Brian Pennington

A blog about Cyber Security & Compliance



100 Percent of Retailers Disclose Cyber Risks

According to BDO’s analysis of risk factors listed in the most recent 10-K filings of the 100 largest U.S. retailers, risk associated with a possible security breach was cited unanimously by retailers, claiming the top spot, up from the 18th spot in 2007.

Since major retail security breaches began making national headlines in 2013, retailers have become acutely aware of the growing cyber threat and cyber-related risks. Between new point-of-sale systems and evolving digital channels, the industry faces unique vulnerabilities: Retailers are responsible for safeguarding consumer data as well as their own, in addition to protecting against potential gaps in security related to third-party suppliers and vendors.

“2016 marks the 10th anniversary of our retail risk factor analysis, and throughout the decade, we’ve seen the retail landscape undergo a dramatic evolution in response to the recession, new and maturing e-commerce channels and evolving consumer preferences,” said Doug Hart, partner in BDO’s Consumer Business practice. “Retailers over the years have proven to be in tune with the industry-wide issues and trends that could pose risks to their businesses, and they are clearly not tone deaf when it comes to reacting to the urgency of cybersecurity.”

The following chart ranks the top 25 risk factors cited by the 100 largest U.S. retailers:

| Top 20 Risks for Retailers | 2016 | 2015 | 2014 |
| --- | --- | --- | --- |
| General Economic Conditions | #1 100% | #1 100% | #1 100% |
| Privacy Concerns Related to Security Breach | #1t 100% | #4t 99% | #8 91% |
| Competition and Consolidation in Retail Sector | #3 98% | #1t 100% | #3 98% |
| Federal, State and/or Local Regulations | #4 96% | #1t 100% | #2 99% |
| Natural Disasters, Terrorism and Geo-Political Events | #5 94% | #7 96% | #13 87% |
| Implementation and Maintenance of IT Systems | #6 93% | #4 99% | #7 92% |
| U.S. and Foreign Supplier/Vendor Concerns | #6t 93% | #6 98% | #4 96% |
| Legal Proceedings | #6t 93% | #9t 95% | #8t 91% |
| Labor (health coverage, union concerns, staffing) | #9 91% | #7t 96% | #5 94% |
| Impediments to Further U.S. Expansion and Growth | #10 90% | #12t 92% | #17 78% |
| Dependency on Consumer Trends | #11 88% | #9 95% | #6 93% |
| Consumer Confidence and Spending | #12 87% | #15 89% | #8t 91% |
| Credit Markets/Availability of Financing and Company Indebtedness | #13 85% | #11 94% | #11 89% |
| Failure to Properly Execute Business Strategy | #14 82% | #12 92% | #11t 89% |
| Changes to Accounting Standards and Regulations | #15 76% | #14 90% | #13t 87% |
| International Operations | #16 73% | #17 86% | #15 80% |
| Loss of Key Management/New Management | #16t 73% | #19 80% | #16 79% |
| Marketing, Advertising, Promotions and Public Relations | #18 66% | #25 68% | #24 64% |
| Consumer Credit and/or Debt Levels | #19 62% | #27 65% | #23 65% |
| Joint Ventures | #20 61% | #21 76% | #18 74% |

Additional findings from the 2016 BDO Retail Risk Factor Report:

Cyber Risks Include Compliance Measures

As the cyber threat looms larger, retailers are bracing for new and emerging cybersecurity and data privacy legislation. Risks associated with cyber and privacy regulations were cited by 76 percent of retailers this year. This is in line with the findings from the 2016 BDO Retail Compass Survey of CFOs, in which nearly 7 in 10 retail CFOs said they expected cyber regulation to grow in 2016. These concerns have been highlighted by President Obama’s recently unveiled Commission on Enhancing National Cybersecurity and continued debate in Congress over information sharing between the government and private industry.

Retailers have not escaped regulatory scrutiny. The industry is also subject to Europay, Mastercard and Visa (EMV) standards that bolster credit card authentication and authorization. Industry analysts estimate that just 40 percent of retailers are compliant with EMV standards despite the Oct. 1, 2015 deadline.

“Mandating EMV chip-compliant payment systems is an important first step in shoring up the industry’s cyber defenses, but it’s just the tip of the iceberg,” said Shahryar Shaghaghi, National Leader of the Technology Advisory Services practice group and Head of International BDO Cybersecurity. “Online and mobile transactions remain vulnerable to credit card fraud and identity theft, and POS systems can still be hacked and provide an access point to retailers’ networks. New forms of malware can also compromise retailers’ IT infrastructure and disrupt business operations. Every retailer will experience a data breach at some juncture; the real question is what mechanisms have been put in place to mitigate the impact.”

E-Commerce Ubiquity Drives Brick & Mortar Concerns

Impediments to e-commerce initiatives also increased in ranking, noted by 57 percent of retailers in 2016, a significant contrast from 12 percent in 2007. In 2015, e-commerce accounted for 7.3 percent of total retail sales and is continuing to gain market share.

As e-commerce grows and businesses strive to meet consumers’ demand for seamless online and mobile experiences, retailers are feeling the effects in their physical locations. The recent wave of Chapter 11 bankruptcies and mass store closings among high-visibility retailers has raised concerns across the industry. Ninety percent of retailers are worried about impediments to growth and U.S. expansion this year. Meanwhile, risks associated with owning and leasing real estate jumped 14 percentage points to 54 percent this year.

