Cyber compliance does not always equal risk management, Deloitte report finds

Cyber risk is a business issue. That was one of four key themes that characterized the state of cyber risk programs and issues facing the retail and distribution sector, according to a Deloitte report released this week.

The report, titled Cyber risk in retail: Protecting the retail business to secure tomorrow’s growth, also found that: compliance does not always equal risk management; breach response readiness is top of mind as companies scramble to shore up detection; and external intelligence will play a crucial role in the war against cyber threats.

The report noted that 2013 and 2014 saw “an unprecedented level of cyber assault on retailers,” with several major breaches and retailers reporting tens of millions of customer data and credit card records exposed.

In response to both the general sense of alarm and the shifting cybersecurity landscape, Deloitte said in the report, the company undertook two projects over the summer of 2014 to gather information and facilitate practical dialogue on how to move forward. The first of these was a 65-question survey on the current state of retailers’ cyber risk and security programs, including investment and governance priorities. Forty organizations, representing a diverse range of large and mid-size retail companies, participated in the survey.

Related: Judge OKs $10 million settlement of class action lawsuit over Target Corp. data breach

The second project was a first-of-its-kind Retail Cyber Risk Leadership Forum that brought together 85 CEOS, chief financial officers, chief information officers, loss prevention personnel, general counsel and chief information and security officers from more than 45 retail and distribution organizations, along with leaders from government, law enforcement, and supporting service organizations, for two days of practical discussion and collaboration.

The aforementioned four themes emerged from the projects. [click image below to enlarge]

“The threats are obviously becoming more sophisticated,” said Alison Kenney Paul, vice chair and U.S. retail and distribution leader with Deloitte LLP, in the report. “Because of the innovation [retailers] deliver to reach customers – omnichannel approaches, social media, efficiency efforts – the way we work is very different than other industries, and the way we worked a decade ago. While that presents great opportunities, it also raises the stakes of the game.”

The Deloitte & Touche LLP Cyber Risk survey found that compliance does not always equal risk management: most company leaders felt that regulatory and standards requirements are only “somewhat effective” in reducing security breach exposure (71%) and improving cyber risk posture (80%). Furthermore, security/risk assessments and data protection initiatives outranked compliance as top program initiatives.

In terms of breach readiness, the survey found that even when they do have preparedness plans, organizations may not be proactively reviewing, providing training for, or rehearsing their plans. Still, 57% of respondents have some kind of a cyber insurance, ranging from less than US$5 million to more than US$100 million.

Related: Home Depot faces dozens of lawsuits over data breach that hit debit and credit cards

Other findings include:

• A combined 70% say they either don’t track program metrics, or use technical metrics that are not aligned to business value. Only 6% say they have business-aligned metrics and report on a regular basis;

• 63% of the respondents either don’t have a documented cyber program strategy or don’t have their strategy document approved;

• 71% of survey respondents said they plan to conduct a cyber risk or security assessment; and

• Many organizations are investing in capabilities relating to threat detection (23%), security event monitoring (34%), and incident response (31%).

“The retail sector may look back on this past year—what some have called the Year of the Retail Breach—as a catalyst for a more risk-focused approach to cyber security,” the report concluded.