The cyber threat landscape to franchise systems has grown significantly over the past two years. The issues leading to the rise of cyber claims within franchise brands include: increased frequency and severity of ransomware attacks, vulnerabilities from multiple vendors and suppliers, social engineering fraud and lack of IT and data security across the franchise network.
Historically, many franchisors have attempted to address this cyber exposure by recommending their franchisees carry cyber insurance. Often, this coverage was recommended but not a required coverage within the FDD insurance process. Cyber insurance provides a number of solutions to respond to cyber threats including loss mitigation guidance and it should be considered part of an overall risk management strategy.
When analyzing and evaluating the state of cyber security and insurance coverage across your franchise system, here are a few key best practices to follow:
View this risk as a franchise-wide issue and address accordingly. Regardless of how many franchisees are affected, cyber incidents impact your brand and require a coordinated response. Unlike other insurance coverages like General Liability and Workers’ Compensation that are typically written at the individual franchisee level, cyber insurance coverage should be addressed holistically. Consistency in coverage, limits and claim handling is imperative should an incident occur.
Review IT security & privacy controls throughout your franchise system. Some franchisors may require franchisees to adopt their technology platforms. They may also require that security and privacy controls are universal among their franchisee network. Others are more “laissez-faire” and do not dictate operations or security systems integration. Franchisors and franchisees should understand how this impacts their daily operations and be aware that inconsistencies as these can complicate incident response, risk mitigation strategies and preparedness.
Protect your supply chain by preparing for cyber events. Many franchisors operate as the critical cog in the delivery of good and services to franchisees. If that supply chain was disrupted due to a cyber breach, what contingencies are in place for the franchisor and their franchisee to minimize business income loss and reputational harm?
In the event of a cyber event, preparation is key. How will you continue critical operations like product delivery and payment processing? To be prepared, a contingency plan should include an audit element to ensure adherence to certain security frameworks and coordination requirements.
Breaches from outside that impact the whole franchise system. Breaches stemming from third party relationships with vendors and suppliers consistently rank as a top source of cyber security incidents. It is important to review contract language with key suppliers and vendors specifically around security and privacy risk and disruptions such as ensuring awareness of indemnification provisions, audit provisions, cyber insurance requirement, notification reporting timelines and breach coordination requirements.
Business Continuity/Disaster Recovery Plan. Time is of the essence should a breach occur and having a pre-arranged response is essential. For the franchise system, it is critical to establish a business continuity plan should the cyber incident impact many of the franchisees from accessing POS and other client information systems.
Consider having a communications plan in place with defined roles & responsibilities so franchisees, strategic partners and the public are all receiving timely communications from an appropriate member of your leadership team.
It is more important than ever for franchisors and franchisees to understand and adapt to the evolving cyber risk landscape. The need for cyber insurance is just one element, and reviewing your data security measures throughout your system is a must in today’s environment.
Reach out to your MMA Franchise team to talk in depth about cyber coverage, and ways to adapt to the evolving risk landscape.