Target as Target
After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.
However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.
In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.
Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.
“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.
Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.
“I would still say it’s so much better to get it right the first time,” he said.
Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.
Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.
In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”
A key turning point came on Jan. 13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction.
Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”
Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was shorter than it has been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.
“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.
Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.
Other positive steps include Target’s $5 million investment in cyber security education, said Michael Soza, a partner in accounting and consulting firm BDO.
“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.
As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.
But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.
“Those are the ones where the trust has really been lost,” Korschun said.
Cyber Trolls Menace Reputation and Revenue
Cyber attacks aren’t always the immediately quantifiable attacks of old, in which hackers steal customer data, sites are harried by denial-of-service attacks and computer networks are compromised and hijacked.
A new breed of orchestrated campaign dubbed “troll attacks” is now in the mix.
These attacks, which feature organized disinformation campaigns augmented by social media posts, create an atmosphere of chaos and economic disruption, and can have ripple effects on a company’s reputation and a downstream impact on revenue.
A recent New York Times story by Adrian Chen details one source for such attacks. A pro-Kremlin company called the Internet Research Agency in St. Petersburg, Russia, faked a story on Sept. 11, 2014, about a chemical plant explosion in St. Mary Parish, La., which is a center for numerous chemical companies.
When word of the bogus disaster spread, there was extensive concern online, inflamed by fictional eyewitness accounts on Twitter about the plant explosion and fire.
According to a whitepaper published in May 2015 by Hays Cos., cyber attacks were once mostly about individuals stealing money or data but now some attacks are about “brand terrorism” that can create an environment of chaos and economic disruption.
“Our clients have seen various types of malicious or mischievous activity, although not to the extent described in the New York Times article,” said Dave Wasson, cyber liability practice leader for Hays Cos., based in Chicago.
“The Internet has provided incredible transparency for sharing information on an anonymous basis and that can often be viewed as one of the best attributes of the Internet. But that transparency cuts both ways in that the Internet provides an equal transparency for sharing misinformation.”
Simon Milner, a broker with Miller Insurance in London, began working in the cyber space nearly 20 years ago and says troll attacks have relatively low frequency but are potentially damaging “blunt instruments.”
Former Soviet Republics — Russia, Estonia, and Latvia — are behind many of these orchestrated efforts, as detailed in the New York Times investigation, he said.
“If the Russians want to convince the Western world that something dreadful has happened, they could pretty much hoodwink the world.”
“I don’t necessarily believe that reputation and revenue can be fully distinguished,” added Wasson.
“Consumers will choose companies they trust and part of that trust is the company’s security. The math underlying reputational harm is very difficult to measure.
“For public companies, we have stock prices, although that certainly doesn’t make valuation easy. It’s still more difficult to measure the financial impact of a diminished reputation for a privately held, nonprofit, or government entity.”
So what insurance solutions should risk managers look for? That depends on the potential exposure, according to James Murtaugh, managing director for BDO Consulting, based in New York City.
Coverage for any kind of cyber attack might fall under a wide variety of policies, including business interruption, GL, property, E&O, D&O and EPLI, depending on how the event affected the company’s revenue and reputation.
He noted that cyber-specific coverages have a shorter waiting period but the loss can be more substantial in a shorter period of time.
“With cyber attacks, the numbers could be too big, in the billions of exposure,” he said.
“Every cyber loss is a very complicated event.”
There are also challenges when trying to explain to the C-suite how troll attacks might impact a company financially, said Murtaugh, who specializes in calculating maximum foreseeable losses from business interruption claims, particularly related to supply chains.
He advises risk managers to use enterprise risk management (ERM) language to treat reputation risk the same as any property peril, and to get away from the notion that this is all IT-related, because it is not.
“We’re seeing the turning point where people are still definitely uncomfortable about their exposure but understand they have to get more comfortable about it instead of keeping their heads in the sand,” said Michael Born, vice president of global technology and privacy practice for Lockton Cos., based in Kansas City, Mo.
“They need to get their arms around it, and have discussions about what are the exposures [and] what they can do about it. It’s becoming more of a discussion because of the [overall] discomfort about the topic of cyber risks.”
Whether such attacks could harm an individual company’s reputation enough to impact revenue is the open question.
For Born, naming the perils in a troll attack could consist of a media attack (either planted stories on real media or all-out fake media sites), bogus social media posts and fake websites.
“The [cyber] exposures that we’re talking about are changing so fast that it’s hard to keep up with them even when you’re in the business 24/7,” said Born, who advises companies to look for consulting firms that provide constant vigilance over online reputation and business intelligence.
“For a company not in the business of cyber security, it’s very, very difficult to keep up with all that stuff.”
“In the event that there was an attack by a Russian-backed troll organization,” Milner said, “our products would pay for a PR consultancy to rehab the image of the policyholder and should there be a significant BI loss, that would also be covered.”
Finally, how can risk managers protect against such attacks, aside from insurance?
Wasson advises high-profile companies — those that are involved in critical infrastructure or have controversial political, religious or ideological stances or activities — to plan for malicious troll attacks as they would for any business continuity, disaster recovery or incident response.
“It doesn’t currently seem that an entity can materially change their exposure to this risk, so the two main things an entity can do are prepare their response plan and, onerous as it may be, treat all information assets as mission-critical,” he said.
“There are certain tools a company can use to check if they are being mentioned on the dark web, but it’s not a given that dark web chatter will precede such an event.”
Detention Risks Grow for Traveling Employees
It used to be that most kidnapping events were driven by economic motives. The bad guys kidnapped corporate employees and then demanded a ransom.
These situations are always very dangerous and serious. But the bad guys’ profit motive helps ensure the safety of their hostages in order to collect a ransom.
