Industry Spotlight: Retail
Retail Cybersecurity: Time for Reckoning
The retail sector has become one of the most dynamic and vulnerable arenas in the cybersecurity landscape. As digital transformation accelerates, retailers face mounting pressure to secure billions of daily transactions, protect sensitive customer data, and maintain operational continuity amid increasingly sophisticated cyber threats.
Retail is a study in contrasts. Grocery chains operate on razor-thin margins, around 20%, while department stores and e-commerce platforms enjoy margins closer to 40-45%.[1] This disparity affects not only profitability but also risk exposure. Online retailers, for instance, are more vulnerable to full operational shutdowns during cyber incidents, whereas brick-and-mortar stores can continue limited operations even during digital outages.
The hybridization of retail, in which physical stores integrate digital payment systems, loyalty programs, and online ordering, has expanded the attack surface. Retailers now straddle both physical and digital domains, requiring layered security strategies that balance protection and response. While this sector may appear to be composed of dissimilar individual entities, they all share a common enemy: cyber threat actors that target vulnerable organizations.
From Credit Cards to AI-Driven Threats
The evolution of retail cybersecurity mirrors the broader arms race between attackers and defenders. From the introduction of credit cards in the 1950s to the widespread adoption of chip-and-PIN in the 2000s, each innovation has prompted new attack vectors and defensive countermeasures.
The Payment Card Industry Data Security Standard (PCI DSS), first introduced in 2006, has undergone multiple revisions. The latest update, PCI DSS v4.0.1, published in June 2024,[2] clarifies requirements around multi-factor authentication (MFA), encryption, and third-party service provider relationships. In December 2024, version 4.0 was retired, making 4.0.1 the active standard.[3] Retailers are now expected to comply with it or risk penalties and reputational damage.
Retail threats today focus less on payment card processing and more on the core business. Common threats include ransomware, credential stuffing and account takeover, supply chain attacks, and even insider threats. This is a natural evolution for an industry that increasingly operates with a digital-first mentality, and it is evidenced by a spate of recent attacks.
Recent Incidents: A Wake-Up Call for the Industry
Despite a focus on cybersecurity in the sector for the past 20+ years, the retail industry is fraught with examples of costly and crippling breaches. And because of the role these businesses play in consumers' daily lives, the incidents tend to be highly visible and widely publicized.
In Spring 2025, several prominent retailers suffered devastating ransomware attacks linked to the Scattered Spider group. Hackers infiltrated one company's systems via compromised credentials, deployed ransomware, and paralyzed online sales, costing hundreds of millions in market value.[4]
Simultaneously, other retailers faced intrusion attempts and back-office system shutdowns. These incidents reflect a broader trend: 43% of retail breaches now involve credential compromise, and containment takes 19 days longer than in other sectors.[5]
The impacts can be long lasting: a 2024 study found that 68% of breach victims reduced online purchases, and 42% deleted accounts entirely. Retailers must now treat cybersecurity as a customer experience issue, not just an IT concern. As the business shifts from brick and mortar to e-commerce, this risk grows.[6]
According to Sophos' 2025 report, ransomware attacks on retailers have surged, with 58% of incidents resulting in ransom payments, up from 32% in 2021.[7] The average ransom demand has doubled to $2 million, and extortion-only attacks, where data isn't encrypted but a ransom is still demanded, have tripled.[8]
Loyalty Programs: A Hidden Risk
In 2023, a retailer disclosed a breach affecting 10 million customers, with stolen data including names, addresses, and the final four digits of payment cards.[9]
A 2025 market report revealed that 30% of retail breaches now target loyalty programs, and 35% of victims report identity theft post-breach.[10]
Technology Trends: Defense Gets Smarter
Retailers are adopting AI-driven threat detection, which reduces breach identification time by 40%. Behavioral analytics tools and zero-trust architectures are gaining traction, helping detect anomalous access patterns and prevent lateral movement within networks.[11]
Only 29% of consumer goods firms have implemented AI-based security systems, leaving many vulnerable to tactics like MFA bombing and SIM swapping.[12]
The rise of digital wallets, such as Apple Pay and Google Pay, has improved transaction security by using tokenization. Yet adoption varies geographically, with Asia leading at 60% of e-commerce transactions, compared to 30% in North America.[13]
Regulatory Pressure and Privacy as a Growing Concern
The UK National Cyber Security Centre is now involved in major retail breaches, pushing for mandatory breach simulations, standardized encryption protocols, and real-time threat intelligence sharing.[14]
Consumers, too, are demanding more: 73% want real-time breach updates, and 68% expect complimentary credit monitoring for at least two years post-incident.[15]
