United Kingdom

Commoditisation of cyber threat hits retailers

Insurers wary of retailers’ cyber vulnerabilities poises to make insurance placement more demanding

According to Aon’s 2021 Cyber Security Risk Report, a significant number of retail organisations rate as ‘basic’ for their cyber security maturity finding that, “Organisational cyber security risk management practices and technologies are not always formalised. Risk is managed in an ad hoc and sometimes reactive manner. Risk management practices and technologies are not established.” The report also concludes that less than a quarter (24%) of retail organisations have adopted adequate business continuity and disaster recovery measures for the increasing threat of ransomware attacks.

It helps explain the caution cyber insurers are displaying towards the retail sector as they see the costs of claims rise and move to adopt tougher underwriting strategies to restrict their losses. But why is retail lagging in its cyber maturity in comparison to other sectors? And, what can organisations do to help prevent financially and reputationally damaging losses, while ensuring that they can continue to access the insurance market for affordable cyber cover?

Commoditisation of cybercrime

A problem for all industries – not just retail – is the increasing commoditisation of cybercrime, a trend driven by the growth of ransomware. Organised criminal organisations have moved in and created ‘Ransomware as a Service’ type operating models that allow more gangs and individuals access to the tools and methodology necessary to execute a successful cyber hack. Once a business has been hooked, there’s now a ‘professional’ journey that hackers take their victim on including chatrooms and even in some cases, hackers not agreeing to a ransom discount without first talking to their manager.

In turn, the costs of experiencing an attack have spiralled not only from the immediate costs of dealing with the attack itself in order to get systems back up and running, but also in ransom payments and the price of business interruption for every day that normal services are disrupted. Aon’s Cyber Insurance Snapshot reveals that in 2020, of those companies hit by ransomware, many “organisations experienced eight-figure ransomware event-related losses”. Those losses in 2021 have continued to climb in both their frequency and their severity.

Retail landscape

While every industry must defend itself against these new cyber tactics, retail is particularly susceptible for several reasons. The cut-throat competitive nature of the industry means retailers tend to run lean operations, which includes their IT teams. And, at the moment, many of those stretched teams are under pressure to accelerate multi-year digital transformation plans into much shorter timeframes to get ecommerce platforms up and running, particularly given the vulnerability of bricks and mortar to future lockdowns. In turn, that impacts on their ability, for example, to install patches to address known vulnerabilities in systems, or roll out software changes to the live environment without the necessary testing. This rapid digital evolution has left over a third (36%) of retailers reporting that they are extremely vulnerable to network overload and Denial of Service (DoS) attacks.

The complexity of the retail chain from source to customer also adds huge challenges and the potential for disruption that a hacker can cause whether in the distribution centre, a website using third parties to process financial transactions, or the courier fulfilment system. All this leads to multiple points of possible entry for a hacker to exploit; more than half (58%) of retailers have inadequate third-party security measures in place.

In addition, a savvy hacker can exploit retail’s seasonal peaks and troughs to exert more pressure on retailers. A ‘good’ time to unleash a hack for a criminal, for example, might be just before Black Friday because the sales that a retailer loses at that point can’t be clawed back; customers will go elsewhere and the lost sales will simply be soaked up by competitors.

The change from being a store-based retailer to an ecommerce-based retailer also means that any disruption can hit much quicker. If a retailer still has physical stores, even if the distribution centre is put out of action, it has stock in the shops it can use to meet customer demand (provided it can of course still process payments). But a pure ecommerce retailer who has a similar interruption has no buffer to fall back on, resulting in both short-term damage to their bottom line and longer-term damage to their brand and reputation.

Insurers take proactive approach to risk management

In response, insurers who are looking to improve their loss ratios are reacting proactively by looking for vulnerabilities in their insureds’ IT systems – not just at renewal but by scanning during the policy period and searching for known issues like open ports or unpatched software vulnerabilities that can be exploited by hackers. It’s part of a much tougher underwriting approach for retailers when it comes to cyber which also includes a demand for much more information such as the use of ransomware specific questionnaires as they look to understand the risk controls that an organisation has in place.

Work with your broker and insurer

While these demands are another competing factor for scarce resource at a time when retailers are desperate to focus on their customers and bring their post-Covid recovery strategies into play – in areas such as M&A activity, investment in fulfilment, and the development of how their brick and mortar and digital platforms interact – retailers will have to respond if they are to continue to access affordable cyber insurance cover and the industry will need to improve on its ‘basic’ cyber security maturity.

But there is plenty of scope for businesses to work with their broker and insurer to pre-emptively address known vulnerabilities both during their policy period and when it comes to presenting their risk to the insurance market. As Aon’s Cyber Insurance Snapshot concludes, “Cyber underwriting submission preparation is key to differentiate cyber insurance buyers in the market and to maintain access to capital,” further advising that retailers should begin the renewal process early and focus on existing insurer relationships.

For further information on the issues covered by this article, please contact Mike Jacobs

Whilst care has been taken in the production of this article and the information contained within it has been obtained from sources that Aon UK Limited believes to be reliable, Aon UK Limited does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the article or any part of it and can accept no liability for any loss incurred in any way whatsoever by any person who may rely on it. In any case any recipient shall be entirely responsible for the use to which it puts this article.

This article has been compiled using information available to us up to 30 June 2021.