Michael Barba and Jeff Hall discuss the most pressing cyber-threats facing retailers and what companies can do in the event of a cyber breach, data loss or claim. Mr. Barba is a managing director and Mr. Hall is a senior manager with BDO Consulting.
2. Technology – Connecting the world…
• 9 billion connected devices, predicted to rise to 24 billion by 2020
• If Facebook were a country, it would be the 3rd largest in the world
• Facebook kicks off over 1,000 users per day because they are too young
• In 2011, more video was uploaded to YouTube in a two-month period than if ABC, CBS, and NBC had been airing new content 24/7/365 since 1948
4. Recent Studies
2013 Trustwave Global Security Report
• Retail industry made up 45% of data breach investigations studied (15% increase from 2011)
• E-commerce sites were the #1 targeted asset, accounting for 48% of all investigations
Symantec
• Cumulative bill for cyber crimes in 24 countries totaled $388 billion last year
• 431 million adults experienced some form of cyber crime last year, equating to nearly 1.2 million people per day or 14 per second
5. Why Should Retailers Be Concerned?
• Retail industry is now the top target for cybercriminals
• Annual U.S. retail e-commerce spending has surged 143% since 2004 to $161.52 billion last year. In fact, a report from IRMG indicates that internet/mobile shopping increased 15% in 2013.
• Early estimates indicate that 20% of the upcoming holiday sales will be online
• E-commerce attacks are emerging as a growing trend, surpassing the number of point-of-sale attacks
• Financial cost of a cyber attack is higher for businesses that sell products on the front-end, such as retailers
• The SEC is pushing to require that companies disclose data breaches in their financial statements
6. What Must Retailers Protect?
• Credit card information
• Private employee data
• Intellectual property
• Customer information
• Reputation and good will
• Confidential business information
7. How Breaches Occur
• Criminal act by outsider
• Vendor error
• Human error
• Technology failure
• Employee misconduct
9. What are the options for handling the risk?
• Retain – Keep the risk within the organization
• Allocate – Involve counsel to shift risk to suppliers and business partners
• Transfer – Transfer the risk to another entity
11. Costs
Types
• Hard
• Soft
• Time
Retail companies see much more significant costs around cyber attacks.
According to Neustar’s May 2012 report:
• 65% of businesses said a site outage would cost them up to $10,000 an hour
• 21% said it would cost $50,000/hour
• 13% would lose $100,000/hour
12. What Do You Know About Your Data?
Location
• Cloud
• Physical environment
• Is your data co-located?
Service Level Agreements
• Breach notification
Law enforcement considerations need to be addressed:
• Requests to maintain secrecy or limit knowledge
• Maintaining control of the investigation
Communications with insurers presumably are not privileged
13. Actions Following a Breach
Functional Steps: Deploy, Preserve, Identify, Notify
DEPLOY AN INCIDENT RESPONSE TEAM
• IT Director
• CIO
• Human Resources
• Legal
• Internal or external security experts
PRESERVE SYSTEM LOGS
• Date, time, duration, and location of breach
14. Actions Following a Breach (Continued)
IDENTIFY THE FOLLOWING
• How was the breach discovered?
• By whom?
• Any additional details:
  • Entry and exit points
  • Compromised systems
  • Data deleted vs. modified vs. viewed
• Identify and understand details of the affected data
NOTIFY
• Public relations
• Insurance carrier
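The preserve and identify steps above, as an added example that is not part of the original presentation or BDO's tooling: a Python script that copies the logs the incident response team must keep, hashes each copy with SHA-256, records the breach facts the slides list (date, time, duration, location, how and by whom it was discovered, entry and exit points, compromised systems, whether data was deleted, modified or viewed), and writes a manifest whose own hash makes later tampering with either the evidence or the record detectable. The sample log lines, host names, addresses and the incident record are constructed for illustration.

```python
"""Evidence preservation after a suspected breach (added example, not BDO
code). Copies logs, hashes the copies, records incident facts and writes a
self-hashed chain-of-custody manifest. Sample data below is constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (the per-file evidence hash)."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(logs: dict, incident: dict, collector: str) -> dict:
    """Manifest for logs (name -> bytes); manifest_sha256 covers all other fields."""
    body = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collected_by": collector,
        "incident": incident,
        "files": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in sorted(logs.items())
        },
    }
    body["manifest_sha256"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
    return body


def manifest_intact(manifest: dict) -> bool:
    """Recompute the manifest hash to detect edits to the record itself."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode()) == manifest.get("manifest_sha256")


def verify_logs(logs: dict, manifest: dict) -> list:
    """Names of files missing or whose hash no longer matches; [] means intact."""
    return sorted(name for name, rec in manifest["files"].items()
                  if name not in logs or sha256_hex(logs[name]) != rec["sha256"])


def read_logs(directory: str) -> dict:
    """Read every regular file in a directory (the manifest excluded)."""
    logs = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name != "manifest.json" and os.path.isfile(path):
            with open(path, "rb") as f:
                logs[name] = f.read()
    return logs


def preserve_logs(src_dir: str, evidence_dir: str, incident: dict, collector: str) -> dict:
    """Copy logs off the live system, then hash the copies (not the originals)."""
    os.makedirs(evidence_dir, exist_ok=True)
    for name, data in read_logs(src_dir).items():
        with open(os.path.join(evidence_dir, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(read_logs(evidence_dir), incident, collector)
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


# Constructed sample data: hostnames, addresses and times are invented.
SAMPLE_LOGS = {
    "pos-terminal-07.log": b"2013-11-02T03:14:07Z pos-07 outbound TLS to 198.51.100.23:443 (unexpected)\n",
    "web-app.log": b"2013-11-02T03:10:55Z POST /checkout user=guest status=500\n",
}
SAMPLE_INCIDENT = {
    "discovered_at": "2013-11-02T09:30:00Z",
    "discovered_by": "payment processor fraud alert",
    "duration_estimate": "approx. 6 hours",
    "location": "store 07 POS segment and e-commerce checkout",
    "entry_exit_points": ["checkout form (entry)", "pos-07 outbound TLS (exit)"],
    "compromised_systems": ["pos-terminal-07", "web-app-01"],
    "data_state": "card data viewed; no deletion or modification observed",
}


def demo() -> dict:
    """Preserve the sample logs into a temp evidence dir and verify from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        live, evidence = os.path.join(tmp, "live"), os.path.join(tmp, "evidence")
        os.makedirs(live)
        for name, data in SAMPLE_LOGS.items():
            with open(os.path.join(live, name), "wb") as f:
                f.write(data)
        preserve_logs(live, evidence, SAMPLE_INCIDENT, "IR team lead")
        with open(os.path.join(evidence, "manifest.json")) as f:
            manifest = json.load(f)
        assert manifest_intact(manifest) and verify_logs(read_logs(evidence), manifest) == []
        return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, sort_keys=True))
```

The hashes are taken over the copies rather than the live files, so the manifest describes exactly what was preserved. A SHA-256 manifest only proves integrity relative to the copy you already trust, so the manifest and evidence directory belong on storage the intruder could not reach (write-once media, or an account outside the compromised environment).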
15. Insurance Recovery Considerations in the Face of a Security Breach or Data Loss or Claim
Timely notice of claim (claims made and reported?)
Involvement of counsel (internal & external) to review how coverage may respond. Consent to incur prudent or necessary expenses may be required:
• Costs of the crisis stage or legal compliance, such as breach notification, credit monitoring, call center, and forensics, are the vast majority of the expense on per-record figures ($194/record)
• Defense expenses (private claims, regulatory claims)
Communications with insurers presumably are not privileged
“Labeling” of first-party costs/categorization
16. Who Provides Services Around Cyber Risk?
• Preventative/proactive assessment
• Technology/data analytics
• Legal
• Data hosting/monitoring
• Forensic accounting
• Public relations
17. CONTACT
Michael Barba, CISSP, CPP, DFCP, CNE, EnCE
Managing Director, BDO USA, LLP
mbarba@bdo.com
212-885-8120
Jeff Hall
Senior Manager, BDO USA, LLP
jhall@bdo.com
212-885-7339