the unseen enemy - protecting the brand, the assets and the customers


Upload: bdoconsulting

Post on 18-Dec-2014


DESCRIPTION

Michael Barba and Jeff Hall discuss the most pressing cyber-threats facing retailers and what companies can do in the event of a cyber breach, data loss or claim. Mr. Barba is a managing director and Mr. Hall is a senior manager with BDO Consulting.

TRANSCRIPT

Page 1

THE UNSEEN ENEMY PROTECTING THE BRAND, THE ASSETS AND THE CUSTOMERS

Page 2

Technology – Connecting the world…

9 billion connected devices, predicted to rise to 24 billion by 2020

If Facebook were a country, it would be the 3rd largest in the world

Facebook kicks off over 1000 users per day because they are too young

In 2011, more video was uploaded to YouTube in a two-month period than if ABC, CBS, and NBC had been airing new content 24/7/365 since 1948


Page 3

In the News


Page 4

Recent Studies

2013 Trustwave Global Security Report

• Retail industry made up 45% of data breach investigations studied (15% increase from 2011)

• E-commerce sites were the #1 targeted asset, accounting for 48% of all investigations

Symantec

• Cumulative bill for cyber crimes in 24 countries totaled $388 billion last year

• 431 million adults experienced some form of cyber crime last year, equating to nearly 1.2 million people per day or 14 per second


Page 5

Why Should Retailers Be Concerned?

The retail industry is now the top target for cybercriminals

Annual U.S. retail e-commerce spending has surged 143% since 2004 to $161.52 billion last year. In fact, a report from IRMG indicates that internet/mobile shopping increased 15% in 2013.

Early estimates indicate that 20% of the upcoming holiday sales will be online

E-commerce attacks are a growing trend, now surpassing point-of-sale attacks in number

Financial cost of a cyber attack is higher for businesses that sell products on the front-end, such as retailers

The SEC is pushing to require that companies disclose data breaches in their financial statements


Page 6

What Must Retailers Protect?

• Customer information

• Credit card information

• Private employee data

• Confidential business information

• Intellectual property

• Reputation and goodwill

Page 7

How Breaches Occur

• Criminal act by outsider

• Technology failure

• Employee misconduct

• Human error

• Vendor error

Page 8

Case Studies


Resource: Retail Fail: Walmart, Target Fared Worst In Def Con Social Engineering Contest

Page 9

What are the options for handling the risk?

• Retain: keep the risk within the organization

• Allocate: involve counsel to shift risk to suppliers and business partners

• Transfer: transfer the risk to another entity

Page 10

Types of Insurable Risks

• Third party

• First party

Page 11

Costs

Types

• Hard

• Soft

• Time

Retail companies see much more significant costs around cyber attacks

According to Neustar's May 2012 report:

• 65% of businesses said a site outage would cost them up to $10,000 an hour

• 21% said it would cost $50,000/hour

• 13% would lose $100,000/hour

Page 12

What Do You Know About Your Data?

Location

• Cloud

• Physical environment

• Is your data co-located?

Service Level Agreements

• Breach notification

Law enforcement considerations need to be addressed:

• Requests to maintain secrecy or limit knowledge

• Maintaining control of the investigation

Communications with insurers presumably are not privileged

Page 13

Actions Following a Breach – Functional Steps

Deploy → Preserve → Identify → Notify

DEPLOY AN INCIDENT RESPONSE TEAM

• IT Director

• CIO

• Human Resources

• Legal

• Internal or external security experts

PRESERVE SYSTEM LOGS

• Date, time, duration, and location of breach

Page 14

Actions Following a Breach (Continued) – Functional Steps

IDENTIFY THE FOLLOWING

How was the breach discovered?

By whom?

Any additional details:

• Entry and exit points

• Compromised systems

• Data deleted vs. modified vs. viewed

Identify and understand details of the affected data

NOTIFY

• Public relations

• Insurance carrier
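The "preserve" and "identify" steps above are stated only as headings. As an added example, not part of the BDO deck, the script below shows the minimum a responder would want from those two steps in working form: each log copy is fingerprinted with SHA-256 and stamped with its collection time so it can later be shown unaltered, and the preserved lines are then scanned for an indicator the team has flagged to derive the date, time, duration and location (affected hosts) of the activity. The log lines, host names and the 203.0.113.9 address are constructed sample data; the indicator string is an assumed input supplied by the responder.

```python
"""Added example (not from the BDO deck): evidence preservation plus a first
triage pass over the preserved log, covering the deck's Preserve and Identify
steps. Every log line, host name and address below is constructed."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample: auth log lines in a syslog-like layout (not real data).
SAMPLE_LOG = """\
2014-11-20T02:11:07Z pos-07 sshd[412]: Failed password for admin from 203.0.113.9
2014-11-20T02:11:09Z pos-07 sshd[412]: Failed password for admin from 203.0.113.9
2014-11-20T02:11:15Z pos-07 sshd[412]: Accepted password for admin from 203.0.113.9
2014-11-20T02:30:41Z db-02 sshd[991]: Accepted publickey for backup from 10.0.4.7
2014-11-20T03:45:02Z pos-07 cron[77]: (root) CMD run-parts /etc/cron.hourly
2014-11-20T04:02:58Z pos-07 sshd[412]: Accepted password for admin from 203.0.113.9
"""

# timestamp, host, program[pid]: message
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?)\[\d+\]: (.*)$")


def fingerprint(data: bytes) -> str:
    """SHA-256 of the preserved bytes; this is what goes in the manifest."""
    return hashlib.sha256(data).hexdigest()


def preserve(name: str, data: bytes, collected_at=None) -> dict:
    """Build one manifest entry: source name, size, hash, collection time (UTC)."""
    collected_at = collected_at or datetime.now(timezone.utc)
    return {
        "source": name,
        "bytes": len(data),
        "sha256": fingerprint(data),
        "collected_at": collected_at.isoformat(),
    }


def verify(entry: dict, data: bytes) -> bool:
    """Re-hash a copy later and confirm it still matches its manifest entry."""
    return fingerprint(data) == entry["sha256"] and len(data) == entry["bytes"]


def parse(text: str):
    """Yield (timestamp, host, program, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, prog, msg = m.groups()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield when, host, prog, msg


def breach_window(text: str, indicator: str) -> dict:
    """Date, time, duration and affected hosts for lines containing the indicator."""
    hits = [(when, host) for when, host, _, msg in parse(text) if indicator in msg]
    if not hits:
        return {"events": 0}
    first = min(when for when, _ in hits)
    last = max(when for when, _ in hits)
    return {
        "events": len(hits),
        "first_seen": first.isoformat(),
        "last_seen": last.isoformat(),
        "duration_minutes": int((last - first).total_seconds() // 60),
        "hosts": sorted({host for _, host in hits}),
    }


if __name__ == "__main__":
    raw = SAMPLE_LOG.encode()
    entry = preserve("pos-07-auth.log", raw)  # constructed file name
    print(json.dumps(entry, indent=2))
    assert verify(entry, raw)
    # Indicator assumed to have been flagged by the response team.
    print(json.dumps(breach_window(SAMPLE_LOG, "from 203.0.113.9"), indent=2))
```

The manifest is what lets the log copy be handed to counsel, the insurer or law enforcement later with a demonstrable chain of custody; the window summary is the "date, time, duration, and location" line item from the Preserve step, filled in from the evidence rather than from memory.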

Page 15

Insurance Recovery Considerations in the Face of a Security Breach or Data Loss or Claim

• Timely notice of claim (claims made and reported?)

• Involvement of counsel (internal & external) to review how coverage may respond

• Consent to incur prudent or necessary expenses may be required:

  • Costs of the crisis stage or legal compliance, such as breach notification, credit monitoring, call center and forensics, are the vast majority of the expense on a per-record basis ($194/record)

  • Defense expenses (private claims, regulatory claims)

• Communications with insurers presumably are not privileged

• "Labeling" of first party costs / categorization

Page 16

Who Provides Services Around Cyber Risk?

• Preventative / Proactive

• Assessment

• Data Hosting / Monitoring

• Technology / Data Analytics

• Legal

• Forensic Accounting

• Public Relations

Page 17

CONTACT

Michael Barba, CISSP, CPP, DFCP, CNE, EnCE

Managing Director, BDO USA, LLP

[email protected]

212-885-8120

Jeff Hall

Senior Manager, BDO USA, LLP

[email protected]

212-885-7339


Page 18

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, financial advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through more than 40 offices and more than 400 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multinational clients through a global network of 1,204 offices in 138 countries. BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. www.bdo.com

To ensure compliance with Treasury Department regulations, we wish to inform you that any tax advice that may be contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding tax-related penalties under the Internal Revenue Code or applicable state or local tax or (ii) promoting, marketing or recommending to another party any tax-related matters addressed herein. Material discussed in this publication is meant to provide general information and should not be acted on without professional advice tailored to your individual needs. © 2013 BDO USA, LLP. All rights reserved. www.bdo.com