Target as Target
After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.
However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.
In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.
Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.
“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.
Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.
“I would still say it’s so much better to get it right the first time,” he said.
Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.
Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.
In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”
A key turning point came on Jan. 13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction.
Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”
Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was shorter than in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.
“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.
Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.
Other positive steps include Target’s $5 million investment in cyber security education, said Michael Soza, a partner in accounting and consulting firm BDO.
“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.
As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.
But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.
“Those are the ones where the trust has really been lost,” Korschun said.
Cyber Trolls Menace Reputation and Revenue
Cyber attacks aren’t always the immediately quantifiable attacks of old, in which hackers steal customer data, sites are harried by denial-of-service attacks and computer networks are compromised and hijacked.
A new breed of orchestrated campaigns dubbed “troll attacks” is now in the mix.
These attacks, which feature organized disinformation campaigns augmented by social media posts, create an atmosphere of chaos and economic disruption, and can have ripple effects on a company’s reputation and a downstream impact on revenue.
A recent New York Times story by Adrian Chen details one source for such attacks. A pro-Kremlin company called the Internet Research Agency in St. Petersburg, Russia, faked a story on Sept. 11, 2014, about a chemical plant explosion in St. Mary Parish, La., which is a center for numerous chemical companies.
When word of the bogus disaster spread, there was extensive concern online, enflamed by fictional eyewitness accounts on Twitter about the plant explosion and fire.
According to a whitepaper published in May 2015 by Hays Cos., cyber attacks were once mostly about individuals stealing money or data but now some attacks are about “brand terrorism” that can create an environment of chaos and economic disruption.
“Our clients have seen various types of malicious or mischievous activity, although not to the extent described in the New York Times article,” said Dave Wasson, cyber liability practice leader for Hays Cos., based in Chicago.
“The Internet has provided incredible transparency for sharing information on an anonymous basis and that can often be viewed as one of the best attributes of the Internet. But that transparency cuts both ways in that the Internet provides an equal transparency for sharing misinformation.”
Simon Milner, a broker with Miller Insurance in London, began working in the cyber space nearly 20 years ago and says troll attacks have relatively low frequency but are potentially damaging “blunt instruments.”
Former Soviet Republics — Russia, Estonia, and Latvia — are behind many of these orchestrated efforts, as detailed in the New York Times investigation, he said.
“If the Russians want to convince the Western world that something dreadful has happened, they could pretty much hoodwink the world.”
“I don’t necessarily believe that reputation and revenue can be fully distinguished,” added Wasson.
“Consumers will choose companies they trust and part of that trust is the company’s security. The math underlying reputational harm is very difficult to measure.
“For public companies, we have stock prices, although that certainly doesn’t make valuation easy. It’s still more difficult to measure the financial impact of a diminished reputation for a privately held, nonprofit, or government entity.”
So what insurance solutions should risk managers look for? That depends on the potential exposure, according to James Murtaugh, managing director for BDO Consulting, based in New York City.
Coverage for any kind of cyber attack might fall under a wide variety of policies, including business interruption, GL, property, E&O, D&O and EPLI, depending on how the event affected the company’s revenue and reputation.
He noted that cyber-specific coverages have a shorter waiting period but the loss can be more substantial in a shorter period of time.
“With cyber attacks, the numbers could be too big, in the billions of exposure,” he said.
“Every cyber loss is a very complicated event.”
There are also challenges when trying to explain to the C-suite how troll attacks might impact a company financially, said Murtaugh, who specializes in calculating maximum foreseeable losses from business interruption claims, particularly related to supply chains.
He advises risk managers to use enterprise risk management (ERM) language to treat reputation risk the same as any property peril, and to get away from the notion that this is all IT-related, because it is not.
“We’re seeing the turning point where people are still definitely uncomfortable about their exposure but understand they have to get more comfortable about it instead of keeping their heads in the sand,” said Michael Born, vice president of global technology and privacy practice for Lockton Cos., based in Kansas City, Mo.
“They need to get their arms around it, and have discussions about what are the exposures [and] what they can do about it. It’s becoming more of a discussion because of the [overall] discomfort about the topic of cyber risks.”
Whether such attacks could harm an individual company’s reputation enough to impact revenue is the open question.
For Born, naming the perils in a troll attack could consist of a media attack (either planted stories on real media or all-out fake media sites), bogus social media posts and fake websites.
“The [cyber] exposures that we’re talking about are changing so fast that it’s hard to keep up with them even when you’re in the business 24/7,” said Born, who advises companies to look for consulting firms that provide constant vigilance over online reputation and business intelligence.
“For a company not in the business of cyber security, it’s very, very difficult to keep up with all that stuff.”
“In the event that there was an attack by a Russian-backed troll organization,” Milner said, “our products would pay for a PR consultancy to rehab the image of the policyholder and should there be a significant BI loss, that would also be covered.”
Finally, how can risk managers protect against such attacks, aside from insurance?
Wasson advises high-profile companies — those that are involved in critical infrastructure or have controversial political, religious or ideological stances or activities — to plan for malicious troll attacks as they would for any business continuity, disaster recovery or incident response.
