Mistakes Restaurant Owners Make Related to Cyber Liability

October 25, 2017

By Jason VanGotten, Colorado Restaurant Insurance

Even with all the recent news headlines related to data breaches and cyber attacks, the likes of which have never been seen before, cyber liability is a relatively new area of risk that restaurant owners now face. As customer data continues to be obtained and stored by restaurants, the risk of a data breach inside or outside the restaurant continues to increase year over year. Malicious hackers typically steal credit card data from restaurants that accept cards by hacking into point-of-sale systems remotely and seeding those systems with malicious software that can copy account data stored on a card’s magnetic strip. Thieves then use that data to clone the cards and use the counterfeits to purchase high-priced merchandise, or put them up for sale in a so-called theft bazaar such as Joker’s Stash prior to the card-issuing banks cancelling them.

 

In the midst of this are some very dangerous misconceptions held by restaurant owners. These misconceptions keep them from taking necessary steps to better understand their cyber risk and coverage related to such vulnerabilities.

 

Consider these 4 Common Mistakes a Restaurant Owner Can Make in this area of risk management.

 

My general liability insurance protects me in the event of a data breach or cyberattack. Most restaurant owners purchase a general liability or businessowners policy believing their insurance agent has placed this as an optional coverage on the policy. But for now that is very rare. Even if it that were the case, the policy will only provide defense coverage for the insured, typically up to $25,000 to $50,000. Your general liability coverage lacks the breadth needed to properly protect the restaurant owner from the cyber liability losses. A stand-alone cyber policy provides the broadest coverage a restaurant owner needs for third party costs, data breach response, PCI fines levied from card services, notification resources, legal fee’s and forensic costs. Not investigating this closely is akin to leaving your restaurant door open when you leave at night, not a great strategy for ensuring the safety of your restaurant.

 

A stand-alone cyber policy will be unaffordable. Depending on your restaurant size and gross revenues, a typical restaurant owner can expect to pay between $900 to $3,000 annually for a stand-alone cyber policy. However, the risks of loss may be too great to ignore this protection, in particular your brand image after a data breach or cyberattack.

 

My IT company and firewalls installed will protect me. These entities have a service level agreement (SLA) with your restaurant. When was the last time you reveiwed your SLA? Many times these agreements do not protect you, the restaurant owner, instead it protects them from any involvment related to a data breach or cyberattack. Make sure you check your SLA and have a conversation with your IT company to see what they will do for you in the event of a data breach or cyberattack. Many times your employees pose huge risks to the safety of your cyber data, from opening suspicous emails, downloading malware or even losing smartphones with connections or memorized passwords. Remember that a data breach can also occur with employee records that are not well protected or disposed of properly.

 

My merchant services are protection enough. Again, there is a service level agreement between you and your merchant servicing company. While this may give a restaurant owner hope, chances are that you will ultimately be responsible for protecting your customer’s data as it passes through your IT systems. Therefore, you should consider the costs to your restaurant if your merchant services vendor does not agree, or points the finger in your direction for who is responsible.

 

A cyber criminal can strike with little to no warning, leaving the restaurant owner with tremendous clean up cost; from data recovery to rebuilding your restaurant’s brand reputation. An owner or manager can only do so much. The people that deal in the day-to-day operations of the restaurant also need to be aware of what to do and why to do it. As a restaurant owner you owe it to yourself and your employees to investigate this protection and risk before you decide not to worry about it. A restaurant owner must be deliberate and careful in purchasing cyber coverage. Specific risks must be understood and the appropriate coverage identified.

For more information pertaining to cyber liability coverage, please contact Jason VanGotten at jvangotten@corestaurant.org

Cyber Liability – Are You Covered?

October 3, 2017

By Jason VanGotten, Colorado Restaurant Insurance —

 

Originally, I began writing about this back in 2015 when cyber-attacks were starting to become relevant in our world. Now, the world of cyber criminals have fully evolved and results show that 2017 recorded the highest number of cyber-attacks globally. This is evident in the vast amount of attention recently given to cyber-attacks with companies such as Equifax, Sonic, Chipotle, Time Warner, Anthem, Target, and more. Cyber liability is something all businesses need to consider, even the hospitality industry. Considering that your business likely has a website, uses social media, uses internet connected computers, has a point-of-sale system and most importantly an electronic payment processing system, you probably conduct more cyber business than you may be aware of. Yet, when was the last time you discussed this risk with your insurance agent? Cyber criminals have exploited all sizes of business and cyber liability can no longer be ignored.

 

The discussion around cyber exposure/risk is extensive and complicated. Exposures include computer fraud, hacking, ransomware, phishing, malware, adware, lost equipment and even simple mistakes. Some of the most common occurrences within a small business begin with:

 

  1. Online hacking and data theft of confidential information such as credit card numbers, personal identifiable information, social security numbers, date of birth, etc.;
  2. Accidental loss or sharing of proprietary information; and
  3. The inside threat, known as phishing, of employees stealing sensitive account information from employers and customers.

