Cyber Insurance and why do Grocery Retailers need it?
Mercatus Radio presents the Digital Grocer - Episode #6
In this episode, Sylvain Perrier explains why grocery retailers need to step up their security measures. He recounts his first experience as a vendor in dealing with retailer cybercrime going back well over 10 years at BJ’s Wholesale Club.
Sylvain highlights why retailers need to be cautious. The retail industry is now the top target for cyber criminals. As the “2018 Trustwave Global Security Report” observes, the North American retail sector suffered the most breach incidents of any industry in 2017 (16.7%), followed by the finance and insurance industry (13.1%) and hospitality (11.9%).
What can grocery retailers do about the increasing number of cyberattacks? It’s impossible to be 100% secure, but there are steps grocery retailers can take to mitigate risk and reduce the impact of a cyberattack. Sylvain introduces listeners to the world of cyber insurance, which can be very complex to navigate. Helping decipher this world is studio guest and cyber insurance expert, Robert Harrison, an insurance executive with Martin Merry and Reid, based in Toronto.
Sylvain Perrier: Welcome ladies and gentlemen to the Mercatus podcast, Digital Grocer, episode six. We’re recording right here in Mercatus HQ. I’m your host, Sylvain Perrier, president and CEO of Mercatus. And joining me in studio today is Mercatus’ very own senior director of marketing, Mark Fairhurst.
Mark Fairhurst: Hello everyone.
Sylvain Perrier: And our trusted sound engineer, at the board, Kevin Glenn.
Kevin Glenn: How’s it going?
Sylvain Perrier: So guys, we have, I would say, an amazing subject today to talk about. Certainly one that sends chills of fear into the hearts and the minds of the grocery retailers that are out there listening to our show as well as their service providers and it’s what I like to call, cyber insurance. In this day and age when you’re operating a technology company or a retailer whether it’s a small regional chain or a big box retailer, you can’t exist without some form of cyber insurance and some form of protection. We are in the digital age. It’s even more so if you’re a vendor that’s doing SaaS, software as a service or PaaS. It’s kind of an odd word to use, PaaS, platform as a service.
Sylvain Perrier: Before we kind of get into the subject and I want to talk about a real world example, right around, not necessarily cyber insurance but what I think may be the origin of kind of this whole notion of the industry of cyber insurance. You guys have read the news of large banks and large retailers that have succumbed to cyber attacks or have quite frankly, have had to deal with breaches of some sort of private information being leaked.
Mark Fairhurst: Absolutely. And it seems to be getting more prevalent as we go forward.
Sylvain Perrier: Yeah, and I think this is going to be the future in terms of information warfare. It’s not necessarily battles may not be fought on a field with muskets or guerrilla warfare. We’ve unfortunately learned in the Korean War and kind of evolving into some of the more modern wars that we’ve seen. Think of Sony. The PlayStation network being attacked. Sony, their movie division as well.
Mark Fairhurst: Yep. It being held hostage.
Sylvain Perrier: Being held hostage. Yeah, exactly. We still don’t know who it was but there’s been claims it was the North Koreans that orchestrated that. There’s also been Target on more than one occasion. TJ Maxx, that was a huge one back in the early 2000s or maybe late 2000s. There’s also been countless other ones. And I’ve actually, you guys may not know this, but at the periphery I actually lived through the tail end of a cyber attack and I can kind of share that with you guys.
Sylvain Perrier: This is many, many, years ago. It’s over a decade ago. Previous company of mine was a service provider to an amazing retailer located in the United States, BJ’s Wholesale Club. Great retailer. We were responsible, my organization, for building data collection kiosks for them, with touchscreens. And specifically for collecting employee and customer feedback at the entrance of the store and the exit of the store. We happened to be in town with them in Natick with a prototype device. We needed to connect it to their WiFi. I’m at the original first store, just on the outskirts of the city and I’m there with their security information officer as well as one of the IT individuals and we’re connecting this to the WiFi network.
Sylvain Perrier: Most of you know, WiFi networks inside retailers are typically fairly secure. Sometimes do not operate on the same network as the POS system because of the attraction. And typically you’re supposed to have segregated VLANs. And not everyone can connect to these wireless networks. You require certain security credentials. So we’re connecting this kiosk and it’s going fairly well. And suddenly their mobile phones start ringing and they’re not answering them. Their store manager comes over said, “Hey, head office is looking for you.” And as typically happens, head office employees when they’re inside of a store, they ignore the store employees.