“It doesn’t currently seem that an entity can materially change their exposure to this risk, so the two main things an entity can do are prepare their response plan and, onerous as it may be, treat all information assets as mission-critical,” he said.
“There are certain tools a company can use to check if they are being mentioned on the dark web, but it’s not a given that dark web chatter will precede such an event.”
The Quality Assurance Journey
Not too long ago, if you were planning a trip, you would buy a map or an atlas and draw out the route you would take. If you continued to drive this route repeatedly, you might discover better ways to avoid a heavily congested area or take advantage of a new highway.
Similarly, a third party administrator (TPA) draws on years of experience to develop best practices for claims handling, discovering better routes and avoiding areas of delay. Payers trust their TPA to formalize these best practices, and to develop a Quality Assurance (QA) program that helps ensure claims are effectively managed. Like a roadmap, a QA program tracks the journey to the desired destination.
With today’s technology, a cumbersome map is replaced with a GPS; just follow the step-by-step instructions. Sometimes the technology works flawlessly, and other times, it doesn’t deliver the best route.
Likewise, many QA programs have developed a checklist mentality, listing the steps to take. Such QA programs typically involve a small team reviewing a limited number of claims to ensure that key standards are consistently applied. While important, this doesn’t necessarily guarantee claims are optimally handled, or uncover ways to improve claim workflows and performance.
A New Process
Helmsman Management Services LLC, a third-party claims administrator and a member of Liberty Mutual Insurance, began to re-examine its QA program with the help of its clients several years ago. In doing so, they developed a new methodology that is a welcome departure from robotic checklist behavior.
“Our QA program dives deeper to find actionable ways we can improve claims outcomes, the performance of claims professionals, and the entire claims management process,” noted Mark Siciliano, vice president and managing director of Helmsman Management Services. “We conduct more in-depth reviews on a higher volume of claims – more than 80,000 each year – at key points in the lifecycle. We involve over 800 field claims professionals and engage individual claims handlers and their managers through an online dashboard that reports performance and highlights opportunities to improve performance through additional training and coaching.”
The new approach to QA was successful, enabling Helmsman to improve the overall quality of its clients’ claims by eight points in 2014. In fact, 92.7 percent of the claims Helmsman managed met or exceeded the TPA’s service standards in the fourth quarter of 2014, up from 84.5 percent in the first quarter of that year.
“Re-engineering our QA program and moving it beyond the standard industry checklist approach took our claims management from really good to great,” said Siciliano. “And, it is helping us drive further improvements.”
One of the reasons for that improvement is that Helmsman’s QA process keeps adjustors focused on what works best.
“We looked at the common characteristics of really great outcomes and worked backwards,” said Siciliano. “We found that when our claims professionals start with an empathetic approach, they are better able to connect with the injured employee and deliver better outcomes, both for the claimant and her or his employer.”
Like blindly following GPS instructions, a claims professional can easily fall into a pattern of completing tasks and forget that an injured person may be experiencing a very challenging time in their life. Helmsman trains its claims professionals to treat the injured worker as if they are dealing with a family member. It’s not just asking questions and moving through a checklist; it’s answering an injured worker’s questions, providing important information, and doing so with a level of compassion.
Once a conversation has begun and the injured worker is more at ease, the claims professional can ask questions beyond what might be in the process to really understand the injury, the individual, and the claim, and to find that best route to the ultimate destination of return to work. This inquisitive nature of the claims professional also allows for early discovery of any specific challenges in the claim – such as co-morbid conditions or psycho-social issues – paving the way for intervention to get the claim back on track.
“We call it humanistic common sense,” said Siciliano. “We know we have to ask the tough questions and protect our clients’ financial interests, but when we do so through a positive and supportive lens, it permeates throughout the entire process, facilitating the journey.”
Building a relationship with medical providers using this same approach can also assist the claim.
In the case of light duty restrictions, instead of ‘check’ and move on after the initial call with the treating physician, Helmsman asks for more details on what the injured worker can do, and helps the physician understand the claimant’s duties and the temporary jobs available. Helmsman might ask the doctor to join them for a site visit to better understand the work environment.
As a result, light duty jobs become gainful and meaningful work for the injured worker because they are tailored to their capabilities.
“We’re not just asking for medical information and work capacity; we’re actually working with our clients and the physicians to create a return-to-work environment that works for the injured worker, employer, and physician,” said Siciliano.
Evolution of Change
A QA program that delivers a high level of value to the employer and improves outcomes for the injured worker is just the beginning. QA is more than a program—it’s a process. Quality assurance programs are critical for tracking and improving performance. It’s a continuous cycle of training, learning, client feedback, and process improvement.
“Our enhanced QA program helps us better service our clients, but we know it’s an ongoing process,” said Siciliano. “Our continuous improvement process is built around the investment that we put in our people, systems, and technology. It’s also a response to the changing landscapes around us, and how well we adapt to them.”
As a result, quality assurance programs are not working towards just a destination; they’re working towards the evolution of change, and how risk managers, brokers, and TPAs respond to it. The QA process becomes that journey.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Helmsman Management Services. The editorial staff of Risk & Insurance had no role in its preparation.