Recently, an even more dangerous trend has emerged. Governments, insurgents and terrorist organizations are abducting employees not to make money, but to gain notoriety or for political reasons.
Without a ransom demand, an involuntarily confined person is referred to as ‘detained.’ Each detention event requires a specialized approach to try and negotiate the safe return of the hostage, depending on the ideology or motivation of the abductors.
And the risk is not just faced by global corporations but by companies of all sizes.
“Practically any company with employees traveling abroad or operations overseas can be a target for a detention risk,” said Tom Dunlap, assistant vice president at Liberty International Underwriters (LIU). “Whether you are setting up a foreign operation, sourcing raw materials or equipment overseas, or trying to establish an overseas sales contract, people are traveling everywhere today for so many reasons.”
Emerging Threats Driven By New Groups Using New Tools
Many of the groups who pose the most dangerous detention threats are well versed in how to use the Internet and social media for PR, recruiting and communication. ISIS, for example, generates worldwide publicity with their gruesome videos that are distributed through multiple electronic channels.
Bad guys leverage their digital skills to identify companies and their employees who conduct business overseas. Corporate websites and personal social media often provide enough information to target employees who are working abroad.
And if executives are too well protected to abduct, these tools can also be used to identify and target family members who may be less well protected.
The many new groups that pose the most dangerous risks are generally classified into three categories:
Insurgents – Detentions by these groups are most often intended to keep a government or humanitarian group from delivering services or aid to certain populations, usually in a specific territory, for political reasons. They also take hostages to make a political statement and, on occasion, will ask for a ransom.
In other cases, insurgent groups detain aid workers in order to provide the aid themselves (to win over locals to their cause). They also attempt prisoner swaps by offering to trade their hostages for prisoners held by the government.
The most dangerous groups include FARC (Colombia), ISIS (Syria and Iraq), Boko Haram (Nigeria), Taliban (Pakistan and Afghanistan) and Al Shabab (Somalia).
Governments – Often use detention as a way to hide illegal or suspect activities. In Iran, an American woman was working with Iranian professors to organize a cultural exchange program for Iranian students. Without notice, she was arrested and accused of subversion to overthrow the government. In a separate incident, a journalist was thrown in jail for not presenting proper credentials when he entered the country.
“Government allegations against detainees vary but in most cases are unfounded or untrue,” said Dunlap. “Often these detentions are attempts to prevent the monitoring of elections or conducting inspections.”
Even local city and town governments present an increased detention risk. In one recent case, a local manager of a foreign company was arrested in order to try and force a favorable settlement in a commercial dispute.
Ideology-driven terrorists – Extremist groups such as Boko Haram and ISIS are grabbing most of today’s headlines with their public displays of ultra-violence and unwillingness to compromise. The threat from these groups is particularly dangerous because their motives are based on pure ideology and, at the same time, they seek media exposure as a recruiting tool.
These groups don’t care who they abduct – journalist, aid worker, student or private employee – they just need hostages.
“The main idea here is to shock people and show how governments and businesses are powerless to protect their citizens and employees,” observed Dunlap.
Mitigating the Risks
Even if no ransom demands are made, an LIU kidnap and ransom policy will deliver benefits to employers and their employees encountering a detention scenario.
For instance, the policy provides a hostage’s family with salary continuation for the duration of their captivity. For a family who’s already dealing with the terror of abduction, ensuring financial stability is an important benefit.
In addition, coverage provides for security for the family if they, too, may be at risk. It also pays for travel and accommodations if the family, employees or consultants need to travel to the detention location. Then there are potential medical and psychological care costs for the employee when they are released as well as litigation defense costs for the company.
LIU coverage also includes expert consultant and response services from red24, a leading global crisis management assistance firm. Even without a ransom negotiation to manage, the services of expert consultants are vital.
“We have witnessed a marked increase in wrongful detentions involving the business traveler. In some regions of the world wrongful detentions are referred to as ‘business kidnappings.’ The victim is often held against their will because of a business dispute. Assisting a client who falls victim to such a scheme requires an experienced crisis management consultant,” said Jack Cloonan, head of special risks for red24.
Without coverage, the fees for experienced consultants can run as high as $3,000 per day.
Given the growing threat, it is more important than ever to be well versed about the country your company is working in. Threats vary by region and country. For example, in some locales safety dictates always calling for a cab instead of hailing one off the street. And in other countries it is never safe to use public transportation.
LIU’s coverage includes thorough pre-travel services, which are free of charge. As part of that effort, LIU makes its crisis consultants available to collaborate with insureds on potential exposures ahead of time.
Every insured employee traveling or working overseas can access vital information from the red24 website. The site contains information on individual countries or regions and what a traveler needs to know in terms of security/safety threats, documents to help avoid detention, and even medical information about risks such as pandemics.
“Anyone who is a risk manager, security director, CFO or an HR leader has to think about the detention issue when they are about to send people abroad or establish operations overseas,” Dunlap said. “The world is changing. We see many more occasions where governments are getting involved in detentions and insurgent/terrorist groups are growing in size and scope. It’s the right time for a discussion about detention risks.”
For more information about the benefits LIU kidnap and ransom policies offer, please visit the website or contact your broker.
Liberty International Underwriters is the marketing name for the broker-distributed specialty lines business operations of Liberty Mutual Insurance. Certain coverage may be provided by a surplus lines insurer. Surplus lines insurers do not generally participate in state guaranty funds and insureds are therefore not protected by such funds. This literature is a summary only and does not include all terms, conditions, or exclusions of the coverage described. Please refer to the actual policy issued for complete details of coverage and exclusions.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.