Debunking 5 Cyber Security Myths for Restaurateurs
By Karen Samuels, Hub International Florida
Restaurants are often underinsured when it comes to cyber risk. Restaurants collect and store a tremendous amount of personal data – of both their patrons (think: credit card numbers, frequent guest programs) and staff. With greater risk come additional coverage needs.
This can be exacerbated when restaurants are owned or managed by third-party franchisees. While corporate network servers may be covered by the parent company’s cyber policy, local franchise IT networks likely are not.
Because restaurants – both chain locations and mom and pop venues – collect and store data from residents across the globe, when there is a data breach, the restaurant will be liable for notification in every state jurisdiction and country in which a breach victim resides. This can include up to 50 states and the District of Columbia, and international regulations. In addition to proper notification, a data breach requires crisis management, an IT forensics investigation, a privacy attorney, regulatory defense and more. Having the right coverage is critical.
How much do you know about your cyber risk and exposure?
Consider the following 5 cyber risk myths.
Myth #1: Hackers aren’t interested in my data.
Truth: Any data that can be monetized, such as credit card numbers and contact information, is desired. The easier it is to get, the more appealing it is to hackers, even in small quantities.
Myth #2: A data breach is covered under my general liability insurance.
Truth: It is not. Most general liability and other policies explicitly exclude losses due to cyber breaches. When they do offer coverage, it has very low limits.
Myth #3: I only need to secure my network.
Truth: As many as 63% of data breaches are tied to a business’ third-party vendors, including contractors and suppliers. In the six years since Target’s data breach, in which 40 million credit cards were accessed through their HVAC subcontractor’s network, third-party exposures have only multiplied.
Myth #4: Restaurants don’t need cyber insurance.
Truth: Small to mid-sized businesses – including restaurants and hospitality venues – account for 43% of all data breaches. As much as 93% of all data breaches in hospitality and food service are intrusions at the point of sale, through web applications and crimeware.
Myth #5: Cyber insurance is too expensive.
Truth: A cyber insurance policy can cost as little as $1,000 annually, whereas crisis response costs following a breach can easily climb well into six-figure amounts. Legal costs and settlements are also important to consider. Few events can be more damaging to your restaurant than a full-scale data breach.
Cyber breach prevention
While there is no way to totally prevent a cyber breach, there are ways you can minimize your restaurant’s risk. Consider the following 4-pronged approach to cyber risk prevention.
- Avoid cyber risks by making sure all sensitive data is encrypted, including employees’ Social Security numbers, health care information, passwords, etc.
- Prevent intruders by deploying strong firewalls and intrusion detection systems as well as developing robust policies and procedures about document handling, storage and destruction.
- Mitigate your potential cyber risks by developing an incident response plan in advance. Don’t wait until a cyber security breach occurs to create a response and continuity plan. Speak with attorneys, and put in place a notification vendor and a public relations firm, to mitigate the financial impact on the company. Most cyber insurance policies also provide pre-vetted vendors and free access to the carrier’s web portal to help you develop your plan.
- Transfer your risk with cyber insurance. Do you have a stand-alone cyber policy? If so, does it have the right coverage and limits, and does it minimize exclusions?
Cyber Coverage Considerations
Restaurants should not assume that their business’ general liability policy will cover a data breach. Instead, restaurants need specialized cyber insurance to provide the right amount of liability and first-party coverage for breach expenses, regulatory investigation, non-physical interruption and extortion.
Stand-alone cyber insurance typically incorporates robust breach response and loss prevention services free to insureds. Consider the following first-party, post-breach and third-party liability expenses that are covered by a stand-alone policy:
- Legal Compliance attorney
- IT forensic investigation
- Compliance with state notification laws
- Credit monitoring for breached individuals
- PR firm to manage the crisis
- Regulatory fines and penalties, including PCI DSS
- Defense expenses including those from class action lawsuits resulting from the breach
While there is no standard cyber insurance policy that can be applied to every business, it’s important to have an experienced broker to make sure you’re adequately insured.
About the author:
Karen Samuels is an Executive Vice President and the Financial Products Practice Leader for HUB International Florida – www.hubinternational.com – a top global insurance brokerage serving the entire state of Florida. With over 30 years of experience, Karen oversees the firm’s practice for Cyber, Professional Liability and Management Liability insurance. HUB International Florida’s key areas of expertise include: Specialties (hospitality, transportation, healthcare, financial services, real estate, construction, agribusiness and entertainment); Risk (hurricanes, floods, etc.); Personal; and Retirement and Wealth Management. With more than 300 employees throughout nine locations, HUB is able to leverage its resources and expertise to serve local clients throughout the state. linkedin.com/in/karen-samuels-2793144b