Welcome to Chopping It Up. I'm your host, Mike Haleon, the senior restaurant and food service analyst at Bloomberg Intelligence. I've got a great guest today. I'd like to introduce Deborah Nika, Senior Manager of Cybersecurity and Privacy. She's also the privacy services leader at Cohen Resnik and she's also been named Top Twenty-Five Women in Food Service and Hospitality. Thanks for doing this.
Deborah, Thank you so much for having me on. Excited.
Yeah, this is cool because this is a topic that's, you know, become increasingly important. You know, I'm old enough to remember when investors didn't really care so much. You know, I remember trading stocks in the early two thousands and Target or Walmart or somebody would have a security breach and you know, the stock would trade down for about five minutes and then it would go back higher than where it was trading prior to the news, and it was just kind of, people thought it was
a cost of doing business. But things have changed a lot over the last two decades.
Yeah, I mean, you know, we're not living in that world anymore. Unfortunately, we live in an economy where a breach is no longer a blip on the radar. A cybersecurity or privacy incident is, you know, the tip of the iceberg, and everything that comes, you know, under the water that you don't see is, you know, loss of investor confidence, loss of consumer confidence. And it really is not a fun place to be, having to crawl back up and refresh your brand image and capability.
Yeah, that's great, and so before we really dig in here, can you please tell the listeners a little bit about your background and the cybersecurity practice at Cohen Resnik?
Yeah, so I am. I am a self you know, I am a data geek. I am so excited about information, and you know, spend the very early years of my career decades ago, wanting to be an academic librarian. I was, I was really going down the path of like I want to sit in a crusty old library and just like go through archives and books all day every day. And living in New York City, you really quickly learn
like that's not sustainable. Like I could be a librarian and eat beans, or I could take this knowledge that I've built up and figure out how to, you know, pivot. We love that word pivot, right, pivot into the corporate space, and it was the earlier days of what today we know as big data and really the early start of companies figuring out, hey, we have all this information and how do we use that information to make data-informed decisions? Right?
Gone are the days where an executive licked their finger and like put it up in the air and to figure out which way the wind was blowing on a deal. Right. So my career has really followed that data life cycle, Right, how do we collect information, how do we curate information, how do we use information and flow it through our technology systems? How do we use that information to make
data-informed decisions? And then, you know, ultimately, after what I'll call a Big Brother moment mid-career, I was like, hey, we've got to really do more about protecting the data, right, and protecting the people that are ultimately the ones that are impacted, you know,
by that data. So four years ago, I mean it started way earlier, but four years ago I had the great privilege of coming over to Cohen Resnik as part of their cybersecurity, tech, risk and privacy practice, and our, you know, our mission in market, if you will, is to help companies understand that cyber and privacy don't need to be scary, they don't need to be these unattainable, only technology-driven capabilities.
But how do you use cybersecurity programs? How do you use competency around privacy, compliance and management to actually drive value in your business? Right? So if it's a transaction, right, how are you preparing your company to make sure you're getting great valuation? How do you make sure that you're prepared to answer the hard questions of the underwriters of how are your systems and how are your data secure? How are you running your business? How are you growing
your business? How are you sustaining that growth? Cyber and privacy are front and center to that equation. But before we go any further, I think one of the places I really like to start in chatting about this is what is cybersecurity? What is privacy? Because when we say cybersecurity, I can guarantee you half or more of our audience is going to think of a hacker sitting in a room somewhere at night, chugging Red Bulls in a dark hoodie, right,
trying to crack code. And it's not that. Cybersecurity, there are three main tenets of cybersecurity that we call the CIA triad. Confidentiality, so information in your ecosystem is being maintained in a confidential manner. Integrity, that the information in your systems can be relied upon. This is extremely important for publicly traded companies, especially when you get into things like Sarbanes-Oxley compliance. And availability, that your systems
are available when you need them to be right. And then we layer on this wrapper of privacy, which historically legally has been defined as the right to be left alone. Right, But for companies that means you know, when, how and to what extent can you use the information that you've collected about your customer, about your population, about your consumers.
