Target as Target
After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.
However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.
In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.
Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.
“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.
Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.
“I would still say it’s so much better to get it right the first time,” he said.
Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.
Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.
In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”
A key turning point came on Jan. 13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction.
Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”
Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was faster than it’s been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.
“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.
Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.
Other positive steps include Target’s $5 million investment in cyber security education, said Michael Soza, a partner in accounting and consulting firm BDO.
“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.
As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.
But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.
“Those are the ones where the trust has really been lost,” Korschun said.
Reputational Risk – What Is It? Can We Manage It?
Reputational risk is a category unto itself in the enterprise risk management basket. Everyone knows what it means — it’s common sense, right?
Something bad happens and your company or institution gets trashed in the press or on social media. There could be some fallout; sometimes it happens immediately and sometimes the fallout takes years to emerge.
As risk managers, we may often feel there is nothing we can do to address it until it happens — after all, how can we predict what the public and media will do? But, the more important questions are, why does it happen and how can we prevent it?
I would like to posit the idea that most reputational risks arise when the behavior or actions of the company or institution (or their employees) are not aligned with either its stated values or what the public thinks its values ought to be.
The solution is therefore quite simple: Practice what you preach. Follow the rules and play fairly.
If an organization consistently and completely aligns its actions with its stated or expected values, even a wrongful act by a rogue employee is mitigated when the organization can demonstrate that the act was unprecedented and the employee was truly a loose cannon.
If only it were as easy as it is simple. I’ll illustrate using an example from higher education.
The public and Congress believe that universities should keep students safe and that they should fight sex discrimination. Most institutions have statements of non-discrimination based on gender and statements on harassment prevention.
In addition, the Higher Education Act, Title IX and its subsequent and related reenactments, revisions, regulations and guidance require that institutions not discriminate based on sex and stipulate how they must respond to reports of sexual assault or harassment.
Failure on the part of many institutions to do this has resulted in more than 280 investigations by regulators, lower admission applications for some institutions and increased regulation for the industry overall.
This often boils down to compliance. Baylor University has been in the news quite recently over this — their policies said that they would responsibly investigate and manage claims of sexual assault filed by students.
But when allegations involved star athletes, they backed down, prevented their Title IX coordinator from doing her job and protected the athletes instead of the victims. The scandal (reputational risk) has resulted in the ousting of coaches, athletes and even the president of the university, as well as multiple claims and litigation.
Root cause: the institution’s actions did not align with their stated policies and values.
The greater the incongruence between what the organization says it will do vs. what happens, the greater the reputational risk and likely fallout. Compliance gaps in organizations are the harbingers of reputational risk as well as compliance risk.
Risk managers need to be aware of these gaps and build them into the ERM process for the success and reputation of our organizations.
Mind the Gap in Global Logistics
Manufacturers and shippers are going global.
As inventories grow, shippers need sophisticated systems to manage it all, and many companies choose to outsource significant chunks of their supply chain management to contracted providers. A recent survey by market research firm Transport Intelligence reveals that outsourcing outnumbers nearshoring in the logistics industry by 2:1. In addition, only 16.7 percent of respondents stated they are outsourcing fewer logistics processes today than they were three years ago.
Those providers in turn take more responsibilities through each step of the bailment process, from processing, packaging and labeling to transportation and storage. Spending in the U.S. logistics and transportation industry totaled $1.45 trillion in 2014 and represented 8.3 percent of annual gross domestic product, according to the International Trade Administration.
“Traditionally these outside parties provided one phase of the supply chain process, perhaps transportation, or just warehousing. Today many of these companies are extending their services and product offerings to many phases of supply chain management,” said Mike Perrotti, Senior Vice President, Inland Marine, XL Catlin.
Such companies are known as third-party logistics (3PL) providers, or even fourth-party logistics (4PL) providers. They could provide transportation, storage, pick-n-pack, processing or consolidation/deconsolidation.
As the provider’s logistics responsibilities widen, their insurance needs grow.
“In the past, the underwriters would piecemeal together different coverages for these logistics providers. For instance, they might take a motor truck cargo policy, and attach a warehouse form, a bailee’s form, other inland marine products, and an ocean cargo form. You would have most of the exposures covered, but when you start taking different products and bolting them together, you end up with gaps,” said Alexander McGinley, Vice President, US Marine, XL Catlin.
A comprehensive logistics form can close those gaps, and demand for such a product has been on the rise over the past decade as logistics providers search for a better way to manage their range of exposures.
A Complementary Package
XL Catlin’s Logistics Services Coverage Solutions takes a holistic approach to the legal liability that 3PL providers face while a manufacturer’s stock is in their care, custody and control.
