THE UNSEEN ENEMY

PROTECTING THE BRAND, THE ASSETS AND THE CUSTOMERS
Technology – Connecting the world…
• 9 billion connected devices, predicted to rise to 24 billion by 2020
• If Facebook were a country, it would be the 3rd largest in the world
• Facebook kicks off over 1000 users per day because they are too young
• In 2011, more video was uploaded to YouTube in a two-month period than if ABC, CBS, and NBC had been airing new content 24/7/365 since 1948
In the News

Recent Studies
• 2013 Trustwave Global Security Report
  - Retail industry made up 45% of data breach investigations studied (15% increase from 2011)
  - E-commerce sites were the #1 targeted asset, accounting for 48% of all investigations
• Symantec
  - Cumulative bill for cyber crimes in 24 countries totaled $388 billion last year
  - 431 million adults experienced some form of cyber crime last year, equating to nearly 1.2 million people per day or 14 per second
Why Should Retailers Be Concerned?
• Retail industry is now the top target for cybercriminals
• Annual U.S. retail e-commerce spending has surged 143% since 2004 to $161.52 billion last year. In fact, a report from IRMG indicates that internet/mobile shopping increased 15% in 2013.
• Early estimates indicate that 20% of the upcoming holiday sales will be online
• E-commerce attacks are emerging as a growing trend, surpassing the number of point-of-sale attacks
• Financial cost of a cyber attack is higher for businesses that sell products on the front-end, such as retailers
• The SEC is pushing to require that companies disclose data breaches in their financial statements
What Must Retailers Protect?
• Credit card information
• Private employee data
• Intellectual property
• Customer information
• Reputation and good will
• Confidential business information
How Breaches Occur
• Criminal act by outsider
• Vendor error
• Human error
• Technology failure
• Employee misconduct
Case Studies

Resource: Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest

What are the options for handling the risk?
• Retain: keep the risk within the organization
• Allocate: involve counsel to shift risk to suppliers and business partners
• Transfer: transfer the risk to another entity
Types of Insurable Risks
• Third party
• First party
Costs
• Types
  - Hard
  - Soft
  - Time
• Retail companies see much more significant costs around cyber attacks
• According to Neustar’s May 2012 report:
  - 65% of businesses said a site outage would cost them up to $10,000 an hour
  - 21% said it would cost $50,000/hour
  - 13% would lose $100,000/hour
What Do You Know About Your Data?
• Location
  - Cloud
  - Physical environment
  - Is your data co-located?
• Service Level Agreements
  - Breach notification
• Law enforcement considerations need to be addressed:
  - Requests to maintain secrecy or limit knowledge
  - Maintaining control of the investigation
• Communications with insurers presumably are not privileged
Actions Following a Breach
Functional Steps: Deploy, Preserve, Identify, Notify

DEPLOY AN INCIDENT RESPONSE TEAM
• IT Director
• CIO
• Human Resources
• Legal
• Internal or external security experts

PRESERVE SYSTEM LOGS
• Date, time, duration, and location of breach
Actions Following a Breach (Continued)
Functional Steps: Deploy, Preserve, Identify, Notify

IDENTIFY THE FOLLOWING
• How was the breach discovered?
• By whom?
• Any additional details:
  - Entry and exit points
  - Compromised systems
  - Data deleted vs. modified vs. viewed
• Identify and understand details of the affected data

NOTIFY
• Public relations
• Insurance carrier
Insurance Recovery Considerations in the Face of a Security Breach or Data Loss or Claim
• Timely notice of claim (claims made and reported?)
• Involvement of counsel (internal & external) to review how coverage may respond. Consent to incur prudent or necessary expenses may be required:
  - Costs of the crisis stage or legal compliance, such as breach notification, credit monitoring, call center and forensics, are the vast majority of the expense on a per-record basis ($194/record)
  - Defense expenses (private claims, regulatory claims)
• Communications with insurers presumably are not privileged
• “Labeling” of first party costs/categorization
Who Provides Services Around Cyber Risk?
• Preventative/proactive assessment
• Technology/data analytics
• Legal
• Data hosting/monitoring
• Forensic accounting
• Public relations

CONTACT
Michael Barba, CISSP, CPP, DFCP, CNE, EnCE
Managing Director, BDO USA, LLP
mbarba@bdo.com
212-885-8120
Jeff Hall
Senior Manager, BDO USA, LLP
jhall@bdo.com
212-885-7339

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, financial advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 40 offices and more than 400 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multinational clients through a global network of 1,204 offices in 138 countries.

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms.
www.bdo.com
To ensure compliance with Treasury Department regulations, we wish to inform you that any tax advice that may be contained in this communication
(including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding tax-related penalties under the
Internal Revenue Code or applicable state or local tax or (ii) promoting, marketing or recommending to another party any tax-related matters addressed
herein.
Material discussed in this publication is meant to provide general information and should not be acted on without professional advice tailored to your
individual needs.
© 2013 BDO USA, LLP. All rights reserved. www.bdo.com
