | Company/Organization affected | Country | Records breached | Source of breach | Type of breach
Oct-22 | TalkTalk | United Kingdom | 4,000,000 | State Sponsored | Identity Theft
Aug-8 | Carphone Warehouse | United Kingdom | 2,400,000 | Malicious Outsider | Financial Access
Jun-7 | Morrison's | United Kingdom | 100,000 | Malicious Insider | Identity Theft
Nov-27 | Hungryhouse | United Kingdom | 10,000 | Malicious Outsider | Account Access
Oct-29 | Vodafone | United Kingdom | 1,827 | Malicious Outsider | Financial Access
Major retail data breaches in the Netherlands during 2015
Date (2015) | Company/Organization affected | Country | Records breached | Source of breach | Type of breach
Apr-17 | MAPP.NL | Netherlands | 157,000 | Malicious Outsider | Account Access
Aug-17 | Jumbo | Netherlands | 100 | Malicious Insider | Account Access
Jun-5 | Brabantia | Netherlands | Unknown | Malicious Outsider | Account Access
Major retail data breaches in Australia during 2015
Date (2015) | Company/Organization affected | Country | Records breached | Source of breach | Type of breach
Oct-30 | Aussie Farmers Direct | Australia | 5,149 | Malicious Outsider | Account Access
May-31 | Woolworths | Australia | 8,000 | Accidental Loss | Account Access
Feb-3 | SpinTel | Australia | 426 | Accidental Loss | Nuisance
Jun-17 | Sussan | Australia | Unknown | Malicious Outsider | Identity Theft
Oct-2 | David Jones | Australia | Unknown | Malicious Outsider | Account Access
Respondents from the retail industry reported the 3rd highest number of claims in 2015
NetDiligence conducts a study of cyber liability claims every year to ascertain the impact of cyber liability by industry, company size, etc.
In 2015, retail was the 3rd most affected sector with 21 claims, after healthcare with 34 claims and financial services with 27 claims.
The retail industry accounted for 13% of total claims in 2015.
In 2014, retail had the 4th highest number of claims among industries and accounted for 10% of the total.
NetDiligence study, percentage of claims by business sector, 2015: Healthcare 21%, Financial Services 17%, Retail 13%, Technology 9%, Professional Services 8%, Non-Profit 4%, Other Industries 28%
NetDiligence study, percentage of claims by business sector, 2014: Healthcare 23%, Financial Services 22%, Professional Services 10%, Retail 10%, Non-Profit 9%, Other Industries 26%
Retail sector accounted for the majority of records exposed in 2015
Of the 104 claims that reported the number of records exposed, the retail sector accounted for the vast majority of records exposed (71%), even though it was responsible for only 13% of the claims in the dataset. This was a massive jump from 2014, when retail accounted for only 1% of the records exposed.
In 2014 the entertainment sector accounted for the majority of records exposed (52%), although it was responsible for only 5% of the claims in the dataset. Technology came second with 39% of records exposed; retail accounted for a minuscule 1%.
NetDiligence study, records exposed by sector, 2015: Retail 71%, Healthcare 28%, all other sectors 1%
NetDiligence study, records exposed by sector, 2014: Entertainment 52%, Technology 39%, Retail 1%, all other sectors 8%
The retail industry reported the 2nd highest number of data breaches attributed to third-party vendors in 2015
According to the NetDiligence study, about 25% of respondents (sample size: 160) attributed claim events to third parties in 2015.
Financial services was the most affected sector, accounting for 30% of third-party claim incidents, and retail accounted for 18% in 2015.
In 2014, about 20% of respondents (sample size: 111) attributed claim events to third parties.
Financial services was the most affected sector (32% of third-party claim incidents) and retail accounted for 5% in 2014.
NetDiligence study, claims induced by third-party breaches, by business sector, 2015: Financial Services 30%, Retail 18%, Technology 18%, Healthcare 13%, Energy 10%, Other Industries 11%
NetDiligence study, claims induced by third-party breaches, by business sector, 2014 (values as shown): Financial Services 32%, Healthcare 18%, Professional Services 14%, Retail 5%, Other Industries 22%
Discovery of Payment Card Skimming usually ranges from few hours to few days
According to the Verizon 2015 Data Breach Investigations Report, in the majority of payment card skimmer cases in retail the skimmer was discovered within hours to days of being installed.
A smaller share (about 28%) of cases took weeks or months to discover.
The positive reading is that discovery times are improving: the majority of incidents are now discovered within a few days of the compromise.
[Chart: Verizon 2015 Data Breach Investigations Report, time to discovery within the Payment Card Skimmers pattern for the retail industry. Values as shown, left to right: 4.5%, 4.5%, 27.3%, 36.4%, 18.2%, 9.1%, 0.0%, 0.0%; the time-bucket labels are not recoverable from the page.]
Despite the many breaches suffered by retailers and the clearly tempting repository of data they hold for cybercriminals, wholesale and retail are not hit with the highest fines and penalties, according to Advisen data
Cost of major cyber data breaches
Year | Company | Breach cost | Description
2007 | TJX | $250 million | The parent company of well-known US retail brands such as TJ Maxx and Marshalls had 46 million credit card credentials stolen over an 18-month period by the hacker Albert Gonzalez. The breach resulted in damages of $250m.
2013 | Target Stores | $148 million | This US retailer discovered that its payment card readers were infected with malware that had been harvesting card details throughout the Thanksgiving and pre-Christmas shopping season. Some 110m customer records were compromised, forcing the CEO to resign and costing the company $148m, of which it was able to recover $38m from insurance.
2014 | Home Depot | $80 million | This US DIY retailer found its point-of-sale systems infected with malware that masqueraded as anti-virus software but was actually stealing card details. Some 56 million cards were compromised, costing the company an estimated $80m before insurance reimbursements. Sales growth nonetheless remained strong, suggesting that customers were not overly concerned.
2014 | eBay | $200 million | It took this online retailer six months to discover it had been hacked, with 230m customer credentials compromised. Its slow and misleading response was widely criticised, but eBay maintained that the damage was slight, that the stolen passwords were encrypted and that no financial data was compromised. Nevertheless, class action suits and regulatory fines will probably cost the company around $200m.
Security and PCI Compliance for Retail Industry
The twelve PCI DSS requirements are as follows:
Install and maintain a firewall configuration to protect cardholder data
Do not use vendor-supplied defaults for system passwords and other security parameters
Protect stored cardholder data
Encrypt transmission of cardholder data across open, public networks
Use and regularly update anti-virus software
Develop and maintain secure systems and applications
Restrict access to cardholder data by business need to know
Assign a unique ID to each person with computer access
Restrict physical access to cardholder data
Track and monitor all access to network resources and cardholder data
Regularly test security systems and processes
Maintain a policy that addresses information security
FFIEC retail payment transaction guidelines
Financial institutions are the core providers of most retail payment instruments and services
Implement appropriate physical controls
Implement logical security controls
The choice of authentication technologies and methods should be driven by risk assessments
Note: Federal Financial Institutions Examination Council (FFIEC); Payment Card Industry Data Security Standard (PCI DSS)
The PCI DSS requirements are expensive to implement, confusing to comply with and, in both their interpretation and their enforcement, partly subjective. It is often stated that there are only twelve requirements for PCI compliance; in fact there are over 220 sub-requirements, some of which place a heavy burden on a retailer and many of which are open to interpretation.
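Requirement 3 ("Protect stored cardholder data") is the cluster of sub-requirements that the POS intrusions listed earlier in this deck (Target, Home Depot) turn on: memory-scraping malware on a terminal harvests full magnetic-stripe track data and PANs, PCI DSS 3.2 forbids storing full track data after authorisation, and 3.3 limits any displayed PAN to at most the first six and last four digits. The Python script below is an added example, not code from Aon, the PCI SSC or any retailer named here. It finds Track 2 records and Luhn-valid PANs in text (a POS debug log, the `strings` output of a memory dump, a file share export) and masks them to first-six/last-four, which serves both as a log-hygiene check for Requirement 3 and as a crude detector for card data leaking where it should not be. The log excerpt and card numbers are constructed (the PANs are published test numbers), and the function and pattern names are this example's own.

```python
"""Find and mask payment-card data (bare PANs and magnetic-stripe Track 2 records)
in text such as POS logs or the strings of a memory dump.

Added example for this deck, not code from Aon or the PCI SSC. The sample log
below is constructed; the card numbers are public test numbers.
"""
import re

# A PAN is 13-19 digits, possibly separated by single spaces or dashes.
# The look-arounds stop a longer digit run (e.g. a 20-digit order id) matching.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Track 2: ';' start sentinel, PAN, '=' separator, YYMM expiry, 3-digit service
# code, discretionary data, '?' end sentinel. This is what POS RAM scrapers steal.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})([^?\n]*)\?")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask to first six / last four, the most PCI DSS 3.3 allows to be shown."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text: str):
    """Return (masked_text, findings). Each finding records the kind of hit and the
    masked PAN, so an analyst can follow up without the report itself holding
    cardholder data. Luhn is used to drop digit runs that are not card numbers."""
    findings = []

    def _track2(m):
        pan = m.group(1)
        if not luhn_ok(pan):
            return m.group(0)
        findings.append({"kind": "track2", "masked": mask_pan(pan)})
        # Keep the expiry only; service code and discretionary data are sensitive
        # authentication data (PCI DSS 3.2) and must not be retained anywhere.
        return f";{mask_pan(pan)}={m.group(2)}***?"

    def _pan(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)       # e.g. an order number that merely looks like a PAN
        findings.append({"kind": "pan", "masked": mask_pan(digits)})
        return mask_pan(digits)

    # Track 2 first: it embeds a PAN, and its masked form no longer matches PAN_RE.
    text = TRACK2_RE.sub(_track2, text)
    text = PAN_RE.sub(_pan, text)
    return text, findings


# Constructed POS log excerpt (not from any real system). Lines 1 and 4 carry
# digit runs that fail Luhn and must be left alone; lines 2 and 3 leak a PAN
# and a full Track 2 record respectively.
SAMPLE_LOG = """\
2015-11-27 10:02:13 pos01 sale ok order=1234567890123 amount=42.10
2015-11-27 10:02:14 pos01 DEBUG auth req pan=4111 1111 1111 1111 exp=12/25
2015-11-27 10:02:15 pos01 DEBUG swipe ;5500000000000004=2512101123450000?
2015-11-27 10:02:16 pos01 sale ok order=4111111111111112
"""

if __name__ == "__main__":
    masked, found = scrub(SAMPLE_LOG)
    print(masked)
    for f in found:
        print(f"card data found: {f['kind']} {f['masked']}")
```

Run against the constructed log, the script leaves the two order numbers untouched, rewrites the debug PAN to `411111******1111` and the swipe to `;550000******0004=2512***?`, and reports two findings. The Luhn filter is what keeps the false-positive rate workable on real logs; the Track 2 pattern is the same signature a RAM-scraper hunt over `strings` output of POS process memory would key on.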
Retailers that do not meet the compliance requirements and then suffer a data breach may be subject to heavy fines, from $100,000 to $500,000 or more
Penalties for PCI non-compliance
The payment card brands have established fines of up to $500,000 per incident for security breaches at merchants that are not PCI compliant; the fines are assessed on the acquiring bank, which passes them on to the merchant under its card-acceptance agreement.
In addition, all individuals whose information is believed to have been compromised must be notified in writing so that they can watch for fraudulent charges. The potential cost of a security breach therefore far exceeds $500,000 once the cost of customer notification and recovery is included.
Potential cost of a security breach
Fines of up to $500,000 per incident for being PCI non-compliant
Increased audit requirements
Potential suspension of card acceptance across the business by the merchant (acquiring) bank
Cost of printing and postage for customer notification mailings
Cost of staff time (payroll) during security recovery
Cost of lost business during register or store closures and processing time
Decreased sales due to a damaged public image and loss of customer confidence
Mergers & acquisitions require complex integration of IT systems, which may become susceptible to data breaches and cyber exposures
Global consumer mergers and acquisitions (M&A) had a combined transaction value of $202.5 billion in the first half (H1) of 2015, according to research from Mergermarket, a 42.8% increase over H1 2014.
Of the consumer subsectors involved, retail ($105 billion) and food ($80.2 billion) saw year-over-year increases in transaction value of 129.9% and 106.9% respectively. The retail deal value is the highest on record.
In 2014, researchers at the cyber security company FireEye discovered that cyber criminals had hacked more than 100 companies, investment advisers and law firms across industries in search of market-moving information about deals.
Cyber risk poses an increased threat in mergers and acquisitions across industries such as media, pharma, automotive, financial services and retail.
More than two-thirds of those targets were in the pharmaceutical industry; only a limited number of such incidents have been seen in the retail industry over the past few years.
In May 2015, Ascena Retail Group said it would buy Ann Taylor parent Ann Inc., making the owner of Lane Bryant one of the nation's largest apparel retailers, with an estimated $7.3 billion in sales and nearly 5,000 stores.
In February 2015, Macy's revealed plans to buy beauty chain Bluemercury for $210 million.
The retail landscape is poised for a spate of mergers and acquisitions, according to EY's 12th Global Capital Confidence Barometer, a biannual survey of more than 1,600 executives in 54 countries, including the U.S.
More than half (53%) of retail and consumer products (CPR) companies globally expect to pursue acquisitions in the next 12 months, up from 39% in October 2014, according to EY, which bills itself as a global leader in assurance, tax, transaction and advisory services.
The growing volume of M&A in retail therefore widens retailers' cyber exposure: deal talks are themselves a target for attackers seeking non-public information, and the post-deal integration of the two companies' IT systems expands the attack surface.
Data breaches have led to lawsuits against board of directors.
It is worth asking whether cyber exposures or data breaches can lead to lawsuits against directors and officers. According to 'The D&O Diary', the boards of directors of Target Corp. and Wyndham Worldwide were sued soon after those companies suffered high-profile data breaches.
D&O policies are seeing changes in scope and coverage as the possibility of data breaches leading to lawsuits against directors and management opens up.
It is unclear whether cyber/data liability and security claims are covered under traditional lines of insurance such as property and general liability. A few court rulings do, however, shed some light on situations in which cyber liabilities were covered under traditional lines. Although the companies involved in these lawsuits belong to industries other than retail, the treatment of liability is instructive.
In 'Retail Systems, Inc. v. CNA Insurance Co.' the Court of Appeals of Minnesota compared a data storage tape to a motion picture and held that the data on a lost computer tape was of permanent value and was fully integrated with the physical property of the tape, so its loss was covered as damage to tangible property.
Commercial General Liability (CGL) policies generally offer broad liability coverage under two insuring agreements: 'Coverage A' (bodily injury and property damage) and 'Coverage B' (personal and advertising injury). In 'Eyeblaster, Inc. v. Federal Insurance Co.' the U.S. Court of Appeals for the Eighth Circuit held that a cyber liability claim (a user alleging that the insured's software had damaged his computer) was covered under Coverage A as loss of use of tangible property, notwithstanding that 'any software, data or other information that is in electronic form' was expressly excluded from 'tangible property'.
Around half of retail industry respondents have bought cyber coverage
In Aon's 2015 survey, about 50% of respondents from the retail trade industry reported that they had bought cyber coverage.
According to Aon's Global Risk Management Survey 2015 report, 50% of respondents from the retail industry had already purchased cyber insurance.
However, 24% of respondents had neither purchased cyber insurance nor had plans to purchase it. A significant portion of respondents (26%) planned to buy cyber insurance.
[Chart: Aon Global Risk Management Survey 2015, purchase of cyber insurance coverage by industry. Three series across eight industries, values as shown (industry labels other than retail are not recoverable from the page): insurance currently purchased 57%, 50%, 49%, 42%, 39%, 35%, 35%, 32%; not purchased & no plans to purchase 42%, 24%, 36%, 37%, 46%, 49%, 55%, 43%; plan to purchase 2%, 26%, 15%, 21%, 14%, 15%, 10%, 26%. The retail column is 50% / 24% / 26%.]
[Chart: Aon Global Risk Management Survey 2015, organizations most likely to buy cyber coverage, by industry, values as shown: 57%, 50%, 49%, 42%, 39%, 35%, 35%, 32%; retail 50%.]
Majority of the respondents from the ‘Retail’ industry felt existing cyber policy offered effective & adequate coverage
[Chart: Aon Global Risk Management Survey 2015, effectiveness of current cyber insurance by industry, values as shown (industry labels other than retail are not recoverable from the page): 83%, 85%, 89%, 100%, 73%, 76%, 57%, 87%; retail 85%.]
[Chart: Aon Global Risk Management Survey 2015, adequacy of current cyber insurance by industry, values as shown: 63%, 48%, 95%, 71%, 64%, 76%, 57%, 67%; retail 48%.]
According to Aon's Global Risk Management Survey 2015 report, about 85% of respondents from the retail industry were satisfied with the effectiveness of their existing cyber liability cover.
About 48% of respondents from the retail trade industry felt that their current cyber coverage was not adequate to cover their cyber liability.
Sources used for the study:
Breach Level Index database
NetDiligence Cyber Claims Study, 2014 & 2015
PR Newswire
Internet Retailer
Reuters
Aon Global Risk Management Survey 2015