The headlines never seem to change: Cyber crime is on the rise globally. At a seminar held at the University of Washington's Law School in early October, FBI and Secret Service agents reported that cyber crime is becoming more professional and, in many ways, easier to commit. Among the reasons is that cyber criminals have become more effective at using the Internet to organize and form cyber "gangs" that include individuals with different areas of expertise. Operating as a skilled underground team, criminals are more effective and are capable of launching sophisticated attacks, silently spreading their malware to thousands of websites to run scams and infiltrate computer networks to access personal information of thousands of people.

These cyber criminals are now focusing on small and mid-sized businesses that do not have the same protections in place for network security as large corporations. Restaurants are among those businesses under attack. CNBC reported last April that 40 percent of breaches in 2010 occurred in the hospitality industry. Point-of-sale terminals have been a primary target for cyber criminals engaging in credit card fraud, resulting in the compromise of millions of credit and debit cards. With more restaurants embracing social media and mobile devices as part of their business plan, the exposure to potential cyber crime only increases.

Restaurants have a three-point list to protect themselves against losses related to cyber crime:

  1. Take steps to prevent a cyber attack
  2. Insure against losses to the greatest extent possible
  3. Prepare a crisis management plan that can be quickly implemented in the event of a breach.

A qualified cyber security professional will assist a business by advising on the implementation of best practices related to information security and safe computing. A comprehensive cyber insurance program will include important coverages as well as crisis management services that will go a long way toward addressing both items two and three.

Assessing Cyber Risk

Restaurants that regard cyber risk coverage as optional may not be accurately assessing their potential uninsured exposures. Most restaurants have websites, point-of-sale terminals and computer networks that store employee and frequent customer information, and are key to business operations. Increasingly, restaurants are using social media like Facebook and Twitter to reach customers, which further increases cyber exposure. The cost of cyber liability losses can add up quickly. For example, the fifth annual "U.S. Cost of Data Breach Study" conducted by the Ponemon Institute found that data breach incidents cost U.S. companies an average of $204 per compromised customer record in 2009, with the cost continuing to rise each year.

Cyber liability insurance addresses first- and third-party risks associated with electronic data and communications of all types. Common cyber risk exposures include data/security breach, copyright or trademark infringement, firewall and network security attacks, cyber extortion, hackers, worms and other cyber attacks, and data destruction or corruption as a result of a virus.

Many restaurant owners perceive that these exposures are covered by the general liability policy. However, cyber liability exposures are frequently not covered by a typical general liability policy and more insurers have been adding new exclusions to make it clearer that such exposures are not covered. General liability coverage forms vary by carrier and certain cyber claims may be covered on a case-by-case basis. But know that relying on this possibility does not provide the comprehensive approach to insuring against these losses that a specialized cyber insurance form provides.

It is the responsibility of any professional insurance agent to review with his or her restaurant clients the current coverage in relation to potential cyber liability exposures based on the nature and size of the operation. Failure to do so will create an errors and omissions exposure for the agent as clients are left open to uninsured claims.

Although this list is not all-inclusive, there are several key areas to include in this assessment:

  1. Network security. Restaurants that maintain a computer system that is connected to the Internet have a potential liability due to a breach of that system. Unauthorized access may result in the dissemination of personal information held on the computer system and the transmission of a virus to a third party. Additionally, the restaurant may incur costs to replace or restore electronic data or computer programs that are damaged or destroyed as a result of a security breach.
  2. Loss of income. A restaurant may experience a loss of business income or extra expense as a direct result of an e-commerce incident. For example, if a virus or other malicious attack damages or destroys a computer system vital to the restaurant operation, it may result in a shutdown of operations for a period of time and a corresponding loss of income.
  3. Website publishing. A restaurant that maintains a website and social media sites may be held liable for wrongful acts associated with the content posted on that website. A wrongful act may include actual or alleged errors, misstatements or misleading statements that result in an infringement of another's copyright, trademark, service mark or right to privacy.
  4. Extortion threats. Cyber extortion is a crime involving an attack or threat of attack against an enterprise, in combination with a demand for money to avert or stop the attack. Cyber extortion may take different forms, including the use of software that encrypts a victim's data and then the cyber criminal demands money for the decryption key. Cyber extortion also includes threats to publish a client's personal information or destroy or corrupt records. In recent years, incidents of cyber extortion have grown significantly and the criminals often operate from countries other than those where their victims are located, thus making it difficult to prosecute.
  5. Security breach expenses. Insurance agents should point out to their clients the requirements of data breach notification laws in the state or states where they operate. The cost of compliance with notification laws can be a major expense for a business to absorb. When evaluating possible insurance products to address cyber risk, it is important to consider what services the product includes for dealing with the potentially devastating consequences of a data breach. With more companies outsourcing their data processing to third parties or the "cloud," it is important that a cyber policy provides coverage if the security breach happens to one of the insured's service providers.

Most businesses will need outside expertise to manage the crisis and to ensure they are meeting regulatory requirements. The leading insurance products today include assistance with tasks like developing an incident response plan and sending notifications to affected people, credit bureaus and government offices. In some cases, credit monitoring services must be provided, which can cost from $10 to $200 per person per year. Some insurance carriers provide data breach services via a third-party firm that specializes in assessing, mitigating and managing a breach crisis.

Public relations expense is another area that it would be wise to consider. A restaurant may suffer damage to its reputation in the event negative publicity results from an e-commerce incident. The most comprehensive insurance policies will provide coverage for public relations expenses related to protecting or restoring the reputation of the business.

Getting the message to the client

Cyber liability insurance premiums, including minimum policy premiums, have decreased in recent years, making it a more affordable option for small to midsized businesses as the number of insurance carriers offering the coverage has expanded to 30 plus. With the market offering more options, it is up to the agent to demonstrate the benefits of the coverage to his or her client. Here are a few tips for selling cyber insurance to restaurants:

  1. Develop a concise marketing piece that is specific to the restaurant industry. Many business owners believe that if they are not specifically engaged in e-commerce (selling products over the Internet), they do not have a significant cyber liability exposure. To combat this misconception, provide the client with a one-page document that gives specifics of how their business is exposed to cyber liability. Include "real life" cases involving restaurants that can be found with a basic Internet search. Searching with phrases like "restaurant data breach" will turn up many examples that will hit home with clients and prospects. Also include cost estimates for meeting the state data breach notification requirements in the event of an incident.
  2. Be prepared to present premium indications that demonstrate the coverage is affordable. Some carriers will provide a general premium guide to agents that will allow you to estimate the cost of cyber liability insurance for a specific restaurant based on revenues and a few other basics. Hopefully, this will encourage the insurance buyer to see that it is worth taking the extra step to complete an application and secure a firm quote.
  3. Take advantage of insurance carrier marketing materials. Insurance companies that are serious about cyber liability coverage have developed some excellent brochures to help you in the client education and sales process. The best marketing material provides a concise overview of not only the coverages available but also the additional crisis management and disaster response services that are provided with the policy. Explaining the value of these services that are included in the premium is important to your client's understanding of the benefits of purchasing the coverage.

Cyber risk poses a true threat to restaurants—one that the well-informed agent will address with the many insurance products and services available in today's marketplace.
