In the middle of a chain reaction: mitigating cyber risk in the retail and FMCG sector

By Eden Winokur, Alison Baker, Nicholas Simpson and Todd Waugh

Cyber attacks targeting corporates are on the rise globally, with an estimated 50% increase in 2021 compared with 2020.^[1]

This should be cause for concern for the more than 130,000 retail trade businesses across Australia who, according to PwC, contribute revenue of over $300 billion to the Australian economy annually.^[2] Of even more concern is the focus by cyber criminals on the retail and fast-moving consumer goods (FMCG) sector,^[3] a problem exacerbating the challenges already faced by delays within the supply chain.

What can companies in this sector do to mitigate the risk?

Increased risk environment

Like all Australian organisations, companies in the retail and FMCG sector should be on high alert for cyber attacks. They should be advising staff to take extra care and be on the lookout for any suspicious cyber activity.

Taking an enhanced cyber security posture is recommended by the Australian Cyber Security Centre (ACSC) following Russia’s invasion of Ukraine. The ACSC has issued a high alert status alert and warned of an increased threat of malicious cyber activity that may impact Australian organisations through business disruption or uncontained malicious cyber activities.

Targeting the retail and FMCG sector

One of the reasons this sector is targeted is because of the significant amounts of customer data that is held, which often includes financial information. This means that cyber attacks can impact more than just business operations. They can create a privacy risk, which may lead to potential third-party liabilities and reputational damage when an incident occurs. This risk is heightened by COVID-19, with almost nine in 10 Australian companies adopting new technologies to support business continuity during a sharp increase in online shopping and working from home.^[4]

Another reason this sector is targeted, which is arguably the sector’s biggest risk, is the reliance on interconnected supply chains. Disruption to one part can have a chain reaction. This risk is heightened by the fact that while steps can be taken within a company to ensure the best possible cyber security standards, business operations can be significantly impacted by cyber attacks against third parties.

Cyber attacks in the sector

The retail and FMCG sector has suffered some of the largest and most impactful cyber attacks experienced in Australia. Some examples of the way cyber attacks have affected the sector include:

• supply chain attacks, where a key cog in the supply of goods is impacted, causing a ripple effect that significantly disrupts the business operations of various companies reliant on the impacted company;
• attacks against software providers, impacting business operations for companies reliant on the software targeted or as a means to launch a more significant attack;
• attacks on automated ordering systems, requiring manual order processing, additional expenses to be incurred and leading to product shortages;
• attacks on general IT systems, resulting in staff being unable to use their computers which materially affects business operations;
• theft of customer data leading to threats to either pay a ransom or for the data to be published online; and
• data breaches giving rise to a legal obligation to notify affected individuals and the Office of the Australian Information Commissioner (and potentially other regulators).

Depending on the size of the company and severity of the incident, cyber attacks can cost businesses millions of dollars to recover from. They can also have a significant impact on a company’s reputation.

It is therefore imperative that companies in this sector understand how a cyber attack could impact their business.

Assessing the risk

In 2021, the ACSC released guidelines to assist companies identify supply chain risk.^[5] The ACSC recommends that organisations assess the following risks:

• foreign control or interference – includes foreign governments controlling or interfering with businesses in the supply chain;
• poor security practice – includes cyber security standards of third parties in the supply chain, how third parties handle cyber incidents and how they manage their employees;
• lack of transparency – includes third parties sharing information about penetration testing on their network, whether contracts address cyber security standards or the right to an audit and whether there are product delivery guarantees; and
• access and privileges – includes whether third parties have in place access and privilege restrictions associated with the goods or services being offered, whether the sale is dependent on the internet and where data is stored.

Companies in the retail and FMCG sector should discuss these risks with their internal and external IT and legal advisors. While the risks cannot be eliminated, it is important to take steps to mitigate the impact that these risks can have on business operations and customers.

Key tips

Having regard to the current cyber climate, and the alert by the ACSC, there has never been a more important time for companies to reassess and strengthen their cyber security processes.

Here are some key tips which every Australian organisation, including those in the retail and FMCG sector, should adopt to strengthen their cyber security.

• Develop a cyber security culture in your workplace through employee training. Ensure your employees are trained to identify cyber risk, particularly phishing emails and malicious links or documents arriving by email, and know to escalate suspicious emails to an IT department or vendor. Carry out regular cyber security training and encourage an attitude of ‘zero trust’ when it comes to opening attachments or links from suspicious sources and when providing sensitive information.
• Have an up-to-date and tested incident response plan. The plan should include a step-by-step guide of what to do if there is a suspected cyber attack or data breach. It should include contacting technical support and your lawyer and be tested in desktop exercises or simulations. If there is a potential liability arising from the cyber attack, your lawyer should be able to advise you on your legal and regulatory obligations depending on the situation. Contacting your lawyer immediately can also mean that investigations remain privileged should proceedings be commenced against your company at a later date.
• Implement recommended network security hardening, including at a minimum the ACSC’s ‘Essential Eight’.^[6] Common-sense cyber security can materially reduce legal risks associated with an incident. These measures include, for example, regular backups, an adequate firewall, prompt patching, up-to-date software, enabled multi-factor authentication, and ideally endpoint detection and response. Discuss this your with internal and external IT experts and resources.
• Understand notification obligations based on privacy legislation and in contracts with companies in the supply chain. Before an incident occurs, prepare a schedule setting out the notification obligations with each party in the supply chain. This way, if an incident happens you do not have to work through each contract in the middle of a crisis.
• As a last line of defence, if it has not already been purchased, consider obtaining cyber insurance. Among other things, cyber insurance can provide cover for the costs of remediating against an attack or a data breach, incident response costs, vendor costs to provide legal, regulatory and reputational advice and business interruption loss. Speak with your insurance broker or lawyer to discuss what is required to obtain cyber insurance and to comply with the terms of any cyber insurance policy.