Sylvain Perrier: Well suddenly, their CIO walks in and they have to leave. So I’m kind of abandoned at the store and my little wooden kiosk, my little prototype. I come to find out in March of ’04, this is not even six months before we founded Mercatus, BJ’s announced to the world that they had been hit. Something like eight to nine million credit cards were stolen from someone and they weren’t necessarily disclosing. It was a pretty serious affair.
Sylvain Perrier: Now, this is post 9/11 and information theft, credit card theft, specifically in United States is treated very severely so immediately BJ’s lost the ability, actually before it was announced publicly, the ability to process credit cards from AMEX, Visa, MasterCard. The Federal Trade Commission went in to do a forensic audit, including Homeland Security, because at the time it was considered an attack against United States. Homeland Security is a joint taskforce of the FBI, the CIA and Secret Service and they were forced into immediate audits on a monthly if not quarterly basis. Us as vendor, are shrouded, we don’t know what’s happening. So no one’s returning phone calls for months.
Sylvain Perrier: Projects are abandoned. Millions of dollars are being lost. Everyone is just losing it. Now, BJ’s ended up settling with the FTC on certain charges that they did not protect what’s called PII data in ’05, including having to settle and fight a series of class action lawsuits. Was just, really, really, really crazy. It ended up being in ’09 discovered that this, if you’re a hacker and you’re in this world, if you were to hand out a Stanley Cup to someone, it would be to Albert Gonzalez who was the renowned TJ Maxx hacker who not only hit those guys but BJ’s and a bunch of retailers. He stole a 141 million credit cards.
Sylvain Perrier: This was the unfortunate thing. BJ’s was an amazing retailer to work for and when this occurred I believe they had just been bought by Bain Capital out of Boston. Bain was kind of in the throes of buying retail. So my company was working for BJ’s and Toys R Us and Guitar Center. And it was like every time we’d turn around, Bain was buying one of our clients over and over and over again. The Bain guys were scrambling, losing it. I ended up meeting some of the Bain guys on a flight back from Singapore in Boston, in call it, ’08, ’09. And so, one of the guys on the plane who introduced himself, he happened to be, he did the acquisition of BJ’s and he happened to have to deal with all of this. You’re dealing with government personnel that came out of 9/11 knowing that they failed.
Mark Fairhurst: So they’re like super vigilant now.
Sylvain Perrier: Extremely vigilant and this is a threat to the American psyche and people. If our people do not have confidence in being able to use a credit card to buy toilet paper or milk or whatever it may be, this is a significant, significant issue. And this has been rinse and repeat unfortunately. With the proliferation of technology and payment technologies and I think the reality is the credit card companies as well as the service providers and the processors have kind of caught up with respect to how to protect networks. How to make sure that we understand that data’s sensitive and kind of so on, but yet we still find cases.
Sylvain Perrier: We had a case here in Canada. It’s about a week ago with BMO and one of their kind of, is it an affiliate or some sort? I can’t remember but we’ll have to look it up. It’s a sensitive matter but I think at the same time, we as individuals, have become completely desensitized to these things.
Mark Fairhurst: You sort of expect it to happen. And you’re right, with the spread of technology in multiple dependencies and vulnerabilities just seem to be increasing.
Sylvain Perrier: Yeah. And what’s come out of this is, the world of cyber insurance, which is very complex to navigate. To help us out today, especially for our listeners out there that have no idea about cyber insurance or kind of dabbled in it or maybe in the throes of it, who knows? We’ve brought in an expert and he’s joining us in studio today. His name is Robert Harrison, he’s a CFA. And here’s one of the, he’s a CFA of CFAs, that’s what I’ve been told. He’s an insurance executive with Martin Merry and Reid. He’s been with them for over 15 years. Robert, welcome to the show.
Robert Harrison: Thank you Sylvain.
Sylvain Perrier: You’re welcome.
Robert Harrison: That was quite the expression. Please explain.
