The Secret Service and the Department of Homeland Security recently warned more than 1,000 retailers that they were probably being hacked with the same malware that hit Target last year. The Chicago Tribune reports that the “Backoff” virus was more widespread than initially thought. The virus, which scrapes credit card data at the point-of-sale, is difficult for retailers to detect and many businesses aren’t yet able to monitor for it.
The DHS is urging retailers to get in touch with their anti-virus vendors in order to get the right systems into place as soon as possible, and recommends additional measures, such as implementing systems to ensure consumer and credit card data are always encrypted wherever the data lives on the network.
Cyber security will continue to be a serious issue for retailers large and small. Groups like the National Retail Federation (NRF) and the Retail Industry Leaders Association (RILA) have put together large consortiums, think tanks, and initiatives to pool information and resources to get effective solutions out to retailers as quickly as possible.
The NRF’s information sharing platform, and RILA’s Cybersecurity and Data Privacy Initiative are good resources for retailers who need more information on what they can do to protect their data and their customers’ data. RILA’s initiative seeks to strengthen overall cybersecurity, improve payment security, and address consumer privacy issues. Both programs are big and far-reaching, but fighting hackers requires quick and nimble action.
As the industry searches for and develops new methods for security, retailers will have to find new ways to ensure the safety of their transactions and data. Retailers might want to take some advice directly from Target – in his testimony before the Senate Committee on Commerce, Science & Transportation in March 2014, John Mulligan, executive vice president and chief financial officer for Target, reviewed some of the actions Target was taking to ensure the safety of customer records. Target is currently:
- Reviewing security across its network, segmenting and separating key portions of the network by using firewalls and limiting unauthorized traffic.
- Strengthening anti-virus tools and whitelisting, or limiting the type of transactions that can run on a Target cash register.
- Initiating stricter authentication on the networks that Target uses, upgrading to two-factor authentication for entry into the system.
Target was also the first retailer to join the Financial Services Information Sharing and Analysis Center, and is changing over to chip technology for its payment system.
Solutions for retailers of all sizes
Keeping your organization safe from hackers is a massive undertaking. From your servers down to every cash register in every store, it’s expensive, time-consuming, and ever-changing, requiring constant vigilance. And, as Mr. Mulligan pointed out, even if your company is certified as being compliant with the more than 300 independent items in a Payment Card Industry Data Security Standards assessment – as Target was – you are still susceptible to widespread hacking.
Consider the exposure you have if your cash registers are hacked, or your servers breached. Are you insured for these breaches? Does your policy even cover hacking and cyber crimes under their current definitions? Review your coverage with your agent, and understand what types of liabilities are covered – will your policy cover reimbursement for every customer who was affected by the breach? The lawsuits filed against you by customers? The lawyers you’ll have to hire, and the consultants you’ll need to on-board to fix the problems?
If you feel like your coverage isn’t enough, consider an enterprise risk captive – feel free to contact us if we can provide more information for you. A captive can help cover your company in the case of cyber crimes, or it can assist you with the high deductibles you may have with your current commercial policy.