Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

Report: Some Retail Firms Still Don't Recognize Cyber Security Risks

Nearly 10 percent of retail firms have not reported any cyber security exposure to the SEC since 2011, Willis Group says.

Nearly 60 percent of retail companies describe their cyber security exposure as "significant," "serious," or "critical," but another 9 percent are not reporting any cyber security exposure at all, according to a report published Wednesday.

According to a study of filings with the Securities and Exchange Commission conducted by risk advisor and insurance broker Willis Group Holdings, almost a tenth of retailers have not reported any cyber risk in financial documents filed with the SEC, which has required such reporting since Oct. 2011. The report describes the non-disclosure as "surprising," given the high-profile breaches recently discovered at retail chains such as Target, Michaels, and Neiman-Marcus.

Among those that did report cyber exposure, the top three risks cited were privacy/loss of confidential data (74%), reputation risk (66%), and cyber liability (61%). Cyber risk at the hands of outsourced vendors ranked at just 9%, a result Willis also describes as "surprising," given the level of outsourcing across the sector and retailers' heavy reliance on third-party technology partners.

Almost half (49%) of retail companies cited the use of technical safeguards as a chief remedy for cyber risk -- more than the Fortune 1000 as a whole (43%), the report states. However, 17% of retail companies reported inadequate resources to limit cyberlosses.

Less than one tenth (9%) of the retail sector indicated that they have purchased insurance for cyber exposures.

Chris Keegan, senior vice president for e-risk at Willis North America and co-author of the report, says the retail industry is "slightly behind the curve" in protecting itself against cyber security threats.

"A series of recent high-profile cyber breaches has pointed a government spotlight at the sector, and Willis expects this scrutiny to continue," Keegan says. "Our advice for retailers is: Don’t wait for the SEC to come knocking on your door."

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
securityaffairs
50%
50%
securityaffairs,
User Rank: Ninja
4/25/2014 | 3:33:15 AM
Re: Limited Resources
I'm not surprised. Retailers still have perception of security as a cost. The worrying aspect is that the majority of attacks is not reported for various reasons, because the fear of reputation lost or simply because they go undetected for a long time. 

It is necessary a joint action by retailers, security firms and government .... the phenomena are really alarming
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/24/2014 | 3:08:44 PM
Limited Resources
For the companies that can't use third party security vendors or many detection/prevention tools it should be noted that policy, access management and infrastructure are advocates towards one can be added safeguards. Granted there is cost in the labor of your employees but these methods will prove a short ROI when it comes to regulations/fines. First part is infrastructure. Analyze your network and ensure that items that don't need to be vulnerable to the internet are not. There are many ways that analysis and moving items of your infrastructure can safeguard your data. For access management ensure that the employee is provided the least amount of access available to complete their tasks. Too much access will be detrimental in case of a breach. With well documented policies, most possible secure infrastructure, and efficient access management; resources can be kept safer than in the current predicament at minimal cost.
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8813
PUBLISHED: 2020-02-22
graph_realtime.php in Cacti 1.2.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege.
CVE-2020-9039
PUBLISHED: 2020-02-22
Couchbase Server 4.x and 5.x before 6.0.0 has Insecure Permissions for the projector and indexer REST endpoints (they allow unauthenticated access).
CVE-2020-8860
PUBLISHED: 2020-02-22
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Samsung Galaxy S10 Firmware G973FXXS3ASJA, O(8.x), P(9.0), Q(10.0) devices with Exynos chipsets. User interaction is required to exploit this vulnerability in that the target must answer a phone call. T...
CVE-2020-8861
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-1330 1.10B01 BETA Wi-Fi range extenders. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HNAP login requests. The issue ...
CVE-2020-8862
PUBLISHED: 2020-02-22
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of D-Link DAP-2610 Firmware v2.01RC067 routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from the ...