Retail food chains have become technology companies that happen to sell food, and it comes with downsides.
Digital transformation is no longer a trend, it’s just the new reality, and it’s moving fast. Management teams also understand it comes with tradeoffs. New tools are needed beyond cybersecurity for better managing the downsides.
To understand the macro factors contributing to cyber attacks like the one impacting Ahold Delhaize’s Food Lion and Hannaford grocery store chains in the US in mid-November, it’s good to start with the larger business and risk context.
After tens of billions of investment in digital transformation over the past several years, grocery stores are now technology companies that happen to sell food. A trend that gathered pace during Covid-19, it has only accelerated with the continued adoption of AI over the past three years. Companies like Ahold Delhaize, one of the largest food retail groups in the world, are driven by the need to enhance customer experiences through more seamless, more personalized experiences, improve operational efficiency through better inventory management, and generally meet the rising demand for e-commerce capabilities. The more companies know about their customers’ buying habits, including what and how they purchase items through things like digital loyalty programs, the more efficient the businesses become.
Food retailers spent $13 billion on technology investments in 2022 alone. To put that number into context, it’s almost the size of the global cyber insurance market. 85% of retailers said they were experimenting with new technologies to improve the customer experience in 2022. And it’s not just retailers. Food suppliers spent almost twice as much (2.4%) on technology as food retailers did (1.3%) as a percentage of sales in 2022.
It’s driving the transformation of delivery, automated operations and digital payments. AI, specifically generative AI, has major implications, making it easier for brands to interact with customers on social media platforms, chat with customers online, and send out personalized recommendations and promotions.
Ahold Delhaize has been investing aggressively in digital transformation because it’s integral to their growth: In November 2021, Ahold Delhaize projected that starting in 2023, its ongoing digital and omnichannel investments would contribute around €10 billion ($11.4 billion) in incremental sales by 2025. This included deepening relationships through digital loyalty programs and increasing the role of automation and analytics in their logistics and customer interactions.
Management teams and shareholders love the upside that comes with digital transformation. Proof of this can be found in Ahold Delhaize’s new strategy, Growing Together, aimed at improving topline and bottom-line growth. President and CEO, Franz Muller said in the Q4 2024 Report, “Rolling out new technology is fundamental enabler of our Growing Together strategy, particularly as we look to elevate the customer experience and bring more value to shoppers in real time….”
Other stated goals of the strategy include:
Innovate for growth and efficiency
“By leveraging our data to drive retail media, data and insights, partnering with other industry leaders to develop strategic capabilities, and scaling new business models in the B2B and B2C areas, our ambition is to grow complementary income streams to around €3 billion by 2028.”
Leverage and lower our cost base
A key driver of our industry leading margins is our Save for our Customers program. We continue to have a relentless focus on driving operational efficiency and cost discipline, to fund growth and simplify our ways of working. Between 2025 and 2028, we are raising the bar to €5 billion in cumulative savings, by stepping up our efforts in areas like joint sourcing, infusing AI and automation in logistics, distribution, store operations and back office, and by simplifying and refining our operating model to enable us to operate more efficiently and sustainably.
The upside for companies that execute well on digital transformation investments is clear, but this has translated to significantly more cyber risk to the downside.
And Ahold Delhaize, like most large companies that have also invested considerably in cybersecurity, recognize this tradeoff. According to Ahold Delhaize’s Annual Report in 2022: “Our focus on omnichannel and digital transformation has continued during 2023, increasing our ‘attack surface.’ We continue to see increasing levels of malicious attempts to access our networks, internet-facing sites and applications. Although there has been no direct impact on our organization to date, there has been a continued increase in the frequency and size of payouts by companies whose systems and data have been exploited by malicious hackers.”
The company foresaw this growing risk at least two years prior to the large breach and continued to invest in security to minimize the risk of an event like this. Yet it occurred anyway.
It speaks to the dynamism of cyber risk. Note the reference to ‘frequent change’ in this disclosure from $11billion US food retail giant Albertsons in their 2023 Annual Report in reference to attackers:
“We regularly defend against and respond to data security incidents. While we are vigilant in monitoring the security of our information technology systems, we may not be able to prevent all unauthorized access or remediate the impact of such unauthorized access. The techniques used by cyber criminals change frequently and often cannot be recognized until launched against a target.”
We’ll find out the financial impact of the Ahold Delhaize attack in the coming months. But a couple things are clear: large, sophisticated companies like Ahold Delhaize understand the new reality of digital transformation comes with tradeoffs. What’s missing are better tools for understanding, assessing, financing and transferring this increasingly dynamic risk.
Establishing risk pricing and determining appetite based on an annual assessment of something changing as quickly as cyber is no longer sensible for many companies. This is one reason why more large companies are turning towards more self-insurance like captives that enable them to structure and manage the risk in a more dynamic manner. Companies with cyber in their captive can use tools like the CyFi Platform to reassess (and as necessary reprice) the risk on an ongoing basis throughout the year.
Many large companies, including shipping and logistics company A.P. Moeller Maersk, are finding it more cost-effective to bring the risk in-house. According to Zurich’s latest captive report, following the company’s benchmarking exercise, they priced their risks on average 25% below the market. Maersk attributed this to having a lower expense ratio, lower profit expectations and a better understanding of the risk.
Though the move to captives for cyber risk has continued regardless of the drop in premium rates, we expect this trend to accelerate among large companies in the new year as the understanding of the risk and how to price it better improves.