So, you know, I always love to lay that out because it really helps contextualize what it means, what it means bringing this into your business. How does this actually impact the decisions that you might be making about a new business line, a growth of a business line, an investment in technology, an investment in a membership rewards program, right, putting an app out there to let folks, you know, order ahead? So it makes an impact.
Cool, and so you know, there's a few different types of cyber attacks. You know, I guess if you could talk about them a little bit and maybe what customers should be particularly worried about right now. You know, I think I've read something recently about ransomware attacks being up over one hundred percent year over year, and
things of that nature. So I guess maybe the, you know, biggest issues may depend on the size of the company, but if you can kind of give us some color on that, that would be great.
So, ransom. I would definitely say ransomware is what we're seeing get the most news coverage, if you will. Right, so ransomware, in simplest terms, is your systems have become unavailable because of a threat actor. Right. It can be somebody who is out there for monetary gains. They just want to access your system to be able to get paid, that ransom. Right.
It could be political, right. It could be an activist that is not in agreement with something that you've said or put out there in the marketplace, which we see impacting, right, our industry today. So somebody comes in, takes over all of your systems, a system, a critical financial system, the point of access into your environment, and doesn't let you back in until you've agreed to pay a fine, right, or a fee or some sort of cost value. The other thing we're seeing
a lot, interestingly enough, is the theft of intellectual property. Right. So we live in a very fluid marketplace. Intellectual property theft doesn't really get that much airtime, but it is especially important. I worked with a company a few years back, and this was a transaction. So, you know, we said, okay, what's your crown jewel? Right, what are you the most afraid of would get exposed? And they're like, there's only one thing that we're worried about. I said, okay, what is it? And they go, our recipes. Like, if our recipes walked out the door, we're out of business. There's absolutely no reason for us to continue getting up in the morning. Right. So, where we normally think of, hey, hackers coming in, our threat actors coming in, they're taking over our financial systems, they're taking over our employee data,
they're changing numbers in our finance system. So we're actually paying them when we think we're paying a vendor or our employee, right, this company was like, hey, if this recipe gets out the door, we're done.
Yeah.
It's literally their secret sauce.
Literally, and you know, like I'm a native New Yorker, we're very, very, you know, proud of our pizza industry. Right, generally speaking, can you imagine if your favorite pizza place all of a sudden had like a new dough recipe, new sauce recipe, like the whole nine yards? Like, I'm not going back there, yeah, right. And you can say the same thing uphill, right, for larger industries, right, if you're gonna change something and all of a sudden you're like, hey, that's what we made money off of.
First thing that came to my mind was the Colonel's secret recipe. It's worth a lot, man, it's worth a lot. Oh yeah. So, in addition to restaurant companies, what other types of clients are seeking your help? Other industries, other verticals who are seeking your help?
Yep. So our team very proudly is industry agnostic. What I focus on day in and day out is what I'll call the hospitality-adjacent companies. Right, it's manufacturing firms that are coming in and maybe, you know, producing items, or consumer retail companies. Real estate. Everybody always forgets that real estate is a bigger market than just the, you know, the industrial real estate side of things.
A lot of noise being made, especially in states like Illinois, on biometrics. Right, what does that mean for the smart building space? What does that mean for real estate companies that are putting technology in to help them manage from afar? Technology companies, a lot of noise today.
Right.
We saw Apple and the Google Play Store start putting controls in place around what kind of application security posture, hygiene, privacy posture and hygiene could be put out there. And then of course, you know, we can't ever forget that the financial services industry spends a good amount of time doing cyber privacy diligence in support of transactions. Right, so what does a potential company's potential acquisition look like from a cybersecurity lens? Right? What kind of risk
is present in their environment? What does that look like for, you know, let's call it the private equity company that's going out and buying them, right, that the risk comes with it? How does that impact the reps and warranties insurance? How does that impact money that may be set aside in escrow to cover potential liability obligations? You know, especially in consumer and hospitality, they're very people-centric industries. Right.
Nobody wants to be the company that bought the other company and all of a sudden finds out that, hey, there was a breach of a million records of personal information and we're doing business in California and all of a sudden you're running afoul of the AG's office in California with CCPA and CPRA. Right, there's a lot of contentious conversations that are happening of what is the obligation of covering that risk in the transaction.
Okay?
Cool?