 

There are a lot of misconceptions regarding both your exposure and how to protect yourself. Unfortunately, many times the realization of insurance shortfall comes after something drastic happens. The common mistakes an operator can make regarding cyber liability are:

 

  1. Assuming, because you are a small business you are not a target;
  2. Assuming your general liability policy affords the proper coverage needed to protect against a cyber claim;
  3. Assuming cyber liability coverage is too expensive; and
  4. Assuming your point-of-sale, merchant service, and server (IT) companies afford you coverage/protection when a cyber-attack occurs.

 

The most common cyber liability a restaurant faces is a data breach. A data breach happens when an unauthorized individual gains access to electronic information (typically names, credit or debit card numbers and/or bank account numbers). This information is highly desirable to a criminal looking to sell their stolen information on the “Black Market” or to utilize the information themselves. The costs associated with resolving a potential data breach are significant. According to a 2016 Fortune report, a data breach for the Hospitality Industry can cost approximately $139 per record stolen. Consider that the average time to identify a breach is 201 days and that the average time to contain a breach is 70 days. Therefore, depending on the number of credit card transactions you process monthly and some of the potential efforts needed after a data breach (see below) the costs of a cyber-attack adds up quickly.

 

  1. Costs of notifying affected individuals;
  2. Costs of notifying regulatory authorities;
  3. Regulatory fines at home and abroad;
  4. Forensic costs to discover the cause;
  5. Business income loss;
  6. Cyber extortion payments (Ransomware);
  7. Lost customers and damaged reputation;
  8. Implementation of credit monitoring services;
  9. IT expert services; and
  10. Defense and settlement costs.

 

The lesson in recent stories making the cyber headlines is that security goes far beyond simply having the right technology. It also requires training your employees with the proper mindset, attention to detail, as well as a clear awareness of these possibilities. Remember, you cannot possibly think of everything that might happen. My advice to all restaurant owners is to strongly consider reducing some of your risk through securing your IT systems (update software regularly, train employees, monitor social networks, encrypt data, change passwords and confirm your vendor’s security). Even performing all these recommendations will not ensure full protection from a cyber-attack. Therefore, we also suggest transferring some of the risk by purchasing a cyber liability insurance policy to protect your restaurant from losses you would be forced to pay for if you are to ever experience a cyber-attack and your client data is successfully stolen.

 

For more information regarding cyber liability insurance for restaurants please contact Jason VanGotten at jvangotten@corestaurant.org

Understanding How to Become PCI Compliant

September 1, 2017

By Jason VanGotten, Colorado Restaurant Insurance —

 

Have you heard of the PCI DSS (Payment Card Industry Data Security Standard)? If not, they provide the standards for all merchants that store, process, or transmit cardholder data. If you are processing credit cards in your restaurants, you are responsible to comply with this standard. Click here for the details.

 

Nearly every restaurant owner has heard of it, but it remains a source of confusion as to what is required of small businesses. However, the good news is that PCI DSS compliance does not have to be confusing. Before we dive into what it takes to become PCI DSS compliant, let’s talk about the challenges restaurants face.

 

The big piece to the PCI DSS compliance pie is limiting employee access to data. Keep in mind the number of servers on a given shift who run credit card transactions, this means multiple machines and multiple staff members with access to physical credit cards. To help ensure you are in compliance, it is imperative that you use unique employee IDs and properly encrypted systems. An outdated point-of-sale (POS) system or credit card terminal typically will not encrypt the data that is processed through them. If your POS software or credit card terminals are outdated, you can contact your merchant processor to see what they offer as an upgrade to provide data encryption and if your systems require an upgrade.

 

The National Restaurant Association states that, typically, restaurants that run the highest risk of a data breach use unsecured Internet-accessible networks, like DSL, cable modem, or wireless technology. They may also be using non-compliant POS software that stores credit card data improperly.

 

There are six categories of PCI DSS compliance (refer to the link above for detailed information) requirements, which are:

 

  1. Maintaining a secure network
  2. Protecting cardholder data
  3. Protecting your systems against malware/spyware
  4. Putting strong access control measures in place
  5. Monitoring and testing your networks
  6. Creating an Information Security Policy

 

You may be thinking after looking at these six categories, “How can they expect small businesses to manage these six categories to stay compliant?” The keys to PCI DSS compliance include proper network security, careful handling of customer cardholder data and the use of only the PA-DSS-validated (Payment Application Data Security Standard) POS and payment processing systems. You can find a list of PA-DSS- validated POS providers HERE.

 

You are also required to complete a “self-assessment questionnaire” (SAQ) on an annual basis. The basic SAQ generally takes about 15 minutes to complete and provides the restauranteur with an opportunity to review their business policies and practices related to credit card transactions and data storage.

 

The bottom line is that PCI DSS compliance is required and this process helps your restaurant from data breaches and the fines and penalties that come with them. Card data theft is costly. Therefore, familiarizing yourself with the policies, and properly training your staff will end up saving you time and money while also protecting your customers and restaurant from a data breach.

 

For more information pertaining to PCI DSS compliance, please contact Jason VanGotten at jvangotten@corestaurant.org

 

Sources:
Clinard Insurance – Restaurant Blog 2016