3 Ways to Serve Up Best Practices in Cyber Risk Management
Restaurants are increasingly implementing new technologies to power operations, create efficiencies, and enhance the customer experience. Mobile apps and other innovations are transforming business models, including allowing organizations to better collect and use customer data.
But they’re also creating new risk exposures and points of vulnerability in critical systems, networks, and hardware, and increasing opportunities for data breach and theft. Indeed, 41% of respondents to Marsh’s 2019 Restaurant Risk Management survey said they had suffered a breach involving corporate or customer data or at the franchise level.
Here’s how restaurant risk professionals can manage their new and evolving cyber risks.
Taking the Measure of Your Restaurant’s Cyber Risk
Effective cyber risk management starts with a thorough understanding of your exposures. Since restaurants are a high-touch environment for customer data, there are myriad opportunities for data theft.
But the threats extend beyond data breaches. Cyber-attacks and technology failures can pose significant risk to operations and supply chains, resulting in revenue loss, extra expenses, and/or reputational damage. The near ubiquity of online ordering, mobile solutions, production automation, and technology-streamlined back- and front-end processes creates new, often unanticipated risks.
Recommendation: To fully understand the business impact of these exposures, it’s critical that restaurants measure them economically, quantifying potential losses across a range of business interruption and breach scenarios.
What’s on the Menu? Brand Protection
In a relationship business, it’s important that consumers trust their favorite restaurants to handle cyber breaches and events with transparency, efficiency, and care. And customers typically don’t differentiate between corporate-owned and franchised locations. Among survey respondents, 8% reported experiencing a breach at a franchisee, reinforcing the importance of managing franchise-level exposures.
Recommendation: While it may not be feasible to control all processes and technologies used by franchisees, franchisors should stay attuned to franchisees’ cyber exposures and ensure robust incident response plans are in place and regularly tested, and that everyone knows their role.
The Right Ingredients
Cybersecurity technology cannot always protect a company from cyber-attacks. That’s why it’s essential to purchase cyber insurance, which can protect your balance sheet from the financial impact of cyber events that technology is unable to prevent. Encouragingly, 85% of survey respondents said they purchase cyber insurance.
Cyber insurance purchases should be based on quantification of a company’s cyber risk exposures. Since every company has unique technology usage, data, and risks, policy limits should be based on an organization’s loss exposures. Companies that quantify cyber risks better understand their exposures and tend to buy higher coverage limits: nearly 40% of survey respondents purchase limits of $20 million or higher. Among Marsh’s retail, wholesale, and food and beverage clients, average limits purchased rose by 25% in 2018, reaching $27 million.
Recommendation: Regularly review your insurance policies to ensure that limits are adequate to cover your exposures, and that you have the right types of coverages in place to respond to business interruption events within your organization and along your supply chain, as well as the many costs and liabilities associated with data theft.