And so, you know, are you seeing in the research that consumers are significantly changing their behavior following cyber attacks? And I guess, how's that changed over the last decade or so?
Yeah, really good question. So the greatest shift that we've seen is in upfront conscientiousness by the consumer. Who am I getting into business with? You know, what are they doing with my information? Is this brand doing right by me as a consumer? We all remember the days of the Target breach, right, and most forget that Target was breached because of their HVAC system. Right.
It wasn't that Target went out and willingly did something that was running afoul of their customers. A big Target fan here, this is not a knock on Target, right, this is the reality of the world that we live in. And you know, the response was, okay, well, Target was required, right, to go out and get credit monitoring service for their customers. Most people still think that it was Target's goodwill that they went out and got credit monitoring service for their customers.
That's not the case. They were required to do it, right. But today we very much still see this conscientiousness by consumers to say, you know what, I'm not going to opt in. I'm not going to download an app that is knowingly using my information. We're seeing a lot of it now, right, with the way that there's this conscientiousness of how is big tech using our information? How are they monetizing my information for their own purposes?
In a post Roe v. Wade world, right, there was a lot of light that was suddenly shone on, well, there are all these apps that help women, and what are their practices around cybersecurity? How
might my information be compromised there? So there's certainly this upfront, you know, conscientiousness, and on the flip side, right, there's a lot of brand reputation that is impacted when the oh no moment happens, not if the oh no moment happens, but truly when. Right, what did the brand do to protect my information? What was their social contract
that they had with me? What information did they give me in their privacy policy, their terms and conditions upfront, about how that information they were collecting about me was going to be protected? So we are seeing a little bit of a shift. We're seeing a lot more noise come out when a brand is impacted. And the reality in the marketplace is that we're no longer living in a marketplace where there's only one makeup store, or there's only one retail shop, or there's only one
shoe store that you can shop in. Right, so brands have to take that proactive stance of saying we are custodians of this information. We have built this reputation in the market with our customers. We have to do right by protecting this information, using it with fairness, using it with transparency, because the reality is that if our clients want to walk away, it's going to be that much harder for us to reacquire that client.
Yeah, more costly as well. Yeah for sure. Yeah, it's really really interesting. You know, I think there's definitely been more attention paid to it.
Right.
You have people in the media, you know, looking at, you know, TikTok terms of service and things of that nature, right. And so I think, I don't know if it's hurt their user base at all, but you know, you have people definitely more cognizant of what's being captured, right, and what's being used and how it's being used. So
I think that's a good thing, anytime consumers are willing to educate themselves, right. So, what are the main vulnerability points both at the restaurant level and at the corporate level?
Tough question, and I hate to sound like a consultant here, but I'm going to give the first consultant answer, which is it depends. It depends what the ecosystem looks like. I'll say that, you know, even up to like four or five, six years ago, when we had these types of conversations with brands, it was like, oh, well, I'm PCI compliant, my credit card data is safe, and you're like, okay, that's fine, and I am so happy that you got
through the PCI questionnaire, which is like totally counterintuitive, let's say. But now we're beyond credit card information, right, and I think that the questions now that these companies should be asking themselves, especially in a post-COVID world, is what does your technology landscape look like? Right? Are you using cloud-based platforms to support your orders, your fulfillment? What does that look like? How are your restaurant locations, or how, you know, how
are your store locations interconnected to one another? What does that mesh of network look like? How are you granting access to your systems? How is your customer interacting? Right? Are they coming in, making a purchase, and that purchase is being shipped? Are they coming in, making a purchase, and the purchase is going out the door with them? Are
they ordering ahead for pickup? Right? So this, what we'll call ninety percent reliance on technology, has really changed the game of where you need to look for the technology-related risks. Your apps, right? Who's developing them? Are they developing them in a secure manner? Are they being updated? How is information that you're collecting about your consumer being protected and used, right, through that app?