“A 3PL’s legal liability for loss or damage from a covered cause of loss to the covered property during storage, packaging, consolidation, shipping and related services would be insured under this comprehensive policy,” McGinley said. “It provides peace of mind to both the owner of the goods and the logistics provider that they are protected if something goes wrong.”
In addition to coverage for physical damage, the logistics solution also provides protection from cyber risks, employee theft and contract penalties, and from emerging exposures created by the FDA Food Modernization Act.
This coverage form, however, only protects 3PL companies’ operations within the U.S., its territories and possessions, and Canada. Many large shippers also have an international arm that needs the same protection.
XL Catlin’s Ocean Cargo Coverage Solutions product rounds out the logistics solution with international coverage.
While Ocean Cargo coverage typically serves the owner of a shipment or their customers, it can also be provided to the internationally exposed logistics provider to cover the cargo of others while in their care, custody, and control.
“This covers a client’s shipment that they’re buying from or selling to another party while it’s in transit, by any type of conveyance, anywhere in the world,” said Andrew D’Alessio, National Ocean Cargo Product Leader, XL Catlin. “When provided to the logistics company, they in turn insure the shipment on behalf of the owner of the cargo.”
The international component provided by ocean cargo coverage can also eliminate clients’ fears over non-compliance if admitted insurance coverage is purchased. Through its global network, XL Catlin is uniquely positioned as a multi-national insurer to offer locally admitted coverages in over 200 countries.
A Developing Need
The approaching holiday season demonstrates the need for an insurance product that manages both domestic and international logistics exposures.
In the final months of the year, lots of goods will be shipped to the U.S. from major manufacturing nations in Asia. Transportation providers responsible for importing these goods may require two policies: ocean cargo coverage to address risks to shipments outside North America, and a logistics solution to cover risks once goods arrive in the United States or Canada.
“These transportation providers are expanding globally while also shipping throughout the U.S. That’s how the need for both domestic and international logistics coverage evolved. Until now there have been few solutions to holistically manage their exposures,” D’Alessio said.
In another example, D’Alessio described one major paper provider that expanded its business from manufacturing to include logistics management. In this case, the paper company needed coverage as a primary owner of a product and as the bailee managing the goods their clients own in transit.
“That manufacturer has a significant market share of the world’s paper, producing everything from copy paper to Bible paper, wrapping paper, magazine paper, anything you can think of. Because they were so dominant, their customers started asking them to arrange freight for their products as well,” he said.
The global, multi-national paper company essentially launched a second business, serving as a transportation and logistics provider for their own customers. As the paper shipments changed ownership through the bailment process, the company required two totally different types of insurance coverage: an ocean cargo policy to cover their interests as the owner and producer of the product, and logistics coverage to address their exposures as a transportation provider while they move the products of others.
“As a bailee, they no longer own the products, but they have the care, custody, and control for another party. They need to make sure that they have the appropriate insurance coverage to address those specific risks,” McGinley said.
“From a coverage standpoint, this is slowly but surely becoming the new standard. A logistics form on the inland marine side, combined with an international component, is becoming something that a sophisticated client as well as a sophisticated broker should really be asking for,” McGinley said.
The old status quo method of bolting on coverage forms or additional coverages as needed won’t suffice as global shipping needs become more complex.
With one underwriting solution, the marine team at XL Catlin can insure 3PL clients’ risks from both a domestic and international standpoint.
“The two products, Ocean Cargo Coverage Solutions and Logistics Service Coverage Solutions, can be provided to the same customer to really round out all of their bailment, shipping, transportation, and storage needs domestically and around the globe,” D’Alessio said.
The information contained herein is intended for informational purposes only. Insurance coverage in any particular case will depend upon the type of policy in effect, the terms, conditions and exclusions in any such policy, and the facts of each unique situation. No representation is made that any specific insurance coverage would apply in the circumstances outlined herein. Please refer to the individual policy forms for specific coverage details. XL Catlin, the XL Catlin logo and Make Your World Go are trademarks of XL Group Ltd companies. XL Catlin is the global brand used by XL Group Ltd’s (re)insurance subsidiaries. In the US, the insurance companies of XL Group Ltd are: Catlin Indemnity Company, Catlin Insurance Company, Inc., Catlin Specialty Insurance Company, Greenwich Insurance Company, Indian Harbor Insurance Company, XL Insurance America, Inc., and XL Specialty Insurance Company. Not all of the insurers do business in all jurisdictions nor is coverage available in all jurisdictions. Information accurate as of December 2016.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with XL Catlin. The editorial staff of Risk & Insurance had no role in its preparation.