Sylvain Perrier: Yeah, so my business partner, Andrew Chang who’s equally a CFA. And so I was on the phone with him couple of evenings ago and I say, “Hey we’re going to be doing a podcast on cyber insurance and Robert’s going to be joining us.” He goes, “Do you know like he grades all the people that do the CFA exam?” And he’s like, “It’s a brutal exam. If he’s grading those papers, he’s gotta be a CFA to CFAs.” I’m like, ’cause I started to laugh.
Robert Harrison: Thank you Andrew.
Sylvain Perrier: Thank you again for joining us. Can you, for all of us that are new to cyber insurance, can you just explain to us, what is it?
Robert Harrison: Cyber insurance, first of all, it’s evolving. You talk about 2004, didn’t exist at that time. There were aspects of it, particularly in the financial services arena. Cyber insurance is coverage for foreseeable events that are unpredictable. Whether that’s somebody hacking through your system into somebody else’s. Somebody hacking your system, causing damage. Taking some of your client records. The expenses associated of finding out exactly what happened, so forensic. Some of the expenses of dealing with the regulatory environment to the extent that you’re exposed to that. So it’s a variety of things.
Robert Harrison: But insurance is the final product in a chain of events. The chain of events are, you need to know what you’re doing. You need to talk to your broker. He can help direct you to the insurer that looks to your space as an appetite to that, but your space being the industry that you’re in. And then the insurer itself who will help walk you through your preparedness and help design responses, perhaps identify weak places in your chain of events. It’s not just the policy of the insurance, it’s the whole process around it.
Sylvain Perrier: Excellent. How do you price a policy?
Robert Harrison: Well policies are priced on exposure. If you’re an organization that has 10 clients and that’s all you deal with, that seems like a fairly small exposure. However, if your 10 clients each have five million customers and you have some interaction with that, well then all of sudden you have 50 million data points of exposure at any given moment. So you price it on the basis of what those exposures are. In the United States, you need to prove some kind of loss in order to be able to collect. In Canada, it’s not the case and as well as now in Europe with their new GDPR. You just need to show that you have been exposed and then you can claim some of the regulatory responses. Whether it be credit counseling for example. Certainly notifications. That’s how you price it from what are the final events.
Robert Harrison: And then the complexity of your system will also cause some issue in terms of pricing. If you have a whole series of legacy systems and a bunch of data that’s sort of talks to each other but doesn’t, you have to plug things in over top, there’s a nice weak spot right there.
Sylvain Perrier: Okay. So, would a company like Facebook have to carry cyber insurance?
Robert Harrison: Facebook’s large enough that they would probably have, in insurance terms, a great, very large, self insured retention. They would take the greatest exposure, and I’m thinking over a 100 million, 300 million. That they would fund themselves. For them it’s a disaster kind of thing that they would look out past their ability to deal with. But yes, they would probably, remote to the initial dollar, but they would definitely have something like that. It would be inconceivable that they wouldn’t.
Sylvain Perrier: Okay. Now, we have at Mercatus, we carry cyber insurance and it’s something that we look and review at least once annually. Is that typical for some of your clients?
Robert Harrison: The annual review is required. I think that depending on your stage of development. If you are evolving, if you’re changing, if you’re adding things to your business model then no, it needs to be looked at in advance of those things. There needs to be a real relationship between broker and client. Where you’re going, what’s your developments, what’s your exposure? Where are you thinking of going?
Sylvain Perrier: Okay. Now the question I always get from retailers that are out there that are engaging with third party vendors, whether it’s on a SaaS basis or on a PaaS basis, not every grocery retailer out there is requiring cyber insurance but who does it benefit?
Robert Harrison: Cyber insurance benefits the purchaser. There is first party damages, I think I talked about somebody entering your system and damaging your system. Ransomware, that’s another first party. The expenses of trying to figure out exactly what happened and how it happened and responding to that. But also third party expenses. Through your system in somebody else’s and there damage occurring at your client, at the retailer. Whether it be credit card theft. Whether it be damage to systems or fraudulent transactions on their banking system or attempted. Third party liability is also something that’s contemplated in there.