Again, above and beyond just credit card information. Right? How are you granting and maintaining access to your point of sale systems? What kind of point of sale systems are you using? Are you pushing the onus onto your vendors to make sure that they're behaving and coding and developing their own software in a secure manner? Right? How is information going from store location back to HQ? Right? What does
your cyber hygiene, privacy hygiene and posture look like at headquarters? Right? And that is logical, right? How are folks interacting with your systems? How are they getting into your buildings, technologically? Right? What controls do you have
in place around your technology systems? Again, how are you working in partnership with your vendors to make sure that, if you're using a cloud-based system and you're like, oh yeah, you know, so-and-so company's responsible for security because they're providing me this platform. Guess what, buddy, read the fine print, because that risk transfer that you think that you're making is not really there. Right. There are obligations that you've got on your side to
make sure that you've got appropriate controls in place. How are those systems interacting with one another? Right? What does that interface look like between your systems? How are you educating your people and your users to maintain a sense of cybersecurity hygiene? Right? You know, one of the latest statistics out there is sixty-five percent of cybersecurity incidents start with your people. Somebody clicked the link that they
shouldn't have, right, and we're a click-happy bunch, humans. Right, so are you educating your people on, hey, don't click the link? If your finance team is getting requests for wires, are they calling the person to confirm that it's a legitimate request, that the account number has not been compromised in email transit? Are you
doing technical testing of your boundaries? Right? Are you having an objective third party come in and look at all of this? And I think the other piece that really gets lost in all of this is, are you empowering your information security and your privacy teams to do what they need to do? Are you giving them, you know, the monetary support? Are you giving them the
right human capital to be able to do this? Are you giving them a seat in the conversation to say, hey, here's where we are today, Here's where we need to be in the future to meet all the obligations that we're putting out there. Right. Are you educating your board again?
You know, the SEC has proposed rules out there for publicly traded companies that, you know, in the future, should these rules pass, you're going to have to have educated board members, right, really be aware of what does cybersecurity mean? Right? And you've got to be able to train your board on what cybersecurity risk looks like for the company. So I think where we talk about,
you know, what is the vulnerability to a brand, you've also got to really weigh what the impact is going to be. Right. You could have, let's say, a single location's Wi-Fi go down, it sucks, right. It could be malicious intent behind that, it could just be the fact that it's Wi-Fi and it's not always going to be friendly, right. But what if your critical application goes down? What if your CRM goes down? What if your order payment system goes down? Right? And
it is a threat actor. You know, what does it mean for your business to be out of, you know, technology service for four hours, for eight hours, for three weeks? How many dollars are not coming in the door because of that? Right? So you've really got to understand what are your crown jewel systems, what technology do you need to keep safe, and what investment are you willing to make as a company to make sure they stay safe.
Yeah, that's great. And you know, what I found when I was doing a little bit of legwork before we spoke that was interesting was how much they spoke about employees and protecting employee data, right, because I've just been thinking about it at the consumer level, right, and the credit card data and the loyalty data and all that kind of stuff. But obviously securing employee data is important too.
Right. So without naming names of brands, because I feel for the brands, irrespective of the size of these companies, I feel for the brands that are dealing with this. The state of Illinois gifted us some new laws around biometric information. Right, so I think you're spot on. When companies think about data, we're always thinking about consumers. We really also need to include employees in that. And the reason I bring it up is because it is not unmanageable.
Again, speaking in broad strokes here, I don't want to throw any companies under the bus on this. Right. When we think about employees, I'll give you this scenario. An employee walks in the door. You're using, you know, upper right quadrant technology for your employee timekeeping systems, and your employee comes in, they scan their thumbprint, they've clocked in, they work the shift, scan back out, end of day. Right,
How are you protecting that information? Did you give disclosure to your employees that you're going to be using their biometric information to do this? How are you maintaining the security of that information that you're collecting? How are you maintaining information about your employee and their health care status? Right, especially in the restaurant industry world, right, if there's a health matter that's being investigated related to
an employee. So there are all these laws that are very specific to employee data. I don't want to ever be a labor attorney. I give that group of specialists great respect. Right, but what are you doing? And do you understand the complex environment that you're operating in about that information? Right?
