According to Aon’s most recent C-Suite Series report Prepare for the expected: Safeguarding value in the era of cyber risk, the cost of global cyber losses is expected to reach US$6 trillion annually by 2021. This staggering figure underlines that for businesses, falling victim to a successful cyber-attack is a case of ‘when’ rather than ‘if’.
Of all the consequences from a cyber-attack, it seems to me that there are two – highlighted in Aon’s report – that are sometimes overlooked, or at least not focused on enough, by the retail sector; business interruption and credit risk.
Closed due to unforeseen circumstances
If we take business interruption first. Retail has traditionally seen the cyber threat coming in the shape of a data breach, largely because many retailers hold significant amount of customer data collected for reasons such as loyalty programmes, online order profiles, and of course, through the use of payment cards. The impact of significant cyber events like WannaCry and NotPetya has started to shift that focus (although some of the more notable recent GDPR fines have made sure that data breach remains in the headlines) and there is a growing awareness of the damage that business interruption can cause. With the use of increasing automation for example, if a warehouse management system goes down, it’s unlikely that the location of all stock can be identified – rather than being in consolidated pick faces, stock is distributed by complex algorithms. An IT outage might mean you can still access the warehouse, but the problem could be electronically ‘seeing’ the stock, taking customer payment, or printing labels and dispatching orders.
Credit rating takes a hit
The impact on a retailer’s credit rating is another, often understated, possible outcome from a cyber-attack. Aon’s cyber report highlights what happened to credit reporting agency Equifax after they experienced a hack compromising up to 147.9 million pieces of personal data. In addition to the costs inflicted on the company for dealing with the attack and compensating their customers – US$1.4 billion according to the company’s last statement – Equifax was also downgraded by Moody’s to a negative financial rating leading to longer term financial issues such as future loss of investment, fall in share price and increased cost of credit. It was the first time that a business had experienced such a downgrade following a cyber-attack, but it won’t be the last.
In an environment where many retailers are struggling and perhaps carrying more debt than they would like or certainly relying on liquidity provided by banks and other lenders, any event that has an impact on credit rating could mean significant extra costs when it comes to borrowing, or even an inability to borrow at all.
How best then for retailers to respond to these and other risks related to cyber?
Identify and quantify
While the retail industry has seen some significant cyber events, the challenge is that many see cyber security as a black hole; you keep pumping money into technical security control and cyber defences and the only way you know it works is if nothing goes wrong. It can be hard to establish whether you’re spending money on the right thing and that you’re actively improving your cyber resilience. As a result, we’re seeing some of the more sophisticated organisations we work with start to identify and quantify their cyber risk so that they can play back to the business and to stakeholders and say, when we invest £10 million in cyber security it’s to target exposure of £2 billion.
This level of quantification gives them the toolset they need to justify their spend on cyber security to stakeholders and shareholders; it empowers the C-suite to make decisions as to whether they accept risk or whether they spend more on cyber security and cyber insurance.
From a directors’ and officers’ liability perspective, if shareholders want to sue in relation to a cyber-attack, the Board can defend its position by saying we articulated our decisions and had a clear process that leveraged analytics and quantification techniques to make us go down a particular route.
As well as the identification and quantification of cyber risk, another critical step for retailers is their incident response preparedness, not least because it’s one of the lower cost measures a business can implement. Beyond having the basic IT disaster recovery capabilities, it’s all about process and organisation. In terms of value for money, you can spend a fortune on technical security controls and you can be unlucky whereas if you are very prepared for a cyber event – when it matters, you can control it and you can contain it. Effective communication of course plays a crucial role here; if you don’t get your message out there on what has happened and how you are dealing with it, social media and / or 24 hr news will fill the vacuum.
A crisis like a cyber-attack and how a business manages it, can have a direct impact on shareholder value. A 2018 study by Pentland Analytics and Aon found that a company’s preparedness to mitigate reputational risk can either add 20% or lose up to 30% of its share price value. It's one key reason that businesses choose to buy cyber insurance – which provides not only balance sheet protection but crucially can also provide access to IT forensic experts as well as legal and public relations experts who can help mitigate the operational and reputational damage.
The Board must tackle their cyber exposure
For retailers, facing a relentless drive to become more efficient and deliver a better customer experience, the use of technology can save millions and generate millions more. But these innovations also have the potential to deliver huge cyber exposures which the C-suite must recognise and manage if they’re not to find themselves managing a D&O legal action from disgruntled shareholders following a badly managed response to a cyber-attack.
To find out more about how to protect your business from the cyber threat, read the full Aon report: Prepare for the expected: Safeguarding value in the era of cyber risk
Aon UK Limited is authorised and regulated by the Financial Conduct Authority. FPNAT.482