Cybercrime and data security are top of mind for both operators and consumers. So Texas Roadhouse was well ahead of the game when it went on the offense seven years ago. “We took a look at our whole system. A real deep dive,” says Patrick Sterling, senior director of risk management. “One of the first things we did was buy [cyber liability] insurance.”
While all major commercial providers offer it, cyber liability insurance typically is not included in a general liability policy. It covers an operator if hackers steal payment-card data or shut down the system, plus other cybercrimes. Some carriers do offer restaurant-specific plans, but those are just renamed retail plans, says Tom Reagan, cyberpractice leader at insurance brokerage Marsh. Typically, carriers have plans focused on topics important to restaurants, such as payment- and employee-data security, he says.
Is it something that every operator needs? Maybe, maybe not. But right now, even those with security measures in place have been hit by hackers. In an ideal world, Sterling would prefer not to buy insurance. “I’d rather put all our resources toward mitigation. But insurance is a backstop.”
According to Reagan, a restaurant with about 20 units, revenue of $10 million and an insurance limit of $1 million to $5 million would pay between $5,000 and $50,000 for a policy, depending on a number of factors. “But you’re looking at paying 20 to 30 percent higher premiums if you’re not following best practices,” he says.
Carriers will look at a few things in making that determination, says Reagan: Do you have the current version of your POS system; are you using end-to-end encryption, which keeps card numbers from being exposed at your POS; do you have a staffer charged with cybersecurity; and do you have ongoing testing and evaluation of your security and the protocols in place in case an event occurs?
At Roadhouse, Sterling oversees insurance issues, safety, loss prevention, enterprise risk management and crisis management (Reagan suggests smaller companies hire a third-party cybersecurity manager versus adding it to a nondedicated employee’s role). The chain’s POS systems are up to date and scanned biweekly for vulnerabilities, and encryption is installed.
To get to that point, Sterling began by conducting penetration tests to identify weaknesses. “It helped us start to get a plan in place,” he says.
Today, the chain conducts annual penetration tests. Sterling’s team also drafted a cyber-response plan, which it tests with a third party.
Reagan says this is the type of plan that needs to be in place. “The best way to manage your [cyber liability] costs is to be prepared to tell a good story [to insurers] about how you’ve taken on the challenge of managing cyber risks.”
And it does pay off, says Sterling. “We haven’t had an increase in our premium in the seven years we’ve had the insurance.”