New Zealand’s e-commerce landscape is growing. E-commerce businesses now represent 12 per cent of retail sales in New Zealand, with 49 per cent of internet users making weekly online purchases.¹
But online selling comes with as many risks and exposures as opportunities. If you are running or developing an e-commerce business, having a risk management plan or strategy in place may be a good idea to help protect you against potential risks.
Examples include cyber threats, data breaches and reputational damage. Let’s look at some e-commerce risks and how to manage the threats.
According to CERT NZ’s Cyber Security Insights, the average direct financial loss from cyber attacks in New Zealand is $5 million.² Online security risks and threats include hackers, malware and ransomware, and phishing and phreaking scams (where hackers attempt to get money or information through email and telephone scams).
As online businesses grow, they become bigger targets for cybercriminals. Protecting your business and your customers by investing in cyber security measures is a good idea. Use multifactor authentication, have a firewall, ensure your systems are patched and up to date, use SSL certificates for transactions, and vigilantly monitor your website and servers for system vulnerabilities and suspicious activity.
If you employ people, train your team to be digitally savvy to help them spot potential scams and phishing emails. Your bank may be able to provide a list of rules for social engineering to help you and your team identify scams.
A DDoS (distributed denial of service) attack is when a hacker overloads a website, slowing it down or rendering it unusable. Hackers do this by directing vast amounts of web traffic to the target’s servers.
As with other types of cyberattack, planning ahead can help you prevent a DDoS attack. Monitor your site regularly so you know what a ‘normal’ amount of traffic is for your e-commerce site. Increasing your bandwidth (for example, by using a cloud-based service provider), using a content delivery network (CDN) provider and choosing a web host that includes server-level DDoS mitigation tools are some of the ways you could help prevent an attack.
As e-commerce businesses primarily use online transactions to sell goods and exchange money, they can be vulnerable to several types of payment fraud. This can affect you or your customers.
Chargeback fraud, sometimes called ‘friendly fraud’, is when a customer purchases something online and disputes the charge with their credit card company to get a refund. There’s not always malicious intent here – sometimes, the customer doesn’t recognise the transaction.
Credit card fraud is where a fraudster uses someone else’s credit card details to make purchases. Account takeover fraud is when customer data is stolen and a fraudulent actor uses this personal data to log into an account and make purchases.
Remember that all credit or debit card transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS), a global standard that prioritises security and customer privacy. Encrypting and protecting customer data and implementing secure payment gateways and other data protection methods can also help reduce the risk. A robust Point of Sale (POS) system can also help reduce your risk of payment fraud.
Online shoppers have a lot of choices, so customer satisfaction is critical to encouraging good reviews, repeat orders and profitability – or you will risk shoppers going elsewhere.
With an online store, customer experience is paramount. If your website is slow or difficult to use, customer service is unprofessional, or products are not delivered as described, you risk damaging your store’s reputation. Even what you post on social media could impact your business’ reputation.
Likewise, the fallout after a cyber security breach or incident could call for crisis management, particularly if your customers’ personal data has been affected.
Risk reduction here could look like planning and implementing business processes to keep your operations running smoothly and having policies for how you and your employees interact with customers online (including on social media).
If, despite risk mitigation, something does happen, having insurance with third-party liability cover could help cover the costs of litigation, fines and other fees.
This is an operational risk which can affect electronic commerce and brick-and-mortar stores alike. Examples include a pandemic or illnesses affecting your business’ ability to operate, a natural disaster damaging inventory in your warehouse or, in the case of SaaS companies, a bug affecting your core service or product.
Online retailers who use drop shipping to fulfil orders are vulnerable to fraud and supply chain issues if there’s an issue with an order.
Mitigating the risks of supply chain disruptions and other operational issues requires a robust plan. A disaster recovery plan (DRP) may be a good idea to help you set out the potential risks your business faces and what to do should those events occur.
E-commerce is growing in New Zealand – but so are the potential risks of online selling as hackers and fraudsters try to take advantage of vulnerabilities in business systems. Sometimes, events out of our control – like public relations issues and natural disasters – can pose a problem for operations, profits and reputation.
Effective risk management is key:
· Perform a risk assessment for your business. A risk analysis will help you identify your business' risks and exposures. Collaborating with a risk assessment professional like Marsh could help. Our experts analyse factors such as cyber vulnerabilities, payment processing risks, and supply chain complexities to develop customised risk management strategies. Our Online Cyber Self-Assessment Tool is designed for large organisations but could help businesses of any size start thinking critically about cyber security and cyber risk management.
· Design risk mitigation strategies for your business. Develop cyber security measures, establish secure payment processing systems, and implement supply chain risk management practices. Not sure where to start? Talk to your Marsh broker about how we help SMEs minimise their exposure to potential risks and enhance their resilience in the e-commerce landscape.
· Invest in insurance that addresses the unique needs and risks of e-commerce so you have financial protection if something does happen. Our cyber security insurance options include cyber liability insurance, data breach response insurance, product liability insurance, and business interruption insurance.
Online selling offers many opportunities for New Zealand SMEs, but, like any business model, there are potential risks and exposures, too. From cyber threats and data breaches to supply chain issues and reputational damage, e-commerce businesses need robust risk management strategies to protect their customers, their data and their reputation. Regularly doing risk assessments, implementing strategies to mitigate risks and having the right insurance policies in place to help you if something does happen can help protect your business and set it up for growth and success.
If you need help, talk to our expert brokers. They’re here to help you understand your business risks and to take the hard mahi out of insurance.
References
1 E-commerce in New Zealand – statistics & facts, Statista Research Department, published July 2023, accessed November 2023, https://www.statista.com/topics/10921/e-commerce-in-new-zealand/
2 Quarter Two Cyber Security Insights 2023, CERT NZ, published November 2023, accessed November 2023, https://www.cert.govt.nz/about/quarterly-report/quarter-two-cyber-security-insights-2023/
This publication is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein.
Marsh Ltd (NZBN 9429040918792)(“Marsh”) arranges insurance and is not an insurer. This webpage contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire the product, refer to the specific policy wordings and/or product disclosure statements available from Marsh on request.