You know, Illinois, California. You know, there are states that are really making it easy for businesses to operate, and there are states that make it a little bit tougher. And you've got to really do the work to understand what are our obligations, and a lot of it really comes down to how are you informing your employees about this? Right? What does that look like to inform your employees? Here's
the information we've collected about you. Here's how that information is being used, here's where that information is stored, here's how it might be shared. Because it's not just, you know, the yesteryear of, oh, we're collecting employee information so we can send it to, you know,
the company that does our health insurance. Right now, all of a sudden, you're saying, okay, we're collecting really sensitive information about an employee, and maybe we're using AI to decide, hey, this person works this shift and that person works that shift because of XYZ capability. But there are inherent biases to a lot of this that I think that our industry, well, the technology industry at least, is still fleshing out. But I will say we're seeing a lot
creeping up, especially in Illinois. What does it mean to use employee information appropriately, even if it's for legitimate business practice? And, you know, where can companies start getting in trouble?
And you mentioned the employee data being upper right quadrant data. I'm not familiar with the quadrants. I can kind of maybe back into a guess there, but if you can kind of talk about the quadrants a little bit, talk about what the upper right quadrant means for, you know, us laymen.
So oftentimes when I talk with businesses and we start having conversations of hey, we're finally out of COVID, right, We're finally back to a world where we can make technology investment. We're like, we're gonna go look at Gartner, We're gonna go look at Forrester, and we're gonna pick like the top leader, right. The leader of this is like the best tool or application that we can get in the space. And this is this you know, Gartner leading or Forrester wave leading technology is going to solve
all of our problems. You know, I'll contextualize that by saying Gartner and Forrester are great resources for information. Right, they're fantastic. I use them quite a bit. But you've got to then say, okay, we're making this investment in technology, we're going with, you know, this HR information system, right, but what does that mean for your business? You're making this gigantic investment. These tools, technologies, applications are not cheap, right.
How are you then deploying that in your environment? A, what technology risk are you introducing to your environment by doing this? B, how are you setting appropriate controls of who's got access to what information? Is it commensurate with the job that they're doing? Right? C, how are you giving people appropriate disclosure about what information you're storing about them? Right? How are you integrating these systems with other technologies that are in your environment?
And I think the big one, which is, let's call it, one of the largest emerging issues in cyber and privacy, is what kind of onus are you taking on because of this third party? Right? You went out, you spent half a million bucks on a system that is, oh, but it's great, it's a SaaS solution and we don't need to have a server farm
anywhere supporting it. And this vendor is going to do all this maintenance and they're going to support it for us and we don't need to worry about, like, backing it up or disaster recovery or, you know, UX and UI updates. It's fantastic. Right. But somewhere there's a paragraph in your contract that could say, hey, we reserve the right to use this data that you're uploading as we see fit. Right, what kind of exposure did you
just introduce to your business because of this third party? Right? Alternatively, right, on the extreme opposite side of the example, we'll get cases where the company is like, look, we just need something. I googled, the first ad that came up, we went with them, and oh, by the way, we got like the first year free, I guess, right,
and it's great. Right. And then very similarly, like, you know, you're like, okay, we'll review the contract for you from a cyber or privacy perspective, and the contract's two pages, right, and a full page of it says, by the way, you got this free year because you're giving us access to use your information and turn around and sell it to another customer. And that's why you're not paying the ninety-nine ninety-nine a month in twelve equal installments, right.
And what happens with those smaller mom-and-pop companies that are out there is they're not doing the due diligence to make sure that that tool, application, technology, right, name it what you will, is secure. They're not helping you to shore up and mature your own cybersecurity hygiene because they're introducing, right, a mode into your environment where this is living. They may or may not be acting above board in terms of
the data sharing. The data sharing is behind the scenes, and all of a sudden, right, this thing that you were like, oh, this is great, we got out of paying ninety-nine ninety-nine a month, well, hey, guess what you just took on from a risk perspective, right. So there's a lot of, you know, obligation that companies have that doesn't always get seen, of what does it look like to proactively manage their
third party risk? Right, and especially in hospitality and especially in the food industry. Food companies should be doing food. They're not technology companies, right. So the high likelihood is there's a lot of these tools in their ecosystem, right, and likely not getting looked at.
Is there a way for them to negotiate out some of that third party risk?
Yeah, absolutely. Again, I'm not an attorney, not legal advice, but consult your friendly neighborhood attorney in the space.
