Retailers Balance E-commerce Model with Data Security Concerns

July 2017

The e-commerce model, promising as it may be, carries enormous risk for retailers and consumers alike. Consumers entrust retailers with their financial and personal information when they make purchases both in-store and online, which tasks retailers with securing data spread across multiple digital platforms.

Our study reflects the weight of this process, as 100 percent of retailers cited risks associated with possible security breaches in their most recent 10-Ks. In specific terms, these businesses are concerned with the potential release of confidential customer, employee and corporate information, which could be exploited for identity fraud, financial theft or brand reputation damage. 

When cyberattacks occur, retailers not only have to answer to their consumers and employees, but they are also increasingly held accountable by regulators. The majority of retailers (78 percent) cite concerns about data privacy and security regulations in their 10-Ks this year, in line with the results of BDO’s 2017 Retail Compass Survey of CFOs, which found that 70 percent of retail CFOs anticipate heightened cybersecurity regulations through 2017. The Trump administration recently enacted cybersecurity regulation to clarify the federal government’s role in cyber risk management, and states such as New York are working to more clearly define data privacy guidelines for various industries. 

Retailers can protect data and minimize regulatory scrutiny by organizing employee training programs and creating coordinated incident response plans. Should regulators come knocking at retailers’ doors, having a thoughtfully developed, communicated and audited plan is a much stronger defense than simply delegating full responsibility to the IT department. 

“Retailers should not let the fear of data breaches prevent them from establishing robust omnichannel presences. They should, however, be aware of their unique digital vulnerabilities and implement strategies to safeguard the information of their employees, customers and business. Retailers can protect their bottom line and reputation by assessing their unique risks, designing a cyber security program that addresses those specific risks using a thoughtfully constructed program of security controls, policies and procedures, data breach insurance and supply chain risk management across all functional areas, and not just credit card data.”

Deena Coffman
Managing Director in BDO Consulting’s Technology Advisory Services practice


A Chip on Retail’s Shoulder

Since credit cards are a primary method of payment for consumers, retailers also face pressure from the payment card industry (PCI) to strengthen their cybersecurity, including working to ensure Europay, MasterCard and Visa (EMV) compliance. This year, 30 percent of retailers cited PCI standards and EMV compliance as a potential risk to their business. While the Retail Compass Survey of CFOs found that 82 percent of those surveyed in 2017 are EMV-compliant, the proportion of retailers who still see it as a risk reveals how the industry’s security standards are maturing as cyber threats evolve. 

The economic impact of data breaches is a significant area of concern for retailers. In August 2016, Eddie Bauer reported that approximately 350 of its stores were attacked by ransomware, indicating that customers’ credit card data was potentially compromised. This led Eddie Bauer to sponsor a year of free identity protection services for those who made purchases at the store during the time of the attack. It may be difficult for retailers to anticipate a data breach’s impact on brand perception and to calculate the influence on stock prices, but they should not underestimate the blunt financial costs of a cyberattack.    

Despite the challenges posed by digitization, retailers are still experimenting with new ways to engage customers via technology. According to e-Marketer, Americans will spend 2 hours and 25 minutes per day on mobile apps in 2017, a 10 percent increase from 2016. Today’s retailers can connect with customers in more ways than ever before, but this opportunity brings its own unique challenges. In fact, 23 percent of retailers noted concerns around their mobile platforms in their 10-Ks. Contributing to these concerns are issues related to heavy app competition, demands for improved user experience, security challenges and the fact that the number of mobile apps consumers use regularly is dropping. 

Wariness around risks associated with virtual shopping is also demonstrated by the 65 percent of retailers who noted their concerns about potential impediments to their e-commerce initiatives in their 10-Ks this year, up from 57 percent in 2016. These rising concerns may be driven by the increasingly crowded e-retail space, competitive delivery rates and consumers’ changing expectations toward personalized shopping experiences. Flattening in-store sales, however, might leave many retailers with no other choice than to invest in bolstering online sales platforms. 

As more consumers’ shopping habits and preferences diversify across platforms, retailers face a growing responsibility of protecting millions of Americans’ sensitive information. Given this burden, retailers are right to be concerned with their financial and reputational liability. Designing a tailored, penetration-tested cybersecurity program is the first step toward a strong, proactive defense against hackers.