Robert Harrison: Wordings are changing. The way that the insurance industry is looking at this is changing. It used to be from what were the events that happened? It’s now coming down to who is it that it’s affected? Is it first party? Or is it third party? And then the other bits and pieces get sort of attached all the way through, whether it be damage to systems, business interruption, i.e. you’re held ransom, you can’t do anything for a period of time, the amount of money you lose. And then of course the notification expenses, the privacy acts all over the world are requiring you to tell your clients.
Sylvain Perrier: Exactly.
Robert Harrison: Costs money to tell them, right?
Sylvain Perrier: Exactly, exactly. Now, company X has cyber insurance and is deemed to be breached and it’s discovered by one of the engineers inside the organization and they have a plethora of clients. Now, the rules change when you have cyber insurance at this point, in terms, what would you recommend this company do at that point?
Robert Harrison: First thing they ought to do is they need to talk to their privacy commissioner in whatever the jurisdiction that they exist. In today’s world, the privacy rules require that you tell the authority responsible for privacy in your jurisdiction as soon as you discover something that is likely to have impacted your clients. At the same time, and this is not done in isolation, at the same time, you need to begin immediately working with your insurer to tell them that this is what’s there. They have a suite of legal folks, technical people, adjusters, who will help you sort through what has occurred and then to develop a response. The response is in conjunction with what the regulator, the privacy commissioner tells you to do, is how to manage the fallout. Whether it be media. Whether it be damage to your reputation. Target for example, they took an enormous hit.
Sylvain Perrier: Brutal.
Robert Harrison: Brutal hit. Their business was definitely affected. And you can think back to a variety of others. It’s a combination of events that occur. But you really have to backpedal and when you begin to think about cyber, you’re beginning to put all those plans in place. And your broker and your insurer are there to help you do that because it makes sense. If an event occurs, if you’re not prepared, then you’re already behind the eight ball. And from an insurance perspective, it will cost the insurer more. The end of the day, it costs you as a business greater than, hopefully not, but greater than what happens on the insurance side of things.
Sylvain Perrier: That’s great advice. And that’s where the marketing kicks in, in terms of the PR?
Mark Fairhurst: What I’m curious about is, some organizations may be reticent to disclose a breach but those that are forward thinking and are truly respectful of their customer base, they should be empowered and marketing should support that as an endeavor in situations like this.
Robert Harrison: Oh, a 100%. In today’s world, if you’re not out in front, you can think about a slew of different things. Maple Leaf Foods, years ago they had a problem with some of their processed meats.
Mark Fairhurst: A listeriosis outbreak.
Robert Harrison: Right, exactly. And they came out immediately said, “We’re sorry. We did this. We’re going to make this up. We’re going to make sure this doesn’t happen again.” And they barely missed anything. Can’t remember the name of the pet food company in the United States that denied, denied, denied and then eventually said, “Okay.” And they went out of business.
Sylvain Perrier: That’s a really good point.
Robert Harrison: That’s not strictly related to cyber but it’s very much the same kind of issue.
Sylvain Perrier: The whole Maple Leaf example is reminiscent of Johnson and Johnson with the Tylenol contamination.
Robert Harrison: Classic example.
Sylvain Perrier: That whole, the way the CEO handled it and made the decision to pull product off shelf which cost them I think, north of a 100 million, has become a classic case in business school. How you get ahead of it by admitting you made a mistake and what you’re going to do to fix it. I think in this day and age around cyber insurance and data and breaches and stuff, I think it’s the same. If we had to impart some knowledge to our listeners out there, in the context of a retailer, what’s a few things you think you could recommend to them?
Robert Harrison: Well retail, ’cause you’re dealing with the public and all the data you collect. Who they are, where they are. You have to have an address, some kind of identifiable information. You need to know exactly at any given moment, how much data you have. Where it’s coming from and where you store it. And what you do with it when you collect it. Do you then scrub the data? Do you then turn it into a base from which you do analytics? Or do you actually target stuff to the client? If you target sales and advertising to the client, you need to be aware that that’s very clearly identifiable data. You need to be able to ring fence that. You need to be able to say to yourself, to your clients, probably as much as anybody else, and to your insurer that, “Here are the points of entry. Here are the points of exit and this is what we do to make sure that we know what’s going on.”