The other thing that companies really should be considering is what does their data sharing agreement look like with these vendors? Are companies setting out the appropriate rules of the road based on their business, the jurisdictions where they're conducting business,
their type of end consumer? Are they setting out the right rules of the road with these vendors, saying here's how you may or may not use information, right, here's how you are obligated to help us in the case we have a need around this information? Especially for the companies that are required to be GDPR compliant, especially for the companies that are required to comply with CCPA/CPRA, companies that are operating in states with emerging or
newly enacted privacy laws, this is going to become critically important. Understand what your data sharing landscape looks like, and the risk around third parties is front and center in that conversation. Understand, yes, you as a company, you're collecting information, you're using it, right, for, again, fully legitimate business purposes, but then you're sharing it, right, and you may not think of sharing it in that way, but ultimately that
is what it looks like. Right, you are sharing information with your technology platform. What are the appropriate rules of the road for that platform to be able to use your data?
Okay, cool. And you know, can companies also insure some of their risk against cyber attacks and third party risk?
I love that question. I spend a lot of my time talking about that question. So cyber insurance is incredibly expensive, it is harder and harder to get. There are more and more exclusions being put into policies. So yes, you can go out and you can get it. It is not a set it and forget it. Most cybersecurity insurance policies today are very descriptive of what capabilities a company has to have in place in order for the cyber insurance policy to be effective and cover a potential breach loss,
whatever it is. So most of the time you speak to folks and they're like, no, I don't need to do anything. I have cyber insurance and it'll be great. And then the oh no moment happens, because again nobody is immune from an oh no moment, and they go to their cyber insurer and they're like, hey, I have to pay like two million dollars of ransom, right, to get my finances back. The cyber insurer is like, no,
I'm not covering that. It's like, what do you mean? Like, we've been paying you a hundred thousand dollars, right, for this, and the cyber insurer is like, well, you didn't have any proactive controls in place. You weren't doing your job in making sure that you're authenticating traffic that's crossing the network. You weren't doing annual risk assessments to understand where you might have cybersecurity risk exposures. You weren't doing a good job at
managing your third party risk. And even though you had a great CRM platform that you paid half a million dollars for, right, two years ago, and you finally got the implementation, and that's where the vulnerability came from. You didn't do enough to proactively understand what your cyber risk landscape looks like internally and to mature your capabilities to
mitigate those risks. So, yeah, cyber insurance is available out there, but there is a large obligation that's still put on companies to have that oh no file ready, if you will. Hey, every year we've been doing, you know, an objective, you know, cybersecurity risk assessment. We understand that we have areas that we can mature, but we've got these baseline competencies in place. We're making sure that folks are accessing our network in a secure manner.
We're using multi doctor authentication for people coming in. We're doing proactive scanning of our network to detect any any potentially malicious activity. You know, We're doing annual penetration testing to make sure that that the walls around our castle are intact. We're educating our users with security awareness training. We're training our leadership to be able to identify spearfishing
and you know, whale fishing. And if you have those in place, you're in a much better position to go to your insure and say, look, the own no woman happens. We need help, you know, we need hey, we ensure, we need your help being able to engage a an incident response team or a ransom you know, uh recovery team and somebody's got to go figure out how to buy bitcoin for me to pay this ransom. Right, But we did everything that we were supposed to do, and
the own no, theman still happened. And in those cases, the insurers are looking. You know, it's a more favorable outcome for the most part. Now that's not written in stone. There are some insurers that are better than others. I will not name names here, right, but but that's really where we try to help folks understand. You could have a great cyber insurance policy. That doesn't mean that you're fully protected.
Okay, cool, cool. Yeah, and I guess in terms of the insurers you recommend, I guess we have to pay for that.
We could have a lovely one on one chat on, you know, what that space looks like. But I'll refrain from publicizing too widely my feelings.
So what should a restaurant chain do if they suffer a cyber attack?
