By CYRIL TUOHY, managing editor of Risk & Insurance®
With credit transaction volumes spiking and retailers ringing up surging sales this holiday season, the question isn't whether their computer networks will be breached -- they will.
The question isn't even if retailers can defend themselves against extortionists and network shutdowns with iron-clad defenses -- they can't, particularly with take-up rates for network risk coverage still relatively low.
The real question for retailers is how far contractual governance with vendors/suppliers will dictate who bears the liability and the amount of indemnity at stake in the event of a network "break-in."
"More revenue being generated per hour creates the potential to lose more per hour should the network go down from a distributed denial of service (DDoS) attack," said Brian J. Branner, managing director of insurance with Risk Analytics, an Overland Park, Kan., network security and insurance firm. "Same goes for the number of credit-card transactions."
Many small companies with whom big retailers do business -- credit-card processors or inventory management subcontractors, for example -- often have limited coverage with narrowly defined indemnity provisions in case of mishaps, Branner said.
Other retail industry suppliers and vendors go with no coverage at all, either because a supplier has not suffered a previous breach, or because coverage is too expensive, Branner said.
Because of these lapses on the part of subcontractors, retailers are sometimes on the hook and don't even know it until the network goes down, the retailer suffers a denial-of-service attack, and the retailer and the vendor end up in a dispute over a claim.
Beth Diamond, a claims manager with the specialist insurer Beazley, said that "40 percent of what we do will involve vendor error." The weakest links in the transaction chain come from human errors, losing a laptop computer or misplacing backup drives, for example.
Retailers collect mountains of data from online or in-store transactions. Customers give stores their credit card numbers, security codes and home addresses. Employees also give retailers loads of information, from Social Security numbers to personal details, which are entered into a database when employees apply for jobs.
"A number of retailers will believe that they can lean on a vendor, but sometimes the vendor is more powerful than the retailer and they don't want to pay," Diamond said. "Others say we don't have any money or we're at a breaking point."
Branner recommends retailers carry a separate network liability policy of their own, and not rely solely on the policy of a vendor. Point-of-service machines should also transmit over dedicated encrypted lines, he said.
He also said retailers were pushing back on their service providers for better and more specific indemnification and better insurance to back the indemnification in case of a breach.
"Carriers can be very good at managing their own exposures to an insured's loss through the exclusions and the sublimits," Branner said. Risk managers should request that there be "no sublimits for anything."
"They paid for the policy and it should respond with the full limit," he said.
He also advised risk managers to insist that terrorism exclusions not apply to acts of foreign governments, as many "crimeware command and control" sites are located in foreign countries.
"Avoid policy coverage triggers that require one of the state breach laws to be broken," he said. "Just because a particular state doesn't classify a particular exposure of information as 'a breach' and therefore doesn't mandate notification to the public, doesn't mean it isn't a good idea to voluntarily notify the public anyway."
Spikes in transaction volumes tend to increase the risk of breakdowns in safety and loss prevention because of higher demands placed on seasonal employees and computer networks, said Richard C. Betterley, principal of Betterley Risk Consultants Inc.
Retail risk managers should think about insurance coverage for fines imposed by credit-card companies in the event of a data breach, he said. Risk managers should also consider foreign notifications coverage, which covers retailers that notify customers abroad of a data breach.
"Some of the policies are not clear," Betterley said. "I would want my carrier to answer the question, 'Would voluntary foreign notifications be covered?'"
So far, 2011 is shaping up to be a banner retail season. Cyber Monday, the Monday after Thanksgiving when people shop online from computers, saw online traffic surge 43 percent over the Monday after Thanksgiving last year, according to a report citing figures from content delivery network Akamai.
Online sales were up 33 percent this year over Cyber Monday 2010, according to IBM Smarter Commerce. Cyber Monday mobile sales reached 6.6 percent, up from 2.3 percent in 2010, IBM Smarter Commerce also said.
A separate survey conducted on behalf of the National Retail Federation found that 28.7 million people shopped online and at stores on Thanksgiving Day, up from 22.2 million last year.
Sales from the five weeks from Thanksgiving to the end of the year represent more than 40 percent of the income generated by retailers during the entire year.
December 5, 2011
Copyright 2011© LRP Publications