Robert Harrison: Clearly identified in there is if something happens, how do you ring fence the rest of the data? How do you limit the damage? And then, the process kicks in to tell people what they’re supposed to do and go from there. Really, at the end of the day, it’s a from senior management to clerk level, everybody has to be aware of data security and the sensitive nature of creating any kind of exposure. And then you put in plans from top to bottom. Cyber insurance just doesn’t, isn’t just related to cyber. If the management of your company isn’t thinking of this in advance, if they’re not making preparation, they become personally liable because they haven’t done their management due diligence. It’s not just what happens to the data, it’s how you got to that point.
Sylvain Perrier: Absolutely.
Mark Fairhurst: I just want to jump in. Sylvain, you have lots of conversations with a lot of grocery retail executives. Is this something that is keeping them up at night?
Sylvain Perrier: What keeps them up at night. Cyber insurance is a byproduct of the worry. My sense of it is, not every organization as Robert was talking, is not necessarily proactive. They are very reactive. And not all of them. The questions I get is, do you have cyber insurance? And it isn’t the question is, what are your security practices? What are your privacy practices? Do you have a security officer? Do you have somebody on your dev ops team that has been classified as being quote unquote, the security officer? And my answers are, are no different than the advice that Robert’s providing is, and I would give this exact same advice to a service provider or to a retailer. Security, privacy, data retention and today ADA compliancy, is something that needs to be embedded in the culture from the moment you step in as an employee into the business.
Sylvain Perrier: You’re conscious of the business’ practices and its raison d’être from day one. So it’s not an afterthought when you’re compiling code or accessing a system. I always say that the cyber insurance is a byproduct of that, including errors and omissions insurance which is really critical because if you’re touching third party systems, specifically retailers. And I also tell retailers, you need to look at not just what Robert’s talking about, is the inputs and the outputs of the global system that you operate, but where’s it coming from? And where’s it going? And are you leveraging third parties? And the questions I get now because Mercatus is headquartered in Toronto but we have our US subsidiary, Mercatus USA, where’s the data located? Data’s located in the United States, it stays in the United States. When we operate with Canadian clients, the data stays in Montreal at Amazon’s data center. When we’re in Europe, well it’s in Ireland. We’re very respectful of that.
Sylvain Perrier: I think it’s a combination of things that you need to do but it starts very first and foremost with culture of your business and making sure that people understand security is very, very critical. I think the companies that trip up on this, and I’m just going to put it out there for the listeners and you guys can comment on it on Twitter if you want to reach out to me, it’s @sylvainperrier. That they don’t put the customer at the center of the experience. Security’s an afterthought. Let’s go buy this system. Let’s patch it in. Let’s see how it works. Let’s connect it. Oh we forget to secure it. Oh, it’s okay, it’s using SSL. Well that’s not enough today. And you have to do, which we do today, third party security scans on a quarterly basis. In some cases we have clients that do it on a monthly basis. Yada, yada, yada. Which is all those things that you need to do to operate in this day and age. First and foremost, put the customer at the center of the experience and then layer it out through your culture.
Sylvain Perrier: Sir, it’s been a pleasure having you on the show today. Thank you so much.
Robert Harrison: You know what? It’s been my pleasure. Thank you. Some of the stories you tell are hair curling which is kind of fun.
Sylvain Perrier: That is, well Mark used to have hair, I curled it so much it fell out.
Robert Harrison: Now the audience knows.
Mark Fairhurst: Now the audience knows. For those of you out there that are listening, if you want to reach out to Robert, how can they contact you?
Robert Harrison: I am on LinkedIn, Robert G. Harrison and through the company website which is www.mmr.ca. That’s Martin Merry and Reid, the initials. Just want to thank you guys very much. It’s been fun and enlightening and carry on. Good work.
Sylvain Perrier: Thank you. Thank you so much. Ladies and gentlemen, thank you so much for listening today. Don’t forget to download our next episode. And Mark, how can the listeners get a hold of us?
Mark Fairhurst: Usual way is go to mercatus.com. Our social handles are listed at the bottom of our page. We’re also on LinkedIn, Twitter, Facebook and Instagram.
Sylvain Perrier: We’re everywhere.
Mark Fairhurst: Everywhere.
Sylvain Perrier: Thank you.