Engage a good attorney. I say that tongue in cheek, but, you know, this is really where your service providers that you have relationships with come into play. So, most of you know, very, very openly, your attorney is going to be critical in a lot of this. There's going to be a lot of conversations that happen of what do we know, what don't we know? And frankly, attorney client privilege is going to be very helpful, right,
until you get your feet under you. Obviously, there are obligations in certain jurisdictions to let, you know, an Attorney General's office know if the cyber event that happens is a data breach and there's a disclosure of personally identifiable information, right, there are obligations there. You know, that is again where a really good attorney in the space, in the room, is going
to help you through that process. Your cyber insurer, if you've got cyber insurance in place, will be dramatically and drastically helpful in terms of getting boots on the ground to help you get, you know, systems back, to help you understand, you know, what is the breadth and depth of this cybersecurity incident to your environment? You know, if it's an internal, you know, insider threat, it's a, you know, totally different game. You're getting departments
like HR involved. But leading up to this, you know, the cyber incident, the point of cyber incident is not the time where you want to be figuring this out. You want to do a lot of this planning for the oh no moment before it actually happens. So we always make the recommendation that on a regular basis you should be simulating, right, even if it's a tabletop event,
you should be simulating these discussions. Sit folks in a room, and that includes your CEO, that includes your investor relations, that includes your legal team, that includes, you know, IT, if your insurer is proactive, your, you know, cyber insurer, and talk through, hey, here's a scenario, how are we going to respond to this? How are we going to get to the other side of this moment? Because there is light at the end of the tunnel. At the end of the tunnel, a cyber event is
not the end of your company. Right? So, you know, if you feel that there's capabilities in house to lead that in house, do it, or partner with a third party. Right, and shameless plug for our team here, right, we do these regularly. Right, we're sitting down with the board, we're sitting down with the incident response teams to say, how are you actually going to respond to this? What does this mean to be able to go out to the market and say, yes, we, brand ABC, that is
a publicly traded company in this many states, here's what happened to us, here's what we're doing to respond to it. Here's how, to you as a consumer, this may impact you if there is a data breach. Here's what types of your information and how your information might have been exposed. But look at your partner landscape to help
support that response. It should not happen in a silo, and it certainly should not be, you know, that cyber event or, you know, the privacy breach event should not be the point where you're figuring it out.
Yeah, by then it's too late.
Right.
Oh yeah, all right, So how is cybersecurity impacting loyalty programs? And do you think privacy and data concerns are going to slow down the shift to one to one marketing?
Yes. So here's kind of, you know, what we talk about when it comes to loyalty programs. Loyalty programs are great. I myself will say that I love my loyalty programs. I love getting to know that my tenth pizza is free. And I'm not going to name the brand, but we all know, right? I love my tenth pizza's free. Right. But the reality is, to sign up for a loyalty program, you're giving them a
lot of information about yourself. So let's first talk about, from a consumer perspective, right, whether or not the loyalty program is really worth it. Right, if this is a brand that you have an ongoing relationship with, yeah, maybe you want to say, okay, look, if I give my information, I get my tenth pizza free, I get twenty percent off my purchase of, you know, linens and whatever. All right, totally, have at it. Let's say this is a brand that it's a one
and done. You're on the road, you're grabbing a soda, you're grabbing a coffee somewhere at a rest stop. Right, what does it look like for you to actually give that information? Right? Is there an ROI for you for doing that? So I don't want to ignore the fact that a consumer plays a really big role in this relationship, right, on the marketing front. Now, let's go to the company side of this. Right? So companies are looking to say, okay, we want to understand better who our
consumer is. We want to figure out, you know, we're piloting products, let's see who buys from a membership perspective. We're using this to maintain customer loyalty, right, to increase customer lifetime value for us. You know, gone are the days where we can just put cookies and pixels on our websites, right, and have at it. Because again, thanks, right, to the powers that be for disallowing us to do that. Right.
