Digital Risks

Part 01 of three

Digital Risks (Part 1)

The technology industry is advancing at a rapid pace with constantly evolving digital technologies at every turn. With high-speed advancement comes various emerging risks to numerous connected industries such as finance, e-commerce, and retail. The top five technology risks to various industries are e-commerce online security risk, product warehousing and logistics risk, data breach, cybersecurity risk, and technology vendor and third-party risk.

DIGITAL TECHNOLOGY RISKS

#1: E-COMMERCE ONLINE SECURITY: RISK TO E-COMMERCE INDUSTRY

  • E-commerce online security is a set of protocols that ensures e-commerce transactions are secure. Thus, strict security requirements must be kept in place to safeguard e-companies from all kinds of cyber threats.
  • There are instances when fraudulent e-commerce transactions take place. Web-based retailers do not have the means to physically verify the validity of the customer's card or verify if the customer is an authorized individual by requesting his/her driver’s license. E-commerce fraud can be committed in various ways such as using a stolen card for purchasing items, placing false claims of undelivered items, or hacking the merchant's system.
  • If this risk takes place, it may lead to phishing, which is a fraudulent attempt to acquire sensitive information like customers' credit card details, usernames, and passwords. An unprotected online service can lead to data errors, credit card fraud, and hacking.
  • The probability of this risk occurring is high, since a survey conducted by OnePoll found that 87% of individuals believe that they are not likely to purchase from an e-commerce business that has poor online security.
  • Potential countermeasures include installing a multilayered security system on the e-commerce platform, running a thorough monitoring system that checks each transaction from ordering to delivery, requiring users to set strong passwords for their accounts, and attaining a trust mark with SSL certification.

#2: PRODUCT WAREHOUSING AND LOGISTICS: RISK TO E-COMMERCE INDUSTRY

  • Managing e-commerce warehouse operations and logistics is a challenging task. If it is not done properly, it may lead to increased expenses and a waste of time, which in turn would decrease customer satisfaction by a large margin.
  • If the e-commerce inventory is not monitored with suitable tracking software, then businesses would end up running out of stock when orders come in, delaying shipments, and shipping products to the wrong recipient.
  • According to Smart Insights, over 48% of shoppers consider guaranteed delivery dates to be an important aspect when checking out online. This suggests that the probability of this risk occurring is medium.
  • Potential countermeasures include installing inventory management software that automatically monitors and updates across all platforms, ensuring suitable tracking software is in place, and ensuring the proper use of a barcode scanner to speed up the process.

#3: DATA BREACH: RISK TO RETAIL INDUSTRY

  • An attack on an e-commerce store or payment processing system can cause damages resulting in massive tech bills and several frustrated customers. Sensitive information has always been at risk of being stolen at a physical store or online.
  • Hackers can steal sensitive data online by accessing the payment processor's system that is insufficiently protected or by "intercepting transaction data during transmission to or from the merchant services provider".
  • It was found that most retail industry data breaches were made by hacking stores that utilized point-of-sale technology. Updating the e-commerce store's technology can prove useful in preventing some hacks.
  • Acquiring data breach insurance can help online stores safeguard sensitive information from being stolen, prevent hackers from getting through their system, and limit the damage of a security/cyber attack.
  • According to the Thales 2018 Data Threat Report, 75% of retail businesses experienced a data breach during the period 2017-2018, while 52% of them experienced one during 2016-17. These figures were found to have exceeded the global average.
  • The probability of this risk occurring is high since statistics show that data breaches have doubled in 2018 alone as compared to 19% in 2017. The retail industry was found to have faced the second-highest data breach.
  • Retailers like Best Buy and Sears were affected by the data breach issue in 2017. Retailers that were affected in 2018 include the Panera Bread chain of cafes, Adidas, and Macy's.
  • Potential countermeasures include updating old technologies with more advanced systems that can prevent hackers and safeguard the internal infrastructure, and obtaining Cyber Liability Insurance. The insurance will enable e-commerce businesses to prevent customer identity theft and reduce the damage of an attack on the system.


#4: CYBERSECURITY RISKS: RISK TO FINANCIAL INDUSTRY

  • The risk of cybersecurity is currently the most extensive IT risk known in the financial services industry. It refers to the risk accepted by a financial establishment to keep digital information safe and private from theft, misuse, or damage.
  • The risk arises due to various internal and external factors such as the lack of user privilege segmentation, missing transaction controls, weak password policies, and insufficient logical access controls.
  • In 2018, the Canadian Imperial Bank of Commerce and Bank of Montreal, two of the largest banks in Canada, claimed that hackers stole the financial and personal information of over 90,000 customers.
  • The probability of this risk occurring is high because cyber risk in the form of degraded or disabled systems, destroyed files, compromised accounts, or data theft is considered to be one of the top-of-mind risks these days.
  • The risk of cybersecurity can be mitigated in numerous ways. It is important to ensure that the appropriate controls are installed across all business channels. The different divisions in a company, especially the finance department, must ensure that access to sensitive information is not granted without proper authorization.

#5: TECHNOLOGY VENDOR AND THIRD-PARTY RISK: RISK TO FINANCIAL INDUSTRY

  • The financial industry has a large business ecosystem that is made up of software providers, information technology providers, management consulting firms, outsourcing firms, human resources firms, accounting firms, and legal organizations.
  • A failure in addressing emerging risks to internal management processes in financial institutions such as banks can lead to systemic and operational threats.
  • The Economist Intelligence Unit conducted a survey of 400 C-suite executives from leading banks around the world, which revealed that over 71% of banks are currently focusing most of their digital investment on safety and cybersecurity, while only 17% of them are considering the risks from third-party relations due to open banking.
  • According to the survey conducted by BitSight, over 97% of respondents claimed that cybersecurity risk that affects third parties is a major concern. It was also revealed that over 80% of those surveyed claimed to have terminated a business relationship because of a vendor's cybersecurity performance.
  • The probability of this risk occurring is high because managing third-party cyber risk has become the top concern for businesses, according to the vice president of Communication and Government Affairs at BitSight, Jake Olcott. He states that although the financial sector is working on managing the risk, key aspects such as effective board reporting and continuous monitoring systems are still lacking in safety.
  • An important countermeasure for this risk is the development of a risk framework that takes advantage of the benefits of digital transformation. This can be done by the financial industry collaborating with various technology suppliers and regulators, both cross-border and domestic.
  • There must be a proper system of safeguarding data placed at the "core of sustainable digital finance". It is also essential for fintech component solutions to be integrated and reviewed in the system's supply chain.

RESEARCH STRATEGY


We began our search by looking at the top technology risks across various industries such as Retail, Loyalty, e-commerce, Sales Transactions, and Finance in industry-specific websites such as SmartInsights, Floship, and Insureon. The articles and reports found enumerate the various risks associated with technology across several industries. We then filtered the information based on technological risks associated with industries such as retail, e-commerce, and finance.

Next, we looked for industry surveys and reports published by market leaders such as Deloitte. The surveys and reports obtained contained information on various technological risks associated with specific industries such as e-commerce and finance. After an extensive search through these channels, we were able to determine the risks that businesses across various sectors are most concerned about. We ensured that each risk identified has been stated as a major risk by business leaders and C-Suite executives of major companies.

Information regarding the potential impact and the probability of occurrence was found based on surveys conducted and statistics/data on risks that have already been faced by companies such as Sears, Best Buy, Macy's, and Adidas.

Part 02 of three

Digital Risks (Part 2)

Various industries face digital risks that can be costly. These are high risks that could affect employees, security, and privacy, or result in injury and damage to property. Below, we discuss five technology risks to the online banking industry, technology industry, and manufacturing.

Client-side Injection (Direct Banking Industry)

Description

  • The Fintech direct bank N26 initially did not pin the certificate or sign the transaction data being sent from its Android mobile app. This runs the risk of the data being intercepted and swapped without the user noticing.

Potential Impact

  • This risk can be categorized as "High" for the following reasons:
    • According to the Open Web Application Security Project (OWASP), this is listed as one of the top ten mobile app security flaws, so it has a high-risk rating.
    • Initially, the app used the company's private and public keys for authentication, but once the data was sent, they did not make sure the transaction was secure. The risk meant a transaction amount could be manipulated and sent to a different destination, even though the original confirmation details were correct.

Potential Countermeasures

  • Ensure data has input validation. In the above-mentioned case, the data should be signed and the certificate pinned. The transaction then could not be subjected to client-side injection, as the fraudulent transactional data would be rejected.
  • Determine transactional flows with code analysis to pick up any possible loopholes.
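
The signing countermeasure above, as an added example that is not code from N26 or from the original page: a backend executes a transaction only when its amount and recipient are covered by a valid signature, so values swapped in transit are rejected. The per-device HMAC key, the `PaymentServer` class, the field names and the sample IBANs are assumptions made for this example; certificate pinning is a separate transport-layer control and is not shown.

```python
import hashlib
import hmac
import json
import secrets


def canonical(body: dict) -> bytes:
    # Fixed key order and separators so client and server MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(device_key: bytes, tx: dict) -> dict:
    # Client side: the MAC covers amount, recipient and a fresh nonce together,
    # so none of them can be changed independently after the user confirms.
    body = dict(tx, nonce=secrets.token_hex(16))
    sig = hmac.new(device_key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


class PaymentServer:
    """Hypothetical backend that refuses any transaction it cannot verify."""

    def __init__(self, device_key: bytes):
        # Assumption: the key was provisioned when the device was paired.
        self.device_key = device_key
        self.seen_nonces = set()

    def accept(self, msg: dict):
        body, sig = msg.get("body"), msg.get("sig")
        if not isinstance(body, dict) or not isinstance(sig, str):
            return (False, "malformed")
        expected = hmac.new(self.device_key, canonical(body),
                            hashlib.sha256).hexdigest()
        # Constant-time comparison of the recomputed and received MAC.
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return (False, "bad signature")
        # A valid message may still be a resend of an earlier one.
        if body.get("nonce") in self.seen_nonces:
            return (False, "replayed nonce")
        self.seen_nonces.add(body.get("nonce"))
        return (True, "accepted")


def demo():
    key = secrets.token_bytes(32)
    server = PaymentServer(key)
    # Constructed sample transaction; the IBANs are placeholders, not real accounts.
    msg = sign_transaction(key, {"amount_cents": 2500,
                                 "to_iban": "DE00CONSTRUCTED0001"})
    # Same signature, but amount and destination altered after signing.
    altered = {"body": dict(msg["body"], amount_cents=250000,
                            to_iban="DE00CONSTRUCTED9999"),
               "sig": msg["sig"]}
    return [server.accept(altered)[1],   # altered in transit
            server.accept(msg)[1],       # what the user confirmed
            server.accept(msg)[1]]       # the same message sent again


if __name__ == "__main__":
    print(demo())
```

A production design would more likely sign with an asymmetric key held in the device's hardware-backed keystore, so the server stores only a public key.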

Unintended Data Leakage

Description

  • The Fintech direct bank N26, in its peer-to-peer transaction system, would initially collect all of a user’s address book. Then the app would post the data to the N26 servers and send it back in a response body (similar to an email body). This was done to identify the details of the person with whom the peer-to-peer transaction was to take place.
  • The risk was that data could be obtained by an unauthorized third party.

Potential Impact

  • This risk can be categorized as "High" for the following reasons:
    • According to the Open Web Application Security Project (OWASP), this lists as one of the top ten mobile app security flaws.
    • The risk was twofold: the potentially copious amount of data was now sitting on the user’s phone without encryption or security, and other applications could read thousands of address details at once.

Potential Countermeasures

  • Secure any data utilized by a mobile banking app on the device against unauthorized access.

Intelligent Automation (Technology Industry)

Description

  • Intelligent automation or smart machines are rapidly transforming the business environment.
  • Some risks associated with intelligent automation include business disruption, inconsistent developer training, lack of controls and deficiency in change management processes.

Potential Impact

  • This risk can be categorized as "Medium" as there is potential for business disruption.

Potential Countermeasures

  • A properly designed and developed governance function is critical to maintaining intelligent automation programs.

3-D Printing (Manufacturing)

Description

  • 3-D printing is revolutionizing the manufacturing industry through the ability to create a broad variety of quality parts.
  • The potential risks in the manufacturing industry are product and professional liability and counterfeiting. For instance, who is accountable for a product flaw: the manufacturer of the product or the manufacturer of the 3-D printer?

Potential Impact

  • This risk can be categorized as "High" because a number of claims are possible against the manufacturer of the product. Examples of potential claims are worker injuries, property damage, and product liability.

Potential Countermeasures

  • Make sure the company is insured and legally covered.

Collaborative robots (Manufacturing)

Description

  • Collaborative robots work alongside workers in the workplace. If there is a malfunction or failure, the business runs the risk of personal injury, property damage or product defects.

Potential Impact

  • This risk can be categorized as "High" because its potential impact on a business is employee safety, product liability through defective products, and damage to property.

Potential Countermeasures

  • Ensure adequate training for the prudent use of collaborative robots.
  • Make sure you have contingency planning in place. For instance, a backup power supply in case of a power failure.
  • Make sure the company is legally covered and insured against possible risks.

RESEARCH STRATEGY

The risks identified here differ from those in part one. Our research strategy was to identify articles and reports that listed the top digital risks across various industries. The reports revealed the top risks, from which we selected five.

Part 03 of three

Digital Risks: Mitigation

Three examples of how global energy companies are mitigating technology risks are increasing cyber insurance, improving data protection, and enforcing policies for proper data handling.

INCREASING CYBER INSURANCE

  • Companies have been leaning towards acquiring cyber insurance to alleviate the pressure of out-of-pocket expenses as a result of a data breach.
  • Some insurance companies now offer policies that cover loss of brand trust in relation to customers.
  • Energy companies have recognized the need for insurance in protecting their companies from cyber attacks. A Marsh report found that 76% of them are worried about the impact of such attacks on the daily operations of their businesses, and 77% are planning to invest more to fight and manage cyber risks.
  • Companies have become more concerned with cyber risks, and as such, they have sought measures to reduce the billions in losses, including insurance coverage and other investments.
  • Two hundred fifty-four companies have already reported that £11.7 million is spent annually fighting against cyber risks.
  • The Global Risk Report predicts that in 5 years, companies will be spending $8 trillion, which is one of the reasons for companies to get insurance coverage to protect them from financial losses.

INCREASING DATA PROTECTION

  • Businesses are investing in advanced technology to protect data and data storage systems and are paying closer attention to their respective network security to check for vulnerabilities.
  • Energy companies have now increased their use of artificial intelligence, which increases companies' risk of exposure, especially in relation to the use of smart grids and internet of things (IoT).
  • While energy companies are trying to adapt to the modernization using smart grids, they fear the cyber risks involved in transforming mechanical systems to digital ones. Therefore, emphasis is being placed on rapid detection and higher resilience for data protection.
  • Chief information security officers (CISOs) have begun to use multilayered security defense, including real-time scanning, behavior analysis, and machine learning to increase data protection within their companies.
  • Increased protection of data is necessary because large-scale cyberattacks are becoming the new norm: "in 2017, the average DDoS target was likely to be hit 32 times over a three months period."

ENFORCING POLICIES FOR PROPER DATA HANDLING

  • There has been an increase in security risks associated with IoT devices, which often lead to financial losses.
  • A Ponemon study found that human error accounted for 24% of breaches, even though a lot is being spent to avoid the same. For this reason, businesses are educating employees on the best practices for proper data handling and the use of new technologies such as cloud-based services.
  • Proper data handling procedures are being taught to both executives and employees in an effort to increase security posture and make staff knowledgeable on vulnerabilities that exist or are emerging.
  • This should help to improve the integration of IoT "and communication between various digital products."

RESEARCH STRATEGY

The research team used several sources such as Risk Management Magazine, Forbes, Trend Micro, World Economic Forum Report, KPMG Report, and Risk and Insurance. We selected common discussion themes/trends about mitigating technology risks from all the sources, that is, they appeared at least three times (frequently cited) across sources. These were then used to create titles for the observed themes, to present the three examples of how global energy companies are mitigating technology risks.
Sources

From Part 01
Quotes
  • "Fraud: E-commerce transactions are much more likely to result in FRAUD than face-to-face ones. The reason is that, when in doubt about the legitimacy of a particular transaction, web-based merchants cannot physically verify the validity of the card or verify that the cardholder is an authorized user by requesting his driver’s license"
  • "Data Breach: Criminals are always looking for ways to circumvent the e-commerce merchants’ data protection mechanisms and steal the stored cardholder information"
  • "Customer Disputes and Chargebacks: Customer disputes and chargebacks are usually the top risk concern for e-commerce merchants. They can be reviewed separately, but I prefer to place them in the same category, because customer disputes, as harmful as they are on their own, do the most damage when they deteriorate into chargebacks."
Quotes
  • "Data breach. Whether it's an attack on your online store or your credit card processing system, a data breach could leave you with massive tech bills and thousands of frustrated customers."
  • "Measures: Many recent retailer data breaches were facilitated by hacking stores that used ancient point-of-sale technology. Updating your technology can prevent some hacks, but not all. "
  • "Cyber Liability Insurance (aka Data Breach Insurance) may pay for the cost of a data breach and help you fulfill your legal obligations, prevent customer identity theft, and limit the damage of a cyber attack on your POS system or ecommerce site."
Quotes
  • "In May 2018, two of Canada’s largest banks, Bank of Montreal, and the Canadian Imperial Bank of Commerce’s Simplii Financial confirmed hackers stole the personal and financial data of more than 90,000 customers"
  • "While the banks took online security measures after the hackers contacted them, it was surprising to see that these processes were not put in place before"
  • "Cybersecurity risk is the most prevalent IT risk in the financial services industry. It refers to the risk undertaken by a financial institution to keep electronic information private and safe from damage, misuse or theft."
From Part 02
Quotes
  • "According to Arxan technology report, 90% of apps surveyed had at least 2/10 of OWASP’s top ten major security risks. Even today 50% of business don’t allocate a separate budget for mobile apps security. While this means a treat for hackers, it can be a huge risk for businesses."
  • "Client-side injection refers to the execution of malicious code on the client-side on the mobile device, via the mobile app. "
  • "Poor or missing authentication allows an adversary to anonymously operate the mobile app or backend server of the mobile app. This is fairly prevalent due to a mobile device’s input form factor. "
Quotes
  • "We succeeded in leaking customer data, manipulating and carrying transactions and even could have entirely taken over foreign accounts. We reported these findings to N26 and did not disclose them before they were fixed. By publishing this case study, we hope to raise awareness about security considerations in the critical banking sector, especially for other FinTech startups."
  • " Even though it is comprehensible that N26 wants to present other N26 users directly in the app, the technical implementation does not preserve privacy as the N26 app uploads all email addresses and phone numbers found in the customer’s address book in plain text to the N26 backend."
  • "Transaction Manipulation. The goal of this attack is the transparent real-time manipulation of a user-initiated transaction."
Quotes
  • "Intelligent automation—including robotic process automation, machine learning, and cognitive solutions—is literally transforming the business world right before our eyes. "
Quotes
  • " Collaborative robots, or co-bots, which work alongside workers, can help bridge talent shortfalls and improve productivity in the manufacturing industry. As manufacturers incorporate co-bots into their operations, they also need to address potential risks. For example, manufacturers could be held liable for product defects, personal injury, or property damage resulting from co-bot failures or malfunctions. "
  • "Additive manufacturing, or 3D printing, can help manufacturing operations boost production and reduce costs, but this new technology may also introduce risks related to counterfeiting, product liability, professional liability, and more. Criminals may create and sell counterfeit, lower-quality versions of a manufacturer’s products, which could result in false product liability claims. "
Quotes
  • "As a platform technology, 3-D printing has the power to launch your company in exciting new directions. But as you rocket into the future, don’t forget to protect your innovations, your investments, and your employees. Checking in with your legal counsel and your insurance provider every step of the way will reduce your risk, helping you reap the many benefits of 3-D printing — while avoiding potential pitfalls."
Quotes
  • "By working alongside employees, co-bots can help bridge talent shortfalls and improve productivity in the manufacturing industry. Manufacturers that work closely with insurance partners to understand how co-bots may affect operations will be better equipped to incorporate them successfully and mitigate potential risks."