
Taking the Full Measure of Retail, Wholesale, and Food and Beverage Cyber Risks

Posted by Susan Young July 24, 2019

The risks inherent in using and processing customers’ personal data are familiar territory for customer-facing businesses, including restaurants and retailers. Nearly 90% of retail, wholesale, and food and beverage respondents to the Excellence in Risk Management survey identified cyber-attacks as a significant concern.

There’s growing awareness that cyber risks for retail and farm-to-fork businesses go beyond data breaches, and that the risk of business interruption from a cyber-attack or technology failure is increasing, with potential for significant economic damage. Widely used transformative technologies — including self-checkouts, mobile wallets, automated production and robotics, and online ordering and payment systems — can increase productivity and enhance the customer experience, but also create more points of vulnerability and the potential for business interruption.

A cyber event or technology failure can disrupt operations, paralyze systems, and halt customer services, resulting in revenue loss, extra expense, and reputation damage:

  • A global snack food wholesaler experienced a disabling ransomware attack that paralyzed its manufacturing capabilities for days, leading to millions in lost revenue.
  • A leading US retailer was left unable to complete customer orders following failure of its fulfillment system, leading to significant revenue losses.

Although the economic impact could be extensive, many retailers and farm-to-fork companies don’t know how much a cyber-attack or technology failure could actually cost because they haven’t taken the critical step of quantifying their risk.

Economic Quantification is Key

Retailers and farm-to-fork companies often use qualitative methods to assess their cyber risk. For some, this includes vague descriptive methods like traffic light colors or low, medium, or high grading, which do not provide the actionable economic data necessary to drive sound cyber risk planning and investment decisions.

Protecting your organization against an operational or technology disruption first requires an understanding of your risk exposures, including your technology footprint. Armed with that information, you can quantify the financial impact of such an event. Unless you know the economic cost of cyber risk, your organization could be overspending on cybersecurity technology while underinvesting in areas such as insurance, training, and response planning that are crucial to building cyber resilience.

Risk quantification applies a range of potential economic scenarios to measure the value of specific risks, enabling organizations to:

  • Express cyber risk in dollar terms, thus removing ambiguity and allowing for an apples-to-apples comparison to the cost of other organizational risks.
  • Provide a common language to describe the financial cost of cyber risk that can be used across the organization, especially among those without technological expertise.
  • Make well-informed decisions about cyber capital allocation, including investments in cybersecurity technology. This insight is instrumental in determining insurance needs, including what type of coverage and limits to purchase.
  • Allow companies to evaluate whether their cyber investments are having a meaningful impact in reducing their risks.

If you can’t measure it, you can’t manage it. With technology transforming the business and risk landscape for retail, wholesale, and food and beverage companies, the bottom line is that quantification of cyber risk will lead to better cyber risk management and greater cyber resilience.