But you're collecting, as a company, massive amounts of information about people that they may or may not understand the impact of. Right? So how are you going to collect information about your user base? How are you going to aggregate that information? How are you then going and buying, let's say, consumer sentiment information to layer on top of this, right? How are you potentially using geolocation data as an
additional layer here? Right? And what does that mean now to that massive data set in aggregate? Instead of just, hey, you know, Debra Nica who lives in city X and meets the demographic measurement, right, now you're like, hey, Debra is more likely to buy, you know, shoes A versus shoes B, and she's more likely to go to store one versus store two. Right? So now that data set has become a lot larger and a lot more
risky for your company if a cyber event happens. Right? So I think a lot of what the loyalty program, you know, is showing us is, yes, you can do it, yes, you can do it in a smart way. But you've got to be really, really measured of what is it that you're trying to push out there to your customer and how much risk, you know, are you taking on, and is that ROI still going
to be worth it at the end? I'm going to age myself for a second, but I remember the really, really early days of, like, the ShopRite card and the key card. Everybody had it on the little key card, right, and it was like, well, to the point you have to, like, go into the store, right, to swipe your card, and that is not the shopping experience reality. Right, I'm biased. I'm in New York, right, and there's no ShopRite where I live. I miss my little
membership card, right. But now, what does it look like for me to have a loyalty program for a supermarket that I am going to, right, or an online grocery service that is kind of my way? So I think that, from a business perspective, there's a great utility for the loyalty program. It's also going to impact the breadth of your security, right. So we look at this from the lens of: you, as a company, have certain information assets that you're going to use to
drive value for your company. You're going to support revenue, you're going to put the loyalty program out there, the oh no moment happens or the oh no moment is about to happen. Right, you have one hundred million pieces of data in your ecosystem, right, and every one of those pieces of information is an exposure point for you. So let's say
the oh no moment happens. We have fifty states in our country, and every single state has its own data breach law, right, none of which are the same. It's crazy, right? We have great precedent here for why privacy laws are state by state, right, because we couldn't get it right with data breach, so why should we get it right
with privacy, right? So there are thresholds in each state. Some states have a threshold that says, you know, all it takes is one person's record to be breached and that is going to trigger you to have to inform your attorney general's office, and it's going to trigger some sort of requirement for you to respond to this breach. Other states are like, nope, it's got to be over, you know, five, ten thousand, whatever it is, records for it to
actually trigger a response for you to need to do something. Now, let's say you have a loyalty program and you've got, you know, this hundred million data points, right, and you've got all these records about people. What does it mean in that oh no moment? How much of that information is actually value-additive information that you are utilizing to support business? And how much of that is information that you were collecting because you could, because
you could take on that information? And what does that mean in protecting it? Right? Are there appropriate controls around it? Are there locks on the treasure box of this treasure trove of information? Right? Or is it information that ultimately exposed you to requirements and to the cost of responding to a breach and, you know, the cost of responding to the impact of, you know, brand erosion in that oh no moment?
That's great, thanks. Do you have time for one more?
I have time for one more.
All right, good stuff. So last question, are ESG investors placing a focus on cybersecurity? Are they focusing enough on cybersecurity? I'd imagine this is probably a big part of the governance piece of ESG.
Oh yeah. So we're seeing a lot of conversations happening from an ESG lens on this. So cybersecurity is certainly from a governance lens, and then privacy from a social lens. Right. So I'll say that, for the most part, right, unless a fund is purely
an ESG play, right, there are still, I would say, conversations that are emerging in this space, right. But there's a lens that says we have to report out, we are required to report out on our ESG activities, and we're going to use cybersecurity or privacy as a means to quantify ESG for us. So what we see a lot of the time is there's this focus on what does cybersecurity mean and how can cybersecurity hygiene be
used to inform that governance metric? And from a privacy perspective, how are companies, let's say, call it a portco, right, in this example, how is a portfolio company maintaining the privacy standards of, you know, their consumer base, of their data, in order to really understand this social contract aspect
with their customers? So I think that there's a really, and this is personal opinion, right, I think that we're going to see an increase in a lot of these types of conversations. I think that as we see more proliferation of, you know, ESG based funds, we're going to see a lot more traction in the conversation of, you know, the seat at the table that cyber and privacy, you know, have in that value-add creation.
Very cool. That was awesome. I learned a lot. Is there a best way, you know, an email you'd like to share, something like that, a best way for our listeners to get in touch with you if they have any questions?
Yeah, absolutely. So, always happy to chat and geek out about this, Debra cofres dot com. Happy to chat with you. I am going to say, feel free to Google, because Google is still very much one of our best friends: CohnReznick Cybersecurity, Tech Risk and Privacy team, and we're always happy to have a chat, have a thought, you know, a moment of thinking and sharing and looking forward.
Awesome. Well, thanks for doing this, thanks to our listeners for listening, and have a good day, everybody.
