Target as Target
After fumbling its initial response to a massive data breach, Target Corp. has rebounded, according to experts in crisis management.
However, they said, the retailer still faces challenges in regaining consumer confidence, especially among people directly harmed by the cyber attack, which struck at the height of the holiday shopping season.
In late November and early December, malware lodged in the retailer’s point-of-sale system siphoned off account and personal information for up to 110 million customers. But Minneapolis-based Target is not the only company that may have been struck. Luxury retailer Neiman Marcus suffered a smaller breach, and news reports suggest at least six other retailers have been hit. These other companies likely are keeping a close eye on Target’s handling of the crisis.
Critics have focused, in part, on the company’s early communications. Target appeared initially to underestimate the gravity of the situation, crisis consultants said. For example, Target’s first message to customers apologized for the inconvenience.
“You don’t call something like this an inconvenience,” said Rich Klein, a crisis management consultant in New York City.
Subsequent messages from Target used stronger language, acknowledging customers’ stress and anxiety, he said. Messages also switched from assuming customer confidence to promising to regain it, Klein added, praising the change.
“I would still say it’s so much better to get it right the first time,” he said.
Still, he added, the company made good use of its Twitter feed and Facebook page. Facebook, for example, was used only to communicate about the breach, not to advertise sales, though it also acted as something of a lightning rod for complaints.
Consultants also panned the company’s decision to extend a 10 percent discount to shoppers during the weekend of Dec. 21, a few days after news of the breach first surfaced. While the discount was a nice gesture, it did not adequately address customer concerns and seemed to suggest the crisis had passed, consultants said.
In addition, the company has occasionally appeared to be behind the news, with information trickling out in the media before being revealed by Target, said Jeff Jubelirer, vice president of Philadelphia-based Bellevue Communications Group. “We should expect more from a retailer of that size and that reputation and that level of success.”
A key turning point came on Jan.13 when the company’s CEO, Gregg Steinhafel, appeared on CNBC, apologizing for the breach, reassuring customers and defending the company’s reaction:
Steinhafel should have been giving interviews in December, said Jonathan Bernstein, an independent crisis management consultant in Los Angeles. “They would have suffered less loss of sales and less impact on their stock value if they had been more assertive from the get-go.”
Other observers gave Target high marks for making a relatively quick disclosure of the breach and offering a free year of credit monitoring to customers. The four-day gap between discovery of the breach on Dec. 15 and public disclosure on Dec. 19 was faster than it’s been in other cases, said Alysa Hutnik, an attorney in the Washington, D.C. office of Kelley Drye.
“I haven’t done the math, but I think that would rate somewhere at the very top,” said Hutnik, who specializes in cyber security issues.
Another high point is the prominent role of Target’s CEO, Hutnik said. “He knows there’s work to be done to earn back customer trust, and it looks like he is taking that obligation seriously,” she said, noting that top executives rarely serve as public faces after a data breach.
Other positive steps include Target’s $5 million investment in cyber security education said Michael Soza, a partner in accounting and consulting firm BDO.
“This latest move … is really going on the offensive to show that they really are trying to get out in front of this thing and really attack what is not just a Target problem,” Soza said.
As long as no other damaging details leak out, most customers will remain loyal to the chain, said Daniel Korschun, an assistant professor of marketing at Drexel University in Philadelphia.
But the company will have to work harder to win back customers who suffered directly. They will be hard to find and hard to soothe, especially if they’ve had to spend hours on the phone undoing damage to their credit or bank accounts.
“Those are the ones where the trust has really been lost,” Korschun said.
Risk Managers Rank Global Risks
Damage to brand and reputation is the No. 1 risk facing companies today, according to Aon’s 2015 Global Risk Management Survey.
“There’s a lot behind that which is driving that [ranking],” said Theresa Bourdon, group managing director, Aon Global Risk Consulting.
One of those factors is cyber risk, which for the first time in the survey’s history, since 2007, jumped into the top 10 risks, coming in at No. 9. It had been 18 in the last survey, which is taken every two years.
“If you talk to our clients, that’s no surprise,” she said. “The frequency is very low for these cyber events but it is obviously increasing.”
And, just as obviously, there is a correlation between cyber events and brand. Just look at Target, which is still struggling to regain its footing after the personal information of about 110 million of its customers was stolen in 2013.
According to U.S. Reputation Leaders Network, Target’s reputation saw its biggest drop after the cyber attack – and it was the largest drop of any U.S. company from 2013 to 2014, according to an article in “The Street.”
The remaining top 10 risks are: economic slowdown/slow recovery; regulatory/legislative changes; increasing competition; failure to attract or retain key talent; failure to innovate/meet customer needs; business interruption; third party liability; and property damage.
Other key movement in the rankings were the inclusion of property damage, which moved up to No. 10, from 17 in 2013; and third party liability, which had been 13 but moved up to 8.
One risk that dropped off as a top 10 risk was commodity price risk. It had been 8 in 2013, and moved down to 11 in the 2015 survey.
Bourdon said that one risk that remains top of mind for risk managers is regulatory and legislative issues. “It’s consistently a top 3 risk,” she said, noting that it was projected to remain so when risk managers were asked to project their top risks three years from now.
“Organizations are really challenged to respond to the pace at which regulations are coming,” she said. “There is a strong need for governance and a compliance framework.”
