In the wake of large-scale data breaches against retailers such as Target, Neiman Marcus and Michaels, the Retail Industry Leaders Association has launched the Retail Cyber Intelligence Sharing Center in an effort to strengthen defenses against cyber-attacks and protect consumers.
Companies participating in the initiative include Target, Lowe's, Nike, Safeway and Walgreens, according to a statement from RILA.
Through the R-CISC, retailers will share cyberthreat information among themselves and with public and private stakeholders, including the U.S. Department of Homeland Security, Secret Service and FBI. The R-CISC also will provide advanced training and education and research resources for retailers.
Recent data breaches have drawn the attention of retailers' senior executives to the need to share cyberthreat information. "Even though a firm may be able to weather a data breach in the long run, it's now something that can affect the careers of senior management in the short run," says Allan Friedman, a research scientist at the Cybersecurity Policy Research Institute at George Washington University, where he works on cybersecurity policy issues.
Picking up Friedman's point, David Navetta, co-founder of the Information Law Group, sees the initiative going beyond security "to improve the perception of the retail industry when it comes to consumers. That perception issue is certainly more prominent due to these high-profile incidents."
Al Pascual, fraud analyst at Javelin Strategy and Research, says retailers have gotten significant heat for not replicating information-sharing forums found in other industries. "Given the federal government's recent rumblings regarding the need for greater cybersecurity oversight, everything has coalesced to make this the right time to get a program like this off the ground."
Michael Bruemmer, vice president of Experian Data Breach Resolution, sees the sharing of information and resources in all industries as being in the "best interests" of consumers. "Recent incidents in different sectors have heightened the awareness of data breaches and the urgency to address security," Bruemmer says. "We will continue to see movement in this area to educate on data breach preparedness and advance protection capabilities at all levels from the federal government to the small business space."
Cyber Intelligence Sharing Center
The R-CISC was developed with insight from more than 50 of America's largest retailers, in consultation with key stakeholders including federal law enforcement, government agencies and subject matter experts.
The center has also consulted with other organizations, including the Financial Services Information Sharing and Analysis Center and other ISACs, the National Cybersecurity and Communications Integration Center and the National Cybersecurity Alliance.
The R-CISC will consist of three components: a Retail Information Sharing and Analysis Center, education and training, and research.
The Retail-ISAC will identify real-time threats and share actionable intelligence to mitigate the risk of cyber-attacks, RILA says. The ISAC will allow retailers to share cyberthreat information with each other and share anonymized information with the American government via a cyber-analyst and a technician embedded at the National Cyber Forensics and Training Alliance.
On education and training, RILA says retailers will be able to learn from key stakeholders and advance leading practices on cybersecurity, cyber risk mitigation and data privacy in a trusted environment.
Additionally, the R-CISC will collaborate with academia to provide research on emerging technologies and potential future threats.
Phyllis Schneck, DHS deputy undersecretary for cybersecurity and communications, says the Retail Cyber Intelligence Sharing Center will further enhance DHS's collaboration by providing information and resources that can help companies keep their networks and information secure. "We have seen a sharp increase in the number of malicious actors attempting to access personal information or compromise the systems we all rely on, in the retail industry and elsewhere," she says.
In December 2013, Target reported a massive data breach that exposed 40 million credit and debit card accounts, along with personal information on 70 million customers. Following the breach, Gregg Steinhafel resigned on May 5 as the company's chairman, president and CEO (see Breach Aftermath: Target CEO Steps Down).
On April 17, arts and crafts retailer Michaels confirmed its stores were hit by a data breach that potentially compromised account information for 3 million payment cards (see Michaels Confirms Data Breach). The breach involved "criminals using highly sophisticated malware."
Neiman Marcus in February reduced its estimate of the number of payment cards compromised in its breach last year (see Neiman Marcus Downsizes Breach Estimate). An investigation has determined that the number of potentially affected credit and debit cards was about 350,000, down from the original estimate of 1.1 million.