Aon Risk Solutions | Global Sales & Marketing Support | Proprietary & Confidential

Cyber Risk for Retail Industry

Date: 31 Dec 2015



Table of contents

Cyber risk in retail industry ... 3

Data breach statistics ... 4 - 5

Claims by business sectors ... 6 - 8

Payment card skimming ... 9

Cost of major cyber data breaches ... 10

PCI Compliances ... 11 - 12

Cyber risk for M & A deals ... 13

Cyber risk and D & O ... 14

Cyber liability: purchase ... 15

Cyber liability: adequacy & effectiveness ... 16


Retail is one of the major industries exposed to cyber risk

According to the ‘Breach Level Index’ database, in 2015 there were 181 data breaches among retailers, accounting for 12% of the total incidents, up slightly from 11% in 2014 and 8% in 2013.

These attacks resulted in more than 30 million data records being exposed. That amounted to 8% of all the records involved in data breaches during the year, compared with 55% in 2014 and 29% in 2013.

Among the top breaches in the industry were Gaana.com & Times Internet with 10,000,000 records; Rakuten and LINE Corp, with 7,850,000 records; VTech Holdings, with 5,033,676; TalkTalk, with 4,000,000; and Carphone Warehouse, with 2,400,000.

In its 2015 Data Breach Investigations Report, Verizon reported that the two primary attack vectors affecting retailers in 2014 were point-of-sale intrusions and denial of service.

In 2014, point-of-sale intrusions and denial of service combined for 64% of retail attacks. In a dramatic shift, by 2015 point-of-sale intrusions alone accounted for 70% of attacks affecting retailers, whereas denial of service attacks were virtually non-existent.

This significant change in just one year is no surprise, as point-of-sale systems handle the credit card data that hackers desire.

Top global data breaches reported by industry, 2015 (chart): Healthcare 34%, Government 22%, Technology 16%, Others 15%, Retail 8%, Education 5%

Number of Breach Incidents By Industry Trend, 2013 - 15

Industry 2013 2014 2015

Healthcare 340 445 332

Financial Services 164 212 235

Government 191 291 251

Retail 98 197 181

Education 31 173 139

Technology 108 137 81

Other Industry 262 276 278


Retailers in USA have witnessed massive data breaches in 2015

Major healthcare data breaches in the world during the year 2015

Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach

May-5 Gaana.com, Times Internet Pakistan 10,000,000 Malicious Outsider Identity Theft

Apr-17 Rakuten and LINE Corp Japan 7,850,000 Malicious Outsider Account Access

Nov-14 VTech Holdings China 5,033,676 Malicious Outsider Account Access

Oct-22 TalkTalk United Kingdom 4,000,000 State Sponsored Identity Theft

Aug-8 Carphone Warehouse United Kingdom 2,400,000 Malicious Outsider Financial Access

Major healthcare data breaches in USA during the year 2015

Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach

Jun-9 Hanesbrands USA 900,000 Malicious Outsider Financial Access

Sep-1 Apple/ Iphone USA 225,000 Malicious Outsider Account Access

May-15 Bettys & Taylors of Harrogate USA 122,000 Malicious Outsider Account Access

Aug-9 U.S Retailer USA 100,000 Malicious Outsider Account Access

Aug-9 AutoZone USA 50,000 Malicious Outsider Identity Theft

Major healthcare data breaches in Canada during the year 2015

Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach

Oct-7 Walmart Canada / PNI Digital Media Canada 60,000 Malicious Outsider Financial Access

May-21 Vancity Metro Vancouver Canada 1,200 Malicious Outsider Financial Access

Jan-7 Superior Blue Link Party Store Canada 200 Malicious Outsider Financial Access

Jul-15 CVSphoto Canada Unknown Malicious Outsider Financial Access

Jul-16 Sports Traders Canada Unknown Accidental Loss Identity Theft


Retailers in UK & Australia have also witnessed massive data breaches in 2015

Major healthcare data breaches in the United Kingdom during the year 2015

Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach

Oct-22 TalkTalk United Kingdom 4,000,000 State Sponsored Identity Theft

Aug-8 Carphone Warehouse United Kingdom 2,400,000 Malicious Outsider Financial Access

Jun-7 Morrison's United Kingdom 100,000 Malicious Insider Identity Theft

Nov-27 Hungryhouse United Kingdom 10,000 Malicious Outsider Account Access

Oct-29 Vodafone United Kingdom 1,827 Malicious Outsider Financial Access

Major healthcare data breaches in Netherlands during the year 2015

Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach

Apr-17 MAPP.NL Netherlands 157,000 Malicious Outsider Account Access

Aug-17 Jumbo Netherlands 100 Malicious Insider Account Access

Jun-5 Brabantia Netherlands Unknown Malicious Outsider Account Access

Major healthcare data breaches in Australia during the year 2015

Month/Year Company/Organization affected Country # of Records Breached Type of Breach Source of Breach

Oct-30 Aussie Farmers Direct Australia 5,149 Malicious Outsider Account Access

May-31 Woolworths Australia 8,000 Accidental Loss Account Access

Feb-3 SpinTel Australia 426 Accidental Loss Nuisance

Jun-17 Sussan Australia Unknown Malicious Outsider Identity Theft

Oct-2 David Jones Australia Unknown Malicious Outsider Account Access


Respondents from the ‘Retail’ industry witnessed the 3rd highest number of claims in 2015

NetDiligence conducts a study of cyber liability claims every year to ascertain the impact of cyber liability by industry, company size, etc.

In 2015, Retail was the 3rd most affected sector with 21 claims, next to Healthcare with 34 claims and Financial Services with 27 claims.

The Retail industry accounted for 13% of total claims in the year 2015.

The Retail industry witnessed the 4th highest number of claims vis-a-vis other industries and accounted for 10% of the total in the year 2014.

NetDiligence study - percentage claims by business sectors, 2015 (chart): Healthcare 21%, Financial Services 17%, Retail 13%, Technology 9%, Professional Services 8%, Non-Profit 4%, Other Industries 28%

NetDiligence study - percentage claims by business sectors, 2014 (chart): Healthcare 23%, Financial Services 22%, Professional Services 10%, Retail 10%, Non-Profit 9%, Other Industries 26%


Retail sector accounted for the majority of records exposed in 2015

Of the 104 claims that reported the number of records exposed, the Retail sector accounted for the vast majority of records exposed (71%), although that sector was responsible for only 13% of the claims in the dataset. This was a massive jump from 2014, when the Retail industry accounted for only 1% of the total number of records exposed by industry.

In 2014, the Entertainment sector accounted for the majority of records exposed (52%), although that sector was responsible for only 5% of the claims in the dataset. Technology came in second, accounting for 39% of records exposed. The Retail industry accounted for a minuscule 1% of the total number of records exposed by industry.

NetDiligence study - Records Exposed, 2015 (chart): Retail 71%, Healthcare 28%, All other Sectors 1%

NetDiligence study - Records Exposed, 2014 (chart): Entertainment 52%, Technology 39%, All other Sectors 8%, Retail 1%


Retail industry reported the 2nd highest number of data breaches from 3rd party vendors in 2015

According to the study by NetDiligence, about 25% of the total respondents (total sample size: 160) attributed claim events to 3rd parties for the year 2015.

The Financial Services industry was the most affected sector (accounting for 30% of total claim incidents) and the Retail industry accounted for 18% of total claim incidents for the year 2015.

According to the study by NetDiligence, about 20% of the total respondents (total sample size: 111) attributed claim events to 3rd parties for the year 2014.

The Financial Services industry was the most affected sector (accounting for 32% of total claim incidents) and the Retail industry accounted for 5% of total claim incidents for the year 2014.

NetDiligence study - third party breaches induced claims by business sectors, 2015 (chart): Financial Services 30%, Retail 18%, Technology 18%, Healthcare 13%, Energy 10%, Other Industries 11%

NetDiligence study - third party breaches induced claims by business sectors, 2014 (chart): Financial Services 32%, Healthcare 18%, Professional Services 14%, Retail 5%, Other Industries 22%


Discovery of Payment Card Skimming usually ranges from few hours to few days

According to the ‘Verizon 2015 Data Breach Investigations’ report, in the majority of cases the discovery of payment card skimmers takes from a few hours to a few days.

A small portion (about 28%) of the data breach cases took weeks or months to discover.

However, as the saying goes, ‘every cloud has a silver lining’: detection/discovery times are getting better, as the majority of incidents are now discovered within a few days of the breach.

Verizon 2015 Data Breach Investigations Report, Time to Discovery within Payment Card Skimmers Pattern for Retail Industry (chart; time-bucket labels not recovered; bar values 4.50%, 4.50%, 27.30%, 36.40%, 18.20%, 9.10%, 0.00%, 0.00%)


Despite the many breaches suffered by retailers and the clearly tempting repository of data they hold for cybercriminals, wholesale and retail are not hit with the highest fines and penalties, according to Advisen data

Cost of Major Cyber Data Breaches

Year Company Breach Cost Description

2007 TJX $250 Million: The parent company of well-known US retail brands like TJ Maxx and Marshalls had 46 million credit card credentials stolen over an 18-month period by a hacker called Albert Gonzalez. This data breach resulted in damages of $250m.

2013 Target Stores $148 Million: This US retailer discovered that its payment card readers were infected with malware that had been harvesting credit card details throughout the Thanksgiving and pre-Xmas shopping season. Some 110m customer records were compromised in the attack, forcing the CEO to resign and costing the company $148m, but at least it was able to claim $38m back in insurance.

2014 Home Depot $80 Million: This US-based DIY store found its point-of-sale systems had been infected with malware that was masquerading as antivirus software but was actually stealing credit card details. Some 56 million cards were compromised, costing the company an estimated $80m before insurance reimbursements. Sales growth remained strong, however, implying that customers were not overly concerned.

2014 eBay $200 Million: It took this online retailer six months to discover that it had been hacked, with 230m customer credentials compromised. Its slow and misleading response to this crisis was widely criticized, but eBay maintains that the damage was slight, that stolen passwords were encrypted anyway and that no financial data was compromised. Nevertheless, class action suits and regulatory fines will probably cost the company around $200m.


Security and PCI Compliance for Retail Industry

The PCI DSS Requirements are as follows:

Install and maintain a firewall configuration to protect cardholder data

Do not use vendor-supplied defaults for system passwords and other security parameters

Protect stored cardholder data

Encrypt transmission of cardholder data across open, public networks

Use and regularly update antivirus software

Develop and maintain secure systems and applications

Restrict access to cardholder data by business need to know

Assign a unique ID to each person with computer access

Restrict physical access to cardholder data

Track and monitor all access to network resources and cardholder data

Regularly test security systems and processes

Maintain a policy that addresses information security
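Two of the requirements listed above, protecting stored cardholder data and tracking access to it, are routinely checked by scanning logs and data stores for primary account numbers (PANs) that were written out unmasked. The following is an added example, not code from the Aon deck or from any PCI SSC tool: it finds 13- to 19-digit runs in constructed sample point-of-sale log lines, keeps only those that pass the Luhn check (which filters out order ids and timestamps), and masks them to the first six and last four digits, the most PCI DSS 3.3 permits to be displayed. The log format and field names are hypothetical, and the card numbers are the public Visa and Mastercard test numbers.

```python
from __future__ import annotations
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
# The Luhn check below filters out most other long digit runs (order ids, timestamps).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if `digits` is a 13-19 digit string that passes the Luhn (mod 10) check."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; PCI DSS 3.3 allows at most that much to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in one log line. Returns (redacted_line, number_masked)."""
    count = 0

    def repl(match: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)          # not a card number: leave untouched
        count += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, line), count


def scan_log(lines: list[str]) -> tuple[list[str], list[tuple[int, int]]]:
    """Redact a whole log; also report (line_number, pans_found) for lines that leaked a PAN."""
    redacted, findings = [], []
    for n, line in enumerate(lines, start=1):
        new_line, found = redact_line(line)
        redacted.append(new_line)
        if found:
            findings.append((n, found))
    return redacted, findings


# Constructed sample POS log lines (field names are hypothetical; the card numbers are the
# public Visa/Mastercard test numbers, and the 13-digit order id deliberately fails Luhn).
SAMPLE_LOG = [
    "2015-12-31T10:02:11 pos-07 sale ok amount=42.10 pan=4111111111111111 auth=A1B2",
    "2015-12-31T10:02:12 pos-07 order=2015123100001 status=captured",
    "2015-12-31T10:03:40 pos-03 sale declined amount=199.00 card=5555-5555-5555-4444",
    "2015-12-31T10:04:02 web checkout ok token=tok_8f3c21 last4=4444",
]

if __name__ == "__main__":
    clean, hits = scan_log(SAMPLE_LOG)
    for n, found in hits:
        print(f"line {n}: {found} unmasked PAN(s) found")
    print("\n".join(clean))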

FFIEC Retail Transaction Guidelines

Financial institutions are the core providers for most retail payment instruments and services

Implement appropriate physical controls

Implement logical security controls

Use of authentication technologies and methods should depend on risk assessments

Note: Federal Financial Institution Examination Council (FFIEC); Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS requirements are very expensive to implement, confusing to comply with, and ultimately subjective, both in their interpretation and in their enforcement. It is often stated that there are only twelve Requirements for PCI compliance. In fact there are over 220 sub-requirements, some of which can place an incredible burden on a retailer and many of which are subject to interpretation.


Retailers who don't meet the compliance requirements and experience a data breach may be subject to heavy fines from $100,000 to $500,000 or more

Penalties for PCI non-compliance

The Payment Card Industry has established fines of up to $500,000 per incident for security breaches when merchants are not PCI compliant.

In addition, it is required that all individuals whose information is believed to have been compromised must be notified in writing to be on alert for fraudulent charges. As such, the potential cost of a security breach can far exceed $500,000 when the cost of customer notification and recovery is calculated.

Potential cost of a security breach

Fines of $500,000 per incident for being PCI non-compliant

Increased audit requirements

Potential for campus wide shut down of credit card activity by our merchant bank

Cost of printing and postage for customer notification mailing

Cost of staff time (payroll) during security recovery

Cost of lost business during register or store closures and processing time

Decreased sales due to marred public image and loss of customer confidence


Mergers & acquisitions require complex integration of IT systems which may become susceptible to data breaches and cyber exposures

Global consumer mergers and acquisitions (M&A) had a combined transaction value of $202.5 billion in the first half (H1) of 2015, according to research from Mergermarket. The value represents a 42.8% increase over H1 2014 totals.

Of the consumer subsectors involved, retail ($105 billion) and food ($80.2 billion) experienced a year-over-year increase in transactions of 129.9% and 106.9%, respectively. The overall boost in retail deal value represents the highest on record.

In 2014, cyber criminals were discovered hacking more than 100 companies across verticals, including investment advisers and law firms, in search of market-moving information about deals, according to researchers at cyber security company FireEye.

Cyber risk poses an increased threat in mergers and acquisitions in various industries such as media, pharma, automotive, financial services and retail.

More than two-thirds of the targets were in the pharmaceutical industry, and only limited incidents were witnessed in the retail industry over the past few years.

In May 2015, the Ascena Retail Group said it will buy Ann Taylor parent Ann Inc., making the owner of Lane Bryant one of the nation’s largest apparel retailers, amounting to an estimated $7.3 billion in sales and nearly 5,000 stores.

In February 2015, Macy’s revealed plans to buy beauty chain Bluemercury for $210 million.

The retail landscape is poised for a spate of mergers and acquisitions, according to EY’s 12th Global Capital Confidence Barometer, a biannual survey of more than 1,600 executives in 54 countries, including the U.S.

More than half (53%) of retail and consumer products companies (CPR) across the globe are expected to pursue acquisitions in the next 12 months, up from 39% in October 2014, according to EY, which bills itself as a global leader in assurance, tax, transaction and advisory services.

Recent trends such as mergers & acquisitions in the retail industry pose a cyber threat to retailers. Currently most of the hackers are targeting M&A deals and talks.


Data breaches have led to lawsuits against board of directors.

It would be interesting to ascertain whether cyber exposures or data breaches can lead to lawsuits against directors and officers. According to ‘The D&O Diary’, the Boards of Directors of ‘Target Corp.’ and ‘Wyndham Worldwide’ were sued soon after these companies witnessed high-profile data breaches.

It is interesting to ascertain the possibility of cyber liability leading to D&O liability. D&O policies are witnessing changes in terms of scope & coverage, since the possibility of data breaches leading to lawsuits against directors & management is opening up.

It is quite unclear whether cyber/data liability/security claims are covered under traditional lines of insurance such as property, general liability etc. However, a few court rulings shed some light on decisions wherein cyber liabilities were covered under traditional lines of business. Although the companies involved in these lawsuits belong to industries other than healthcare, it would be interesting to understand the treatment of liability.

In the lawsuit “Retail Systems, Inc. v. CNA Insurance Co”, the Court of Appeals of Minnesota compared a data storage tape to a motion picture and held that data on a missing computer tape was of permanent value and was integrated completely with the physical property of the tape.

Generally, Commercial General Liability (CGL) policies offer broad liability insurance coverage under two insuring agreements: ‘Coverage A’ (bodily injury and property damage) and ‘Coverage B’ (personal and advertising injury). In the case “Eyeblaster, Inc. v. Federal Insurance Co”, the U.S. Court of Appeals for the Eighth Circuit held that a cyber liability claim was covered under Coverage A notwithstanding that “any software, data or other information that is in electronic form” was expressly excluded from “tangible property”.


Around Half of the ‘Retail’ industry respondents most likely to buy cyber coverage

In Aon’s 2015 survey, about 50% of respondents from the retail trade industry were most likely to buy cyber coverage.

According to Aon’s Global Risk Management Survey 2015 report, 50% of the respondents from the retail industry had already purchased cyber insurance.

However, 24% of respondents had neither purchased cyber insurance nor had plans to purchase it. A significant portion of respondents (26%) had plans to buy cyber insurance.

Aon Global Risk Management Survey 2015, Purchase of Cyber Insurance Coverage by Industry (chart; series: Insurance Currently Purchased, Not purchased & No Plans to Purchase, Plan to Purchase; industry labels not recovered)

Aon Global Risk Management Survey 2015, Organizations Most Likely To Buy Cyber Coverage (chart; industry labels not recovered; bar values 57%, 50%, 49%, 42%, 39%, 35%, 35%, 32%)


Majority of the respondents from the ‘Retail’ industry felt existing cyber policy offered effective & adequate coverage

Aon Global Risk Management Survey 2015, Effectiveness of Current Cyber Insurance by Industry (chart; industry labels not recovered; bar values 83%, 85%, 89%, 100%, 73%, 76%, 57%, 87%)

Aon Global Risk Management Survey 2015, Adequacy of Current Cyber Insurance by Industry (chart; industry labels not recovered; bar values 63%, 48%, 95%, 71%, 64%, 76%, 57%, 67%)

According to Aon’s Global Risk Management Survey 2015 report, about 85% of respondents from the ‘Retail’ industry were pleased with the effectiveness of their existing cyber liability cover.

About 48% of respondents from the ‘Retail Trade’ industry felt that current cyber coverage wasn't adequate to provide cover from cyber liability.


Sources used for the study:

Breach Level Index database.

NetDiligence Cyber Claims Study – 2014 & 2015

Prnewswire publication

Internet Retailer Publication

Reuters publication

Aon Global Risk Management Survey 2015