That risk, also, she said, relates to the reputational and brand damage that a company can suffer.
As for cyber, one surprising finding of the study — which surveyed 1,400 risk decision-makers in 28 industry sectors in 60 countries — was that 82 percent of the respondents said their companies were ready for a cyber attack, Bourdon said.
At the same time, 58 percent of the respondents said their companies have not done an internal assessment of their cyber risk exposure.
“Realistically speaking, this is relatively new territory that everybody is trying to get their arms around, organizations, insurance companies and those of us who are risk advisers,” she said.
“The goal for the industry as you look at these risks today and in the future is, how are we going to innovate and support these risks.”
Cyber, in particular, needs solutions, she said. “There is not enough insurance out there for the demand.”
Risk managers understand they need more data and analytics to “help them navigate this world” of increasingly complex risks, she said.
More risk managers, Bourdon said, are looking at their organizations holistically and not just focusing on insurance purchasing.
“It’s a much bigger and challenging role than it ever used to be and if you are using the same tools and techniques you were using 10 years ago, then you are not leading your organization down the right path.”
Making the Marine Industry SAFE
When it comes to marine based businesses there is no one-size-fits-all safety approach. The challenges faced by operators are much more complex than land based businesses.
The most successful marine operators understand that success is dependent on developing custom safety programs and then continually monitoring, training and adapting.
After all, it’s not just dollars at stake but the lives of dedicated crew and employees.
The LIU SAFE Program: Flexible, Pragmatic and Results Driven
Given these high stakes, LIU Marine is launching a new initiative to help clients proactively identify and address potential safety risks. The LIU SAFE Program is offered to clients as a value added service.
“The LIU SAFE program goes beyond traditional loss control. Using specialized risk assessment tools, our risk engineers function as consultants who gather and analyze information to identify potential opportunities for improvement. We then make recommendations customized for the client’s business but that also leverage our knowledge of industry best practices,” said Richard Falcinelli, vice president, LIU Marine Risk Engineering.
It’s the combination of deep expertise, extensive industry knowledge and a global perspective that enables LIU Marine to uniquely address their client’s safety challenges. Long experience has shown the LIU Risk Engineering team that a rigid process will not be successful. The wide variety of operations and safety challenges faced by marine companies simply cannot be addressed with a one-size-fits-all approach.
Therefore, the LIU SAFE program is defined by five core principles that form the basis of each project.
“Our underwriters, risk engineers and claims professionals leverage their years spent as master mariners, surveyors and attorneys to utilize the best project approach to address each client’s unique challenges,” said Falcinelli.
The LIU SAFE Program in Action
When your primary business is transporting dry and liquid bulk cargo throughout the nation’s complex inland river system, safety is always a top concern.
The risks to crew, vessels and cargo are myriad and constantly changing due to weather, water conditions and many other factors.
SCF Marine, a St. Louis-based inland river tug and barge transportation company and part of the Inland River Services business unit of SEACOR Holdings Inc., understands what it takes to operate successfully in these conditions. The company strives for a zero incident operating environment and invests significant time and money in pursuit of that goal.
But when it comes to marine safety, all experienced mariners know that no one person or company has all the answers. So in an effort to continually find ways to improve, SCF management approached McGriff, Seibels & Williams, its marine broker, to see if LIU Marine would be willing to provide their input through an operational review and risk assessment.
The goal of the engagement was clear: SCF wanted to confirm that it was getting the best return possible on its significant investment in safety management.
Using the LIU SAFE framework, LIU’s Risk Engineers began by sending SCF a detailed document request. The requested information covered many aspects of the SCF operation, including recruiting and hiring practices, navigation standards, watch standing procedures, vessel maintenance standards and more.
Following several weeks of document review the LIU team drafted its preliminary report. Next, LIU organized a collaborative meeting at SCF’s headquarters with all of the latter’s senior staff, along with McGriff brokers and LIU underwriters. Each SCF manager gave an overview of their area of responsibility and LIU’s preliminary findings were reviewed in depth. The day ended with a site visit and vessel tour.
“We sent our follow-up report after the meeting and McGriff let us know that it was well received by SCF,” Falcinelli said. “SCF is so focused on safety; we are confident that they will use the information gained from this exercise to further benefit their employees and stakeholders.”
“It was probably one of the most comprehensive efforts that I’ve ever seen undertaken by a carrier’s loss control team,” said Baxter Southern, executive vice president at McGriff, which also is based in St. Louis. “Through the collaborative efforts of all three parties, it was determined that SCF had the right approach and implementation. The process generated some excellent new concepts for implementation as the company grows.”
In addition to the benefits of these new concepts, LIU gained a much deeper understanding of SCF’s operations and is better positioned to provide ongoing loss control support.
“Effective safety management is about being focused and continuously improving, which requires complete commitment from top management,” Falcinelli added. “SCF obviously is on a quest for safety excellence with zero incidents as the goal, and has passed that philosophy down to its entire workforce.”
“SCF’s commitment to the process along with LIU’s expertise was certainly impressive and a key reason for the successful outcome,” Southern concluded.
There are many other ways that the SAFE program can help clients address safety risks. To learn more about how your company could benefit, contact your broker or LIU Marine.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Liberty International Underwriters. The editorial staff of Risk & Insurance had no role in its preparation.