Cyber insurance for the retail sector

All segments of the economy are vulnerable to cyber-attacks, but those who operate in the retail sector in particular have experienced a significant increase in the number of attacks in recent years.

Cyber criminals and hacktivists are an increasingly foreboding presence in today’s technologically advanced world. With near-complete reliance on computer networks and data, cyber incidents have become a pervasive downside to the benefits of that technological innovation.

Year after year, data breach studies have drawn a correlation between the industry segments holding the greatest volume of confidential information, such as retail, and the likelihood of suffering a cyber incident.

JLT provides bespoke cyber risk management solutions and cyber liability insurance across the retail sector. Our team of experts will work with you to find the right multi-dimensional cyber security solution to cover your business against cyber attacks.


WHAT WE DO


Cyber risks that retail organisations should consider include:

  • Large volumes of consumer and employee information, including debit and credit card details, stored on company databases
  • Cyber-attacks affecting websites can have significant implications from a revenue and reputation perspective
  • Point-of-sale systems have been highly vulnerable to security issues, with attack vectors ranging from skimming devices to advanced malware
  • A system glitch or other network intrusion could paralyse work on site or prevent the use of a building
  • Loyalty program information can create privacy issues and can be valuable to hackers on its own merit and as a catalyst for social engineering and phishing attacks
  • In the chain of liability related to payment card fraud and payment card information compromise, the retailer typically experiences the greatest degree of financial loss.

We can provide bespoke cyber risk management solutions and cyber liability insurance across the retail sector. Our team of experts will work with you to find the right cyber security solution against data breaches and cyber attacks.

CYBER Q&A

Information Technology (IT) generally refers to all things computing. Less familiar is Operational Technology (OT), the software and hardware used to monitor and control physical devices. OT is typically found in industry and critical infrastructure, where electronic systems operate equipment (such as sensors, valves or controls) in pipelines, refineries and nuclear power plants.

These Industrial Control Systems have been used for decades (and can trace their origins to the beginnings of computing and automation in the 1950s) in a wide range of sectors, such as energy, utilities, manufacturing, chemicals, transport and scientific research. They can collect data, control processes and machinery, and measure and manage environmental factors such as temperature and pressure.

OT is becoming more and more important with the march of Industry 4.0 and increased levels of automation in industry. Smart systems are being developed for power and utilities, transport and manufacturing that will see more and more industrial control systems and equipment connected to networks, including the cloud.

And with the Internet of Things (IoT), OT will increasingly move beyond the industrial environment, as more and more technology is used to monitor and control devices in other sectors, such as logistics, medicine, building management, telecommunications and entertainment.

However, OT and IT are quite different beasts, and are usually treated separately within organisations. But, according to Gartner, developments in IoT, smart systems, machine learning and automation will see IT and OT systems become more integrated.

But OT and IT systems currently have conflicting priorities. While IT services are primarily concerned with data protection and security, OT has so far prioritised accessibility over security. Many industrial control systems were not designed with security front of mind, but awareness of their vulnerabilities and of the potential consequences of cyber attacks has been increasing.

One of the most high-profile attacks using OT involved a steel mill in Germany, where hackers accessed the plant’s control systems, taking control of the blast furnace. Iranian hackers were also said to have taken control of flood gates at a US dam in 2013.

OT systems are also harder to protect than IT. Many are known to run on unsupported or unpatched operating systems. Such systems are also vulnerable to human error – hackers used targeted emails and social engineering to infiltrate the German steel mill systems.

As cyber criminals and other threat actors increasingly look to target industrial systems, the security of OT is set to become as important as it is in IT.

Companies are becoming increasingly dependent on IT systems - to manage supply chains, communicate with customers and trade - and are therefore exposed to the risk of significant disruption from IT system failures.

Cyber insurance has evolved over recent years and broad forms of system failure coverage are now available. However it is important to examine wordings as significant differences exist between policies.

Cyber insurance can cover business interruption losses from a wide range of systems failures, but will not generally cover outages caused by power supply or telecommunications failures. Depending on the policy, other exclusions may also apply, such as the failure of new software roll-outs or upgrades.

System failure cover typically falls into one of two camps: all risks or named perils. All risks provides the broadest cover, but the market is more limited in terms of insurer options and capacity, and the pricing is frequently higher. Underwriters are also likely to require more information from insureds.

For companies that require system failure cover, it is critical to be aware of the type and scope of cover under their cyber insurance policies. It is also important to work with a specialist broker to understand the implications of wordings.

Cyber espionage is one of the murkier aspects of cyber risk. Few organisations will admit to having been the victim of cyber espionage, but many are concerned about a cyber attack that seeks to steal confidential information, like trade secrets or client data.

Cyber espionage topped the list of major threat concerns for global business, according to a survey by Trend Micro. One in five global organisations surveyed ranked cyber espionage as the most serious threat to their business while 20% of US companies were said to have suffered a cyber espionage related attack in the last year.

Cyber espionage is a broad term to describe the theft of information related to individuals, companies and governments, using hacking techniques. Foreign governments, state-affiliated hackers and even business rivals will all potentially have an interest in stealing valuable data, such as military secrets, technology or research.

In its broader sense, cyber espionage can also refer to attempts to disrupt critical infrastructure or services by foreign governments or state-backed hackers. For example, a cyber attack in Ukraine targeted power stations in December 2015, causing widespread outages.

As more and more critical data and intellectual property moves online, cyber espionage is likely to become a more pressing issue. At the same time, nation states and state backed hacking groups tend to be better resourced and use more sophisticated methods than cyber criminals.

A recent report from Lloyd’s identified energy, telecommunications and the public sector as the three sectors most susceptible to cyber espionage, followed by manufacturing and professional services. Foreign governments and their agents target these sectors as they seek to steal sensitive information on politically exposed persons, intellectual property and key infrastructure.

Lloyd’s also noted that cyber espionage techniques are evolving, with traditional tactics now being repurposed by criminals to attack banks and financial infrastructure via Advanced Persistent Threats.

Cyber threat analysis can help companies better understand whether they are a likely target of cyber espionage and how best to defend against it. Cyber insurance can also help companies respond quickly and effectively to the consequences of a cyber espionage attack, limiting the commercial and reputational damage.

Patches are software updates, usually released to improve the performance or fix bugs and security vulnerabilities in software already installed on computers, IT systems and devices.

Software is far from perfect and glitches and vulnerabilities are readily exploited by hackers who use them to carry out cyber attacks, spread viruses, malware, ransomware and to create armies of botnets.

More sophisticated cyber attacks use unknown vulnerabilities – called zero-day exploits – but the majority rely on known vulnerabilities. Analysis suggests that zero-day vulnerabilities account for as little as 1% of vulnerabilities in Microsoft software.

In fact most exploits involve vulnerabilities that were patched more than a year ago. According to Fortinet’s recent Threat Landscape Report, 90% of organisations recorded exploits for vulnerabilities that were three or more years old. Some 60% of firms were still seeing attacks for vulnerabilities dating back 10 years or more.

The WannaCry and Petya ransomware attacks in 2018 demonstrate the extent to which not patching can leave companies vulnerable. Both used known vulnerabilities to spread through networks and encrypt data, and despite the availability of a patch, the malware infected hundreds of thousands of computers.

Regular patching is known to be an effective form of defence against cyber attacks, and yet companies take on average 100 days or more to update their systems.

In an ideal world, every organisation would apply the latest security patches and updates to their IT systems as soon as they are released. But in reality there are many good reasons why companies do not keep software up-to-date, not least because of the complexity and interdependencies of software and the reliance on critical IT systems.

Installing patches can create more problems than it solves, and patches are known to have caused systems to crash catastrophically. In 2015, trading ceased on the New York Stock Exchange for nearly four hours after a technology upgrade went wrong, while a failed upgrade left thousands of banking customers unable to access their accounts at Australia-based St George’s Bank.

Keeping connected devices like industrial control systems updated can also be challenging, especially for older or legacy systems. According to SANS, only 46% of firms regularly apply vendor-validated patches to their industrial control systems. In some cases software will no longer be supported by vendors, while patching is often impractical.

Yet many cyber insurance policies contain wordings that exclude losses arising from a ‘failure to maintain’ systems and apply regular patches and updates. Given that updates may take time to install or would not be practical, this exclusion can be problematic.

In some instances it is possible to have a ‘failure to maintain’ exclusion deleted, but clients will need to provide underwriters with quality information on updating procedures. Insurers will want to see processes that ensure updates are applied in a timely manner, but that also prevent business interruption and usability issues.
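The “quality information on updating procedures” that underwriters ask for usually starts with a measurable patch lag per asset: how many days each system has run with a vendor fix available but not installed, and how many sit outside the agreed SLA. The script below is an added example (not JLT’s tooling or any vendor’s product) that computes such a report over a constructed inventory; the asset names, versions and release dates are sample data, and the 30-day SLA is an assumed figure.

```python
"""Patch-lag report over an asset inventory (added example with constructed data).

For each asset we know the installed version, the version in which the vendor
shipped the relevant fix, and the date that fix was released. Patch lag is the
number of days the asset has run without an available fix; assets beyond the
SLA are listed as overdue, worst first, which is the evidence a patch process
review or an underwriter questionnaire typically needs.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    software: str
    installed_version: str
    patched_version: str   # version in which the vendor shipped the fix
    patch_released: date   # date the vendor released that fix


def version_tuple(v: str) -> tuple:
    """Compare dotted versions numerically so that 2.4.12 > 2.4.9."""
    return tuple(int(p) for p in v.split("."))


def is_patched(asset: Asset) -> bool:
    return version_tuple(asset.installed_version) >= version_tuple(asset.patched_version)


def patch_lag_days(asset: Asset, today: date) -> int:
    """Days the asset has run with a fix available but not installed (0 if patched)."""
    if is_patched(asset):
        return 0
    return max((today - asset.patch_released).days, 0)


def patch_compliance_report(assets, today: date, sla_days: int = 30) -> dict:
    """Summarise patch state; 'overdue' holds (name, software, lag) beyond the SLA."""
    lags = [patch_lag_days(a, today) for a in assets]
    overdue = [(a.name, a.software, lag) for a, lag in zip(assets, lags) if lag > sla_days]
    overdue.sort(key=lambda t: t[2], reverse=True)   # worst offenders first
    unpatched = [lag for lag in lags if lag > 0]
    return {
        "total": len(assets),
        "patched": sum(1 for a in assets if is_patched(a)),
        "overdue": overdue,
        "max_lag_days": max(lags) if lags else 0,
        "mean_lag_unpatched": (sum(unpatched) / len(unpatched)) if unpatched else 0.0,
    }


# Constructed sample inventory (hypothetical hosts, products and dates).
SAMPLE_INVENTORY = [
    Asset("pos-terminal-01", "pos-agent", "4.2.1", "4.2.1", date(2018, 3, 1)),
    Asset("pos-terminal-02", "pos-agent", "4.1.0", "4.2.1", date(2018, 3, 1)),
    Asset("web-front-1", "webserver", "2.4.9", "2.4.12", date(2017, 11, 20)),
    Asset("hr-db", "dbms", "11.2", "11.2", date(2018, 2, 14)),
    Asset("warehouse-plc-gw", "ot-gateway", "1.0", "1.3", date(2016, 6, 1)),
]

if __name__ == "__main__":
    report = patch_compliance_report(SAMPLE_INVENTORY, today=date(2018, 6, 1))
    print(f"{report['patched']}/{report['total']} assets patched, "
          f"max lag {report['max_lag_days']} days")
    for name, software, lag in report["overdue"]:
        print(f"  OVERDUE {name} ({software}): {lag} days behind vendor fix")
```

Run as a script it prints the overdue list for the sample data; in practice the inventory would come from a CMDB or vulnerability scanner export and the report would be kept as a dated record, since it is exactly the kind of evidence that supports removing a ‘failure to maintain’ exclusion.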

Silent cyber refers to potential cyber exposures contained within traditional property and liability insurance policies, which may neither expressly include nor exclude cyber risks.

Unlike specialist standalone cyber insurance, which clearly defines the parameters of cyber cover, traditional insurance policies were not designed with cyber exposures in mind. In many cases, traditional policies will not specifically refer to cyber and could theoretically pay claims for cyber losses in certain circumstances.

This is particularly true for all risk property coverages that do not exclude cyber risk - also known as ‘non-affirmative’ cyber - and is particularly relevant for marine, aviation, transport and property lines, although it is also present in some liability covers.

For example, a study by the UK’s Prudential Regulation Authority (PRA) in 2016 found that the aviation insurance sector has to date been comfortable providing implicit cyber cover and the market has not witnessed a move to introduce exclusions.

Similarly, there are currently no widespread cyber exclusions in the property market. However, underwriters have acknowledged the potential for cyber aggregation resulting from cyber attacks on high-profile commercial or industrial targets, or from smart-house technology, the PRA said.

Casualty lines may also have significant exposure to silent cyber losses, either because exclusions are not widely used or because some policies, such as mandatory coverages like motor, cannot exclude cyber losses. Directors and officers, professional indemnity, financial institutions and general liability products are likely to be exposed to varying degrees to ‘silent’ risks due to a lack of effective exclusions, the PRA said.

How the market approaches silent cyber exposures will have a direct impact on coverage and the way in which the market reacts to very large and systemic losses.

Cyber-attacks against digital supply chains are on the rise. Supply chain compromises typically seek to introduce security flaws or exploitable features into hardware, software, or digital services, which are then passed on to customers. 2017 saw some significant examples of supply chain attacks, including the compromise of managed service providers (MSPs) and several software products.

In 2017, suspected Chinese hackers compromised several global MSPs, which deliver outsourced IT, HR and business services. It is thought that the attackers obtained commercially sensitive data from the MSPs and their clients, which included government agencies.

According to the National Cyber Security Centre (NCSC), MSPs represent a particularly attractive target as they have links to thousands of customers worldwide. Even if a client has strong cyber security, it may find itself vulnerable if a trusted network link to an MSP is compromised.

Between 15 August and 12 September 2017, downloads of CCleaner, a free computer clean-up tool, were infected with malware. The incident is thought to have affected over two million downloads by both individuals and businesses, and resulted in further attacks against large technology and telecommunications companies in the UK, Taiwan, Japan, Germany and the US.

NotPetya, the global malware attack that caused major disruption in June 2017, was also a supply chain attack.

Attackers managed to introduce malware into MeDoc, a legitimate software application widely used by businesses in Ukraine for handling tax returns. The compromised MeDoc update infected users of the application, while the malware was then able to spread itself within networks.

Supply chain cyber attacks are seen as an increasing threat by cyber security agencies and cyber security firms. Analysis from Symantec identified a 200% increase in attacks where hackers injected malware into the software supply chain. This equated to one attack every month last year, compared to four attacks in all of 2016.
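The CCleaner and MeDoc incidents above share a pattern: the update arrived through the vendor’s normal channel and was installed because it came from a trusted source. A basic defensive control is to refuse any update whose digest does not match one pinned in a release manifest obtained through a separate channel, and to refuse rollbacks to older versions. The code below is an added illustration of that check, not any vendor’s real update mechanism; the product name, payload bytes and manifest are constructed, and it assumes the manifest itself has already been signature-verified out of band with the vendor’s release key (that step is outside this snippet).

```python
"""Verify a software update against an out-of-band pinned digest before installing
(added example; all products, payloads and manifest contents are constructed).

A compromised download or auto-update server can substitute a file, but it
cannot make that file match a digest pinned from a separately obtained,
already signature-checked manifest. The check also refuses rollbacks, since
serving an older, vulnerable version is another supply-chain trick.
"""
import hashlib
import hmac

# Constructed sample payloads standing in for real installer bytes.
GENUINE_5_32 = b"genuine cleanup-tool 5.32.0 installer bytes"
GENUINE_5_33 = b"genuine cleanup-tool 5.33.0 installer bytes"
TAMPERED_5_33 = GENUINE_5_33 + b"\x00 injected payload"   # what a trojanised build would look like


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed release manifest: one "product version sha256" entry per line.
# Assumed to have been fetched via a separate channel and signature-verified
# before being handed to parse_manifest().
MANIFEST_TEXT = f"""# product version sha256
cleanup-tool 5.32.0 {sha256_hex(GENUINE_5_32)}
cleanup-tool 5.33.0 {sha256_hex(GENUINE_5_33)}
"""


def parse_manifest(text: str) -> dict:
    """Map (product, version) -> hex digest; malformed lines are an error, not ignored."""
    pinned = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or len(parts[2]) != 64:
            raise ValueError(f"manifest line {lineno} malformed: {raw!r}")
        product, version, digest = parts
        pinned[(product, version)] = digest.lower()
    return pinned


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def check_update(product: str, version: str, payload: bytes,
                 installed_version: str, pinned: dict):
    """Return (accepted, reason). Reject rollbacks, unpinned releases and digest mismatches."""
    if version_tuple(version) <= version_tuple(installed_version):
        return False, f"{product} {version} is not newer than installed {installed_version}; rollback refused"
    expected = pinned.get((product, version))
    if expected is None:
        return False, f"{product} {version} has no pinned digest; refusing to install"
    actual = sha256_hex(payload)
    # Constant-time comparison; digest comparison is not where a timing leak matters
    # much, but it is the habit worth keeping for any secret-adjacent comparison.
    if not hmac.compare_digest(actual, expected):
        return False, f"{product} {version} digest mismatch (got {actual[:12]}..., pinned {expected[:12]}...)"
    return True, f"{product} {version} verified (sha256 {actual[:12]}...)"


if __name__ == "__main__":
    pinned = parse_manifest(MANIFEST_TEXT)
    for label, payload, version in [("genuine", GENUINE_5_33, "5.33.0"),
                                    ("tampered", TAMPERED_5_33, "5.33.0"),
                                    ("unpinned", GENUINE_5_33, "5.34.0")]:
        ok, reason = check_update("cleanup-tool", version, payload, "5.32.0", pinned)
        print(f"{label:9s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
```

The design point is that the digest the installer trusts never travels with the update it is checking; if both come from the same compromised server, the check proves nothing. Whether the out-of-band anchor is a signed manifest, a vendor-published hash page fetched over a different path, or an internal allow-list maintained by the deployment team, the verification logic stays the same.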

Cyber war games simulate the experience of a real cyber-attack, enabling organisations to test their cyber response procedures, capabilities and governance in a safe and controlled environment.

Cyber war games differ from traditional penetration testing, which typically looks for vulnerabilities in IT systems, networks and websites. Cyber war games are a much more involved exercise, aimed at testing an organisation’s overall response to a cyber incident, including the decision making of senior managers and the effectiveness of communications.

War games use specially developed scenarios – like a malware or spear phishing attack – to simulate an attack. Simulations can be a simple ‘table top’ exercise or a full-blown simulation. The former would see participants briefed on the attack scenario, whereas participants in a simulation are given very little information and have to work through problems as they arise.

The exercise should, however, be cross-functional, involving IT, risk management, business continuity, legal, corporate communications, marketing and customer care. This helps build relationships in advance of a cyber incident and tests the flow of information, including an organisation’s ability to share information effectively and quickly, both internally and externally.

Companies can employ a third party to design and run the war game on their behalf. War games can involve an organisation’s key business partners, suppliers and contractors, while incorporating third-party services, including breach response, crisis management and even insurance.

WHY JLT


We are aware that you have a choice of who represents you, so why choose JLT?

  • We stay close to the pulse of the vibrant London insurance market and leverage our relationships and knowledge
  • Our deep technical knowledge means that we do not accept any insurer's standard policy form and will work tirelessly to ensure you receive a differentiated result
  • Claims advocacy is a vital part of our offering to clients. We link it to placing and wording to ensure that clients receive a full circle and joined up approach. Our claims advocates will provide you with tailored policy wordings, advising you about notification and coverage, and work with you and your insurers to achieve successful resolution of all claim-related matters
  • We host training workshops and establish regular meetings with clients
  • We create content that highlights the latest risk trends and aims to simplify concepts that may seem confusing to individuals with limited experience in technology. This includes our monthly newsletter, Cyber Decoder, in-depth whitepapers as well as a wide range of educational videos and materials
  • We know we can’t do it all (penetration testing, incident response drilling, technical security advice) and so we seek unique partnerships, to bring you cutting edge solutions.

CYBER LOSS

RETAIL DATA BREACH

In 2014 one of the largest US-based retailers suffered a data breach in which it saw 109 million records exposed, including 50 million of its customers’ credit card numbers and email addresses. The five-month-long attack on the company’s payment terminals highlighted the cyber security vulnerabilities retailers face on account of the point-of-sale systems used at branches. The loss is estimated to cost the company USD 1 billion.

Costs to the company would include notification and credit monitoring costs for those customers affected by the breach. Costs would also include regulator investigation expenses and possible fines, non-compliance fines from the payment card industry, forensic investigation, crisis management and PR consultants, as well as defence expenses and settlements.