Heightened worries over the impact of e-commerce on physical locations are far reaching, driving concerns over market competition for prime real estate and mall traffic to rise 19 percentage points to 46 percent. Meanwhile, consumer demand for fast shipping fueled an uptick in risks around the increased cost of mail, paper and printing, rising 10 percentage points from seven percent in 2015 to 17 percent this year.

General Economic Conditions Hold Weight

General economic risks have been consistently top of mind for retailers throughout all ten years of this survey. Even at its lowest percentage in 2008, this risk was still the second most cited, noted by 83 percent of companies.

Despite the fact that since 2013, general economic conditions have remained tied for the top risk, concerns about specific market indicators have receded.

For more information on the 2016 BDO Retail Risk Factor Report, view the full report here.

About the Consumer Business Practice at BDO USA, LLP

BDO has been a valued business advisor to consumer business companies for over 100 years. The firm works with a wide variety of retail and consumer business clients, ranging from multinational Fortune 500 corporations to more entrepreneurial businesses, on myriad accounting, tax and other financial issues.

A new report indicates that UK fraud has fallen by 50% in the last 12 months…

BDO’s interim 2012 “FraudTrack” report has some fascinating results concerning fraud trends in the UK, and for the public sector it isn’t easy reading.

It is worth noting, before reading the extract from the BDO report, that the data only relates to frauds of £50,000 or over. This leaves a considerable amount of discussion on the decline or growth in smaller areas of fraud, for instance credit card fraud, which is never likely to exceed £50,000 due to improved fraud prevention techniques.

“Fraud reporting habits are increasingly being influenced by fear of reputational damage” says Simon Bevan, Head of Fraud Services at BDO LLP, as the accountancy firm releases its 2012 Interim FraudTrack report.

The report states that the total value of reported fraud plummeted to £424m between December 2011 and May 2012.

The report indicated:

  • a 54% drop against last year’s (2011) figure of £920m
  • a 55% decline in the average value of fraud, which fell from £4.5m to £2m
  • an increase in the number of cases reported, with 212 cases between December 2011 and May 2012, in comparison with 204 in the same 2011 period

The report has a breakdown by sector:

  • Public administration has seen the highest value of fraud reported in this 6 month period, accounting for almost £253m – 60% of all fraud reported. This has fallen 41% from the 2011 figure of £431m.
  • The Finance & Insurance Sector accounts for 17% of all fraud in the period (£71m). This has fallen 74% from 2011 when the recorded figure was £274m.
  • Fraud in the retail sector stands at £49m, just 12% of the total figure. However, this has risen dramatically from last year’s figure of £11m – a fourfold increase.

Simon Bevan commented: “The only sector where we’ve seen an increase in the value of fraud reported is in retail. This is a sector which is currently under a lot of pressure, so this isn’t particularly surprising. Fraudulent activity is often uncovered when businesses are paying closer attention to their finances, especially in situations such as property acquisition and store refurbishment.”

Breakdown by type of fraud

  • Tax fraud accounts for the greatest amount, at £249.5m – 59% of all fraud for this period.
  • After tax fraud, management fraud accounts for 9% (£39m).
  • Mortgage fraud is down dramatically from last year’s figures, currently sitting at around £9m (just 2% of total fraud) in comparison to last year’s £82m.
  • Employee fraud counts for £34m (around 8%) – again, down significantly on the same period last year (£192m).
  • Procurement fraud has dropped dramatically, from £25m last year to £3m in 2012.
  • Third party fraud has more than halved in the same period from £78m between December 2010 and May 2011, to £30m in the last 6 months.

Breakdown by location: for the first time in 6 years, London has not been the location with the highest amount of reported fraud.

  • The Midlands: £184m
  • London: £165m
  • North East: £38m
  • East Anglia: £16m
  • North West: £9m
  • West Country: £5m
  • National: £4m
  • Northern Ireland: £1m
  • Wales: £1m
  • Scotland: £700k

Simon Bevan commented: “This really is a dramatic fall. This year’s interim figures are not even a quarter of last year’s total, which was more than £2bn between December 2010 and November 2011. That said, it’s important to remember that these only represent fraud which is reported to the police. In fact, it is in the area of civil investigations and prosecutions in which BDO is most active. We certainly haven’t seen less fraud occurring.

So what does it tell us? Despite this drop in value, we’re actually seeing more cases going through the system, but of lower value. We suspect that organisations are only bringing in the authorities for small, relatively simple frauds. If that’s the case, I’m in no doubt that reputation management is a key factor in this decision. Organisations just don’t want to air their dirty linen in public. It would appear that the police are no longer the first port of call when it comes to dealing with the larger, complex frauds that can be so damaging to reputation.

We’ve certainly seen this in our own work. Whilst quantum has historically been the key driver for our appointment in fraud investigations, reputational issues have become much more important. Organisations are increasingly aware of the impact that reputational damage can have in terms of loss of earnings, loss of future customers, unsettled employees, increased regulatory oversight and damage to share price, amongst other things!

There are other reputational issues at stake that can have far reaching consequences. Take for example a case where a fraudster convinces the accounts payable team to change supplier contact details and bank account details. This is a simple fraud but something we are seeing increasingly, the result being that millions are then paid away to a bogus account. The reputational impact of a supplier not receiving their payment on time is significant. Such circumstances could force that supplier to reconsider their association with you and ultimately affect your ability to run your organisation. Most frauds like this one are not complex and could easily be prevented by simple due diligence, but one thing they do have in common is their impact on your reputation”.

The original BDO post can be found here.