Beyond the cybersecurity challenges faced by retailers, the industry is also suffering from increased Privacy Liability exposure. Numerous US and European privacy regulations (e.g. VPPA, CIPA, wiretapping laws, etc.) have emerged and caused many organizations to unknowingly run afoul of them through widespread use of ad-tracking technologies; for example, retailers are 73% more likely to use Meta Pixel tracking than other websites. These features and tools can lead to FTC and other penalties, while serving as low-hanging fruit for class action lawsuits.[16]
This trend is expected to continue and intensify: 57% of retail attorneys report increased litigation in cyber/data protection, according to the 2024 Annual Litigation Trends Survey conducted by Norton Rose Fulbright. E-commerce, video content retailers, and California-based companies are expected to see the highest levels of exposure.[17]
Call to Action: From Reactive to Proactive
Fortunately, while hard-learned, these lessons can help make the entire industry more resilient. A few opportunities include:
- For Privacy Liability, audit all tracking technologies, ensure explicit user consent, and review privacy policies
- Shift from reactive breach response to proactive threat hunting. This means:
  - Mandate at least quarterly cybersecurity training for staff (data suggests currently only 41% meet this standard)
  - Implement zero-trust architectures to prevent lateral movement
  - Utilize behavioral analytics to detect insider threats
  - Explore AI-powered fraud detection to reduce false positives
Broker Considerations for Retail Cyber Risk Submissions
When preparing a cyber risk submission for a retail customer, brokers should ensure they address both historical risk factors and recent incident trends. Key areas to highlight include:
- Demonstration of Strong Preventive Controls:
  - Multifactor Authentication: Evidence that robust MFA is in place, as it remains one of the most effective deterrents against unauthorized access
  - Endpoint Detection and Response: Confirmation of 24/7 monitoring and rapid response capabilities to detect and contain threats
  - Network Segmentation: Details on how the customer segments its network to limit lateral movement in the event of a breach
  - Resilient Payment Operations: Information on backup payment processes, such as store-and-forward capabilities and relationships with multiple payment processors
- Front-Line Defense Against Social Engineering:
  - Highlight the customer's policies and procedures to prevent social engineering attacks, including employee training, secure credential reset processes, and layered email security
- Business Model and Risk Profile:
  - Provide a comprehensive overview of the customer's business operations, including any vertically integrated functions (e.g. manufacturing, distribution, digital sales)
  - Include details on revenue channels, transaction volumes, margins, and order management/fulfilment processes, as these can materially impact first-party exposure
- Adoption of Emerging Technologies:
  - Disclose any use of new technologies (e.g. facial recognition for loss prevention) and describe how privacy and compliance risks are managed
- Risk Improvement Services:
  - Consider recommending risk mitigation services available through insurers, such as security awareness training or regulatory landscape reviews
Final Tip for Brokers: Encourage customers to provide as much detail as possible in these areas to support a comprehensive underwriting review, maximize potential coverage terms, and achieve pricing credits.
Sources
- [1] What Is a Good Profit Margin for Retailers?
- [2] https://www.pcisecuritystandards.org/document_library?category=pcidss&document=pci_dss
- [3] PCI DSS 4.0.1: A Cybersecurity Blueprint by the Industry, for the Industry | SecurityWeek
- [4] From Retail to Insurance, Scattered Spider Changes Targets | Security Magazine
- [5] https://www.ibm.com/reports/data-breach
- [6] https://www.verizon.com/business/resources/reports/dbir/
- [7-8] https://www.sophos.com/en-us/content/state-of-ransomware
- [9] JD Sports hit by cyber-attack that leaked 10m customers' data | JD Sports Fashion | The Guardian
- [10] https://www.forrester.com/report/the-state-of-retail-cybersecurity/RES178456
- [11] Zero Trust Architecture: Strategies and Benefits | Gartner
- [12] Malicious actors increasingly put privileged identity access to work across attack chains | CSO Online
- [13] Indonesia: increase in search queries for Korean food 2020 | Statista
- [14] https://www.ncsc.gov.uk/news/retail-cybersecurity-guidance
- [15] Consumer Study on Aftermath of a Breach FINAL 2
- [16] Usage Statistics and Market Share of Meta Pixel for Websites, September 2025
- [17] Norton Rose Fulbright's 2024 Annual Litigation Trends Survey | Global law firm | Norton Rose Fulbright
Disclaimer
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. Cyber incident examples may be based on actual cases, composites of actual cases or hypothetical claim scenarios and are provided for illustrative purposes only. Facts may have been changed to protect the confidentiality of the parties. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.
The practices, services or service provider(s) discussed herein are suggested as risk mitigation or incident response resources only. Use of any practice, service or service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract, or compliance with any law, rule, or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any practice, service or service provider as part of its overall risk management strategy.
For information about our products and underwriting companies, please see https://www.axiscapital.com/product-information