Search      Advanced Search | Browse By Topic
Magazine Content
Home
Features
Columnists
Industry Risk Reports
In-Depth Series
Special Reports
Point/Counterpoint
R&I One® Content
News & Analysis
Editor's Choice Stories
Resources and Tools
Power Broker® Directory
Risk InnovatorTM
Emerging Risks
Top Employee Benefits Consultant
Executives To Watch
Insights
Industry Events
WorkersComp Forum
Award Nominations
Webinars
RSS
R&I Information
Subscription Center
Advertiser Information
About Us
Contact Us
 

Newsletter Sign-up

Click on the name of the free newsletter below to preview:

R&I One®
WORKERSCOMP Forum TM Update
HTML Text
E-Mail Address:


Click here to unsubscribe
Privacy Policy
Preferences
 

The Front Lines of the Cyberwar: Retail

The Front Lines of the Cyberwar: Retail | Risk & Insurance Retailers focus more on loss prevention than risk transfer, according to survey. Are risk managers involved then?

Print Email Add to Facebook Add to Twitter Add to LinkedIn Write to the Editor Reprints

By MATTHEW BRODSKY, senior editor/Web editor

Who should know best about cyberliability and ways to mitigate it? You would think those risk managers in the industry perhaps most exposed to digital data and online exposures: the retail industry. Insurance brokerage Aon recently attempted to distill the experience and practices of 25 of these retail risk managers (including those at firms that do not use Aon as a broker).

The resulting survey covered other issues besides cyberliability, but some of the most intriguing findings dealt with e-exposures. For instance, 59 percent of respondents said they do not purchase cyberliability insurance and instead rely on loss prevention measures.

"I wasn't really surprised," said Len Churnetski, managing director of Aon's retail practice.

STANDARDS SET HIGH

Why? Retailers have tough outside standards to meet, such as the Payment Card Industry (or PCI) Data Security Standards, which were established by the credit card industry to protect its customers' private data, according to Churnetski.

Then came the T.J. Maxx incident, when a loss from a data breach snowballed into the hundreds of millions in losses for the discount-store operator. It caught everyone by surprise, said Churnetski.

Now board members at retail firms are going down to their IT departments and saying, "Hey, we are complying with all these standards, aren't we?" said Churnetski.

Retail risk managers concern themselves with their in-house IT security and also must make sure their vendors are meeting the PCI standards. If not, they might even induce them to purchase cyberliability insurance.

"That's what drives them to decide, 'Well, do we need some kind of risk transfer for this exposure, or have we absolutely done everything to make certain that we have the best possible standards in place?' " said Churnetski.

The broker added that Aon is coaching retail clients to consider risk transfer as an alternative and has seen increased interest in proposals and quotes for coverage.

But he still understands the retailers' loss-prevention-first mindset. After all, even if a retailer has insurance to cover a cyberbreach, an event would still damage its organization--say, with a hit to its reputation.

MORE SURPRISES

Churnetski was surprised and amazed by the level of effort that goes into protecting data and the talent that retailers have in-house to do it--though oftentimes, it's not the risk manager he was talking about.

Without naming names of course, Churnetski mentioned one retail risk manager he's spoken with who told him that, when it came to IT, "I have no idea what we have in place internally."

At another retailer, though, Churnetski found out that the risk manager had a seat on the company's privacy council. That retailer views customer data as "sacred," said Churnetski.

"They really drive it through the organization," the broker said.

January 19, 2009

Copyright 2009© LRP Publications
 
 
 
 
 
 
 
 
 
 
 
RISK logo
 

Back to top

Entire contents copyright © 2013 Risk and Insurance® All rights reserved. May not be reproduced in any form without written permission.