Cyber Insurance is Not a Luxury – It’s a Necessity


Threats are up but insurance prices are down, and coverage is expanding. It is important to partner with an insurance company that’s dedicated to the franchise industry and understands its challenges. 

By Peter Taffae 

Cyber insurance was once a luxury that only very large franchisors could afford. Today, given the frequency and severity of online attacks – and lower premiums – every franchisor, regardless of size, needs to seriously consider securing this important protection. The question to ask is no longer “Will I be hacked?” but “When will I be hacked?” A 2017 PricewaterhouseCoopers survey reported a 38 percent increase over 2015 in cyber hacking events. 

The days of thinking your company is too small to be hacked are gone. In fact, we have seen a shift in behavior where many hackers are targeting smaller companies because they have weaker controls and detection than larger companies. Further, the proliferation of hacker services for sale on the “dark web” has accelerated this trend. 

Now, anyone can go online and purchase – cheaply – hacker services to take down a website or steal information without any prior hacking experience. This has opened the door for traditional street criminals to take their crimes online with a much lower risk of prosecution compared to traditional types of criminal activity. 

Seek trustworthy, knowledgeable insurance brokers 

Hackers can be cyber criminals, disgruntled or prospective employees, angry customers, competitors, foreign governments, or activists – the so-called hacktivists. 

The actual costs and reputational damage are astonishing. Industry experts estimate the average cost per record is $158. Thus, a franchisor with just 25,000 records could suffer over $4 million in damages as the result of a breach. In addition, we continue to see the cost of breaches trending upward, especially with respect to cyber extortion. As cyber criminals are becoming bolder, they continue to up the ante as they experience success in extorting larger amounts of money from small companies. 

 

Unfortunately, no two cyber insurance policies use the same wording and approach; the insurance industry lacks standardization in this area. This makes it more challenging when determining the best product. Price alone is not a good determining factor – in fact, the least expensive option is usually the most restrictive. Seeking a trustworthy and knowledgeable broker is paramount in the acquisition of cyber insurance. 

Industry presents unique challenges for coverage 

When procuring cyber insurance, note that carriers differ in important ways and that certain coverage enhancements are essential to obtaining the appropriate coverage.

The franchise industry presents unique challenges with respect to cyber liability, given the nature of the relationship between franchisors and franchisees. While the latter are independently owned and operated, they are often interconnected with the franchisor. 

Franchisors are usually able to access the POS credit card terminals of the franchisee in order to calculate and track the appropriate royalty payments. This type of access increases the cyber exposure of the franchisor exponentially because a hacker could, potentially, access all the franchisees through the franchisor, exposing both the franchisor and each franchisee to liability.  

Furthermore, the franchisor often selects the POS credit card terminal equipment and software that the franchisee must use, which further exposes the franchisor to liability from franchisees. Therefore, franchisors should seek a policy that is specific to the franchise industry written so as to address the unique characteristics of franchisors and franchisees. 

For example, an acceptable cyber policy must address the vicarious liability that almost certainly will be part of any privacy litigation. Franchisors can substantially minimize, but never eliminate, vicarious liability by insisting that their franchisees secure cyber insurance and add the franchisor as an “additional insured.” Another example is that many underwriters will exclude litigation brought by franchisees against the franchisor, which will result in a significant gap in coverage. 

Protection from claims 

Franchisors want to secure a cyber policy that protects them from “first” and “third” party claims. First party costs are the expenses incurred by the franchisor in complying with federal and state privacy laws with respect to notifying individuals, conducting a cyber forensic investigation, providing credit monitoring to affected individuals, legal counsel, costs to restore destroyed data, public relations, business interruption for loss of income, and costs to pay ransom in the case of cyber extortion.

Forty-seven states have their own unique requirements when a breach has occurred. The legal and compliance costs in fulfilling these requirements can be considerable. Buyers should make sure these expenses will be covered under any cyber policy purchased. 

 

Third party refers to the legal fees and any settlement arising out of a breach. The correct policy will respond when the franchisor is named in litigation, not just by the affected individuals but also by any regulatory agencies. The U.S. Federal Trade Commission and state attorneys general have become aggressive in pursuing litigation in this area. 

Prices Lower, Coverage Expanding 

Franchisors securing cyber insurance should consider insurance companies with established relationships – often on retainer – with expert service providers. A franchisor neither wants nor has the time to go through a hiring process for the experts required at the time of a cyber breach. Legally required notification, proactive customer service and public relations are paramount and must be implemented immediately in order to minimize the potential damages. Finding a cyber insurer that provides a “cyber coach” will decrease the stress of coordinating and managing the numerous service providers that will be required.

There has never been a better time to secure cyber insurance protection. Prices are down, and coverage is expanding. It is important to partner with an insurance company that is dedicated to the franchise industry, understands its unique challenges and is committed to long-term relationships. 

Peter R. Taffae is Managing Director of FranchisePerils, a national insurance firm dedicated to the franchise industry. Find out more at www.franchise.org/franchiseperils-supplier
