
5 Cybersecurity Risks Facing the Retail Sector

Last year, the average cost of a data breach in the retail industry was $3.28 million. As cyber criminals continually target organizational vulnerabilities, retailers should consider whether their current cyber insurance policy is prepared to respond to these cyber threats.

July 29, 2024

A cyber-attack can debilitate any organization, exposing protected customer data and putting the company at risk of lawsuits, regulatory actions and reputational damage.

“With the upward trend in threats, vulnerabilities, compliance requirements, and digital innovation, it is important for businesses to understand the emerging risks and implement essential cyber hygiene controls,” said Spencer Timmel, Head of Cyber Insurance at Safety National. “Businesses should train the workforce to mitigate those risks and ensure that their cyber insurance policy is designed to properly respond when a cyberattack does occur.”

Organizations can start by identifying their vulnerabilities, which continue to evolve as cyber criminals become increasingly organized and savvy. Some of the top cyber threats to retail establishments include:

1. Ransomware

According to the State of Ransomware in Retail report published by Sophos, 69% of retail businesses were the victim of ransomware attacks in 2023. Ransomware can be a short-term event with long-term consequences. Short-term expenses include hiring a forensic investigator and paying a ransom, but meaningful business interruption and long-term liability issues involving class action lawsuits and regulatory actions are a growing concern.

The U.S. Treasury Department’s Office of Foreign Assets Control maintains a list of banned threat actors called the Specially Designated Nationals and Blocked Persons List. An organization or individual that pays a ransom to someone on this list could face federal civil penalties, sanctions or jail time. A breach coach, provided as a resource through many cyber policies, can help determine whether the ransom can legally be paid.

2. Third-Party Exposure

According to several studies, data breaches that involve a third-party vendor are among the most expensive breaches reported. Organizations should be aware of all vendor usage, including what each vendor is doing to protect against cybercrime and how it would report an incident should one occur. Vendor access should be limited, especially if your business handles personally identifiable information (PII). Data breaches commonly start from within a company, so it is critical for your reputation and your customers’ security that the business has a vendor management program that thoroughly assesses vendor system security and protocols.

3. Pixel-Tracking Technology

Many large organizations are grappling with this, particularly those with public-facing websites that embed pixel-tracking technologies to retarget ads to potential customers. In order to serve these personalized ads, this technology passes customers’ information on to third parties across the web. Some businesses are fully aware that this technology is embedded in their website to enable retargeting. However, some may not be aware that their customers’ data is being shared with technology companies like Meta. As this becomes more common practice, it is important for all businesses to disclose these practices in their privacy policy. Failure to do so could result in privacy liability lawsuits.

4. Deepfakes

With the use of artificial intelligence (AI), this risk is evolving quickly. Threats now go beyond the reputational risk of corporate executives being spoofed in videos. Retailers now face the threat of engaging with a social media post that, unbeknownst to them, is a deepfake. For instance, it would not be uncommon for a clothing retailer to repost or engage with a celebrity’s social media post in which they wear something from the brand. If that post is a deepfake, the celebrity can claim to have been financially harmed by the retailer sharing it and sue for reputational damages. It is important for every business to address social media approvals in its policies, specifically with regard to AI and deepfakes.

5. Security-Related Technology

There are several exposures related to the measures clients are taking to prevent theft at their retail locations. Many have implemented video surveillance, tracking, and facial recognition tools to assist with theft prevention. Some of this technology collects biometric data, and a leak of that data could open an organization up to liability and regulatory exposures.