Inside Boardroom: Q&As With The Authors Part 6

Is your company prepared for a cyber crisis?

Recently FMI, in partnership with global consulting firm Oliver Wyman, jointly released a compilation journal of strategic insights, entitled Boardroom, to help senior executives successfully guide their companies in this ever-changing food retail environment.

Comprised of original perspectives from leading experts in food retail on a selection of the most critical issues executives must confront in boardrooms across the country and around the world, in the final installment of our Q&A series, I spoke with Raj Bector, partner in Oliver Wyman’s Strategic IT and Operations Practice, on the importance of retailers being prepared for cyber crises and understanding how to implement effective cyber risk management. I also caught up with Hannah Walker, FMI’s senior director of technology and nutrition policy on what she’s hearing from FMI members.

Can you talk about the risk of cyber crises for retailers and the trends you have seen?

Hannah Walker: This blog is particularly timely because cyber criminals are getting increasingly sophisticated. For instance, in recent months, we’ve been aggressively countering public opinion that EMV answers data security problems. In reality, we have a payments chain with many actors and EMV isn't the answer. EMV merely ensures the card is valid but it does not prevent a breach, so a crisis plan is critical. Food retailers are encrypting and tokenizing the data - even if it's compromised, it's useless to the thief. We recognize there's still a great need to protect cyber information; hence we're investing in order to protect the customer’s and other sensitive data in our systems.

Raj Bector: That’s right. What we’ve found is that the two major areas of concern from a retail standpoint are at the point of sale and the broader vendor or supply chain.  Many retailers have thousands of vendors and suppliers and there is a significant amount of risk for every entity, so much so that there is a concerted push in identifying vendor risk within the retail space, as well as more broadly in other industries. The other trend, in terms of the point of sale, is the concern around fraud risk. We’re seeing quite a bit of uptick around “card not present” risk, where fraudulent actors don’t physically have the credit card, and it’s an online transaction. The fraud there is increasingly quite significant. These issues are typically related to cyber-crime – somebody stealing somebody’s identity or credentials and making a purchase online without the physical card being in the merchant’s hands.

How does a company begin to implement or recognize cyber risk management?

Bector: This is a broad question and has multiple layers.

  1. The first layer is to really understand what the organization means by cyber risk management, which is differentiated from cyber security or IT security.
  2. The second risk management principle is to be able to quantify those probabilities.
  3. The third piece is you have to be able to factor in the people dimension to this problem.
  4. The next piece is a link to operational risk or a link to a broader risk management regime.
  5. The last variable in the risk management equation is a cultural change that needs to happen in the organization. So there needs to be a cultural shift where people are actually thinking about it in risk terms as opposed to an IT security standpoint.  

Those are the elements when we talk about cyber risk management. Those five different elements must be included as part of an organization’s overall cyber risk management program.

Walker: Managing the risk is the key point here. Food retailers are building strong firewalls and implementing best practices on the front end to prevent intrusion, but they understand not to stop there. This is where encryption, tokenization and other solutions to make the information useless become critical for risk management. Grocers realize that mitigating the damage that can be done by these criminals – especially if they do gain access – is an additional and essential layer of protection in the store.

What makes companies most vulnerable to a cyber-attack and what can they do to mitigate this risk?

Bector: One thing that gets overlooked in these institutions is how executives communicate their cyber risk posture in the public domain. A very actionable thing that organizations can do is to train their executives on how to communicate cyber risk posture and programs to the broader public, and how to handle questions around this particular risk. There is much more they can do, but this is a major item that is worthy of being highlighted.

Walker: Communicating your cyber risk posture publicly also involves working with law enforcement. We’ve found that coordination with law enforcement remains essential in two particular areas: The current in-store-card-present world and the quickly growing online-card-not-present environment. Merchant groups, including FMI, are currently working with both state and federal law enforcement to identify opportunities to take down these crime rings and identify possible areas where federal laws need to be strengthened.

Are there other things you think policymakers and companies should be thinking about beyond the article’s key points?

Walker:  I’ll handle it from the policy side. What we see is that grocers are investing countless man hours and significant capital to protect themselves and their customer data from ever evolving and sophisticated criminal cyber threats.  Cyber criminals have proven to be nimble and quick to change their tactics to exploit any vulnerability in the system. It is essential for policymakers to understand these evolving threats and the work that is being done to protect sensitive information and data before they move to regulate or legislate in this space. Any new federal legislation should account and allow for flexibility and innovation in order to continue defending against these criminals.  

Bector: On the individual company side, organizations have to look at risk across the supply chain and not just in their own institution. This risk has a lot of interdependencies and there are a lot of different sectors people can use to enter a network, access data and create havoc. It’s not just about fortifying their networks; it’s about looking at and protecting the broader supply chain.

*This interview is the final Q&A of a six-part series between FMI executives and Oliver Wyman partners on the inaugural issue of our joint journal Boardroom.

By Mark Baum, SVP of Industry Relations and Chief Collaboration Officer, Food Marketing Institute