Target as Target
After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.
However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.
In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.
Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.
“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.
Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.
“I would still say it’s so much better to get it right the first time,” he said.
Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.
Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.
In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”
A key turning point came on Jan. 13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction.
Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”
Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was faster than it’s been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.
“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.
Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.
Other positive steps include Target’s $5 million investment in cyber security education, said Michael Soza, a partner in accounting and consulting firm BDO.
“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.
As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.
But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.
“Those are the ones where the trust has really been lost,” Korschun said.
Manage Expectations, Manage Reputation
The art of managing reputation risk really comes down to shaping the expectations of shareholders, customers, vendors, creditors and investors.
“Not an easy thing to do,” said Nir Kossovsky, chief executive officer, Steel City Re, speaking at the annual RIMS conference in San Diego on April 12.
“Managing expectations involves behavioral economics – shaping what people expect from you and then meeting those expectations.”
He said expectations typically revolve around six key areas: safety, ethics, quality, security, sustainability and innovation. Failing to meet any of those expectations creates vulnerability for a company, opening up an opportunity for shareholders or special interest activists to come after the board of directors as the culpable party.
Increasingly, directors and officers are the true casualties of reputation damage.
Dissatisfied customers or partners know that “the court of public opinion is much more effective than the court of law,” Kossovsky said, so they will bring allegations against the board and force a public response.
The best way to mitigate reputation risk, then, is to proactively communicate the board’s awareness of a company’s exposures, and acknowledge its duties to deliver on expectations related to the six key areas.
“Communication is critical,” said Todd Marumoto, director of risk management, Mattel, Inc. “There needs to be some sense of a plan for how the board will respond to a reputation event.”
Without a quick response, the silence is filled by the white noise of unsubstantiated opinion, Kossovsky said. That weakens the board’s credibility.
“Facts are available without much of a down payment. Allegations brought against the board don’t necessarily have to be true and can’t always be validated.”
Conflicting expectations make reputation risk management even harder.
Customers expect, for example, near impossible standards of quality and customer service, while shareholders expect strong profit and growth, and creditors expect swift payment.
While many believe that marketing and press coverage can be the tool for the messaging needed to mold expectations through public perception, the most effective way to mitigate reputation risk is through enterprise risk management that strives for excellence, the speakers said.
In other words, expectations should be set by a company’s performance.
Kossovsky offered the example of BP, which claimed to be “beyond petroleum.”
Despite impressive initiatives to use cleaner energy, BP was still, in fact, heavily reliant on petroleum. The Deepwater Horizon spill of 2010 sparked so much anger because people expected BP to be above such environmentally dangerous accidents.
ExxonMobil, on the other hand, acknowledged to its shareholders that a spill was always a real threat, but demonstrated the steps it was taking to minimize the risk. Shareholders thus had more realistic expectations of the company and are harder to disappoint.
Presenting to the C-Suite
Risk managers can bring the importance of reputation risk to the C-suite’s attention by demonstrating its financial impact.
“Expenses could come from having to replace a vendor, from a government penalty, litigation and class action lawsuits, or having to implement a new management process,” Marumoto said.
Overall, costs associated with remediating a reputational event can be two to seven times higher than costs related to the operational failure that caused the reputation damage in the first place.
“It affects every line item of the P&L,” Kossovsky said.
The impact on D&O effectiveness will also certainly grab senior management’s attention.
“A typical board member makes about $250,000 per year to sit on the board for a term usually of about three years, and he’s usually sitting on three different boards,” Kossovsky said.
“He’s looking at a personal loss of over $2 million” if a reputational hit leads to him being asked to step down from those boards.
According to Marumoto, risk managers can influence outcomes of a reputational event by working internally with investor relations and marketing to ensure the company is sending a consistent message, and to develop a coordinated response plan.
“Ultimately, you have to be responsible for all things that pass in front of you,” he said. “Partner with vendors you trust, be transparent in your efforts to mitigate risks, and develop relationships with government agencies.
“With reputation risk, it’s not always about right or wrong, but about getting the right outcome to satisfy shareholders and customers.”
Helping Investment Advisers Hurdle New “Customer First” Government Regulation
This spring, the Department of Labor (DOL) rolled out a set of rule changes likely to raise issues for advisers managing their customers’ retirement investment accounts. In an already challenging compliance environment, the new regulation will push financial advisory firms to adapt their business models to adhere to a higher standard while staying profitable.
The new proposal mandates a fiduciary standard that requires advisers to place a client’s best interests before their own when recommending investments, rather than adhering to a more lenient suitability standard. In addition to increasing compliance costs, this standard also ups the liability risk for advisers.
The rule changes will also disrupt the traditional broker-dealer model by pressuring firms to do away with commissions and move instead to fee-based compensation. Fee-based models remove the incentive to recommend high-cost investments to clients when less expensive, comparable options exist.
“Broker-dealers currently follow a sales distribution model, and the concern driving this shift in compensation structure is that IRAs have been suffering because of the commission factor,” said Richard Haran, who oversees the Financial Institutions book of business for Liberty International Underwriters. “Overall, the fiduciary standard is more difficult to comply with than a suitability standard, and the fee-based model could make it harder to do so in an economical way. Broker dealers may have to change the way they do business.”
As a consequence of the new DOL regulation, the Securities and Exchange Commission (SEC) will be forced to respond with its own fiduciary standard, which will tighten up its regulations to even the playing field and create consistency for customers seeking investment management.
Because the SEC relies on securities law while the DOL takes guidance from ERISA, there will undoubtedly be nuances between the two new standards, creating compliance confusion for both Registered Investment Advisors (RIAs) and broker-dealers.
To ensure they adhere to the new structure, “we could see more broker-dealers become RIAs or get dually registered, since advisers already follow a fee-based compensation model,” Haran said. “The result is that there will be likely more RIAs after the regulation passes.”
But RIAs have their own set of challenges awaiting them. The SEC announced it would beef up oversight of investment advisors with more frequent examinations, which historically were few and far between.
“Examiners will focus on individual investments deemed very risky,” said Melanie Rivera, Financial Institutions Underwriter for LIU. “They’ll also be looking more closely at cyber security, as RIAs control private customer information like Social Security numbers and account numbers.”
Demand for Cover
In the face of regulatory uncertainty and increased scrutiny from the SEC, investment managers will need to be sure they have coverage to safeguard them from any oversight or failure to comply exactly with the new standards.
In collaboration with claims experts, underwriters, legal counsel and outside brokers, Liberty International Underwriters revamped older forms for investment adviser professional liability and condensed them into a single form that addresses emerging compliance needs.
The new form for investment management solutions pulls together seven coverages:
- Investment Adviser E&O, including a cyber sub-limit
- Investment Advisers D&O
- Mutual Funds D&O and E&O
- Hedge Fund D&O and E&O
- Employment Practices Liability
- Fiduciary Liability
- Service Providers D&O
“A comprehensive solution, like the revamped form provides, will help advisers navigate the new regulatory environment,” Rivera said. “It’s a one-stop shop, allowing clients to bind coverage more efficiently and provide peace of mind.”
Ahead of the Curve
The new form demonstrates how LIU’s best-in-class expertise lends itself to the collaborative and innovative approach necessary to anticipate trends and address emerging needs in the marketplace.
“Seeing the pending regulation, we worked internally to assess what the effect would be on our adviser clients, and how we could respond to make the transition as easy as possible,” Haran said. “We believe the new form will not only meet the increased demand for coverage, but actually creates a better product with the introduction of cyber sublimits, which are built into the investment adviser E&O policy.”
The combined form also considers another potential need: cost of correction coverage. Complying with a fiduciary standard could increase the need for this type of cover, which is not currently offered on a consistent basis. LIU’s form will offer cost of correction coverage on a sublimited basis by endorsement.
“We’ve tried to cross product lines and not stay siloed,” Haran said. “Our clients are facing new risks, in a new regulatory environment, and they need a tailored approach. LIU’s history of collaboration and innovation demonstrates that we can provide unique solutions to meet their needs.”
For more information about Liberty International Underwriters’ products for investment managers, visit www.LIU-USA.com.
Liberty International Underwriters is the marketing name for the broker-distributed specialty lines business operations of Liberty Mutual Insurance. Certain coverage may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds and insureds are therefore not protected by such funds. This literature is a summary only and does not include all terms, conditions, or exclusions of the coverage described. Please refer to the actual policy issued for complete details of coverage and exclusions.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.