Key Takeaways:
- McDonald’s and other fast-food chains have been found to have significant cyber security exposures due to vulnerabilities in their third-party vendors.
- The average time to detect a breach in the restaurant industry is 212 days, allowing malicious actors to extract sensitive data.
- Restaurant management must prioritize cyber risk management and focus on their vendors’ security practices as much as their own.
- Franchisees must understand their franchisor’s requirements for purchasing insurance, including cyber coverage, to avoid costly mistakes.
- A thorough vendor cyber audit is essential to ensure that vendors’ security practices meet the necessary standards.
Introduction to Cyber Security Risks in the Restaurant Industry
The restaurant industry has become a prime target for cyber attacks, with many high-profile breaches making headlines in recent years. McDonald’s, in particular, became an unintended case study in the security risks that restaurants face from their third-party vendors. A group of "white hat" hackers testing the McHire chatbot hiring screener, Olivia, were able to easily gain access to the system by exploiting basic security flaws, including an administrator default password of 123456 that had been left in place by Paradox.ai. This vulnerability potentially exposed the personal information of 64 million job applicants, highlighting the alarming scale of the problem.
The Prevalence of Cyber Security Exposures in the Restaurant Industry
The issue is not unique to McDonald’s, as other fast-food organizations have also been found to have significant cyber security exposures. A team of ethical hackers discovered "catastrophic" vulnerabilities, among them hard-coded passwords, in the systems of Restaurant Brands International’s fast-food chains, including Burger King and Popeyes. These breaches are particularly alarming due to the ease with which they were discovered by ethical hackers, suggesting that malicious actors have likely already identified similar weaknesses across the industry. The average time to detect a breach in the restaurant industry is 212 days, which is more than enough time for criminals to extract payment card data from thousands of transactions.
The Importance of Third-Party Cyber Risk Management
Third-party cyber vulnerabilities have been worsening as technology becomes an increasingly important driver of restaurant operations. The majority of restaurants use at least one online ordering solution, and 67 percent of operators say that the majority of their software systems integrate into their point-of-sale (POS) system. Meanwhile, data breaches involving third parties have doubled to 30 percent of all incidents in the past year. This highlights the need for restaurant management to prioritize cyber risk management and focus on their vendors’ security practices as much as their own. By doing so, they can reduce the risk of a breach and protect their customers’ sensitive data.
Evaluating Vendor Cyber Security Practices
To mitigate the risk of a breach, it is essential to evaluate the cyber security practices of vendors. This includes auditing their data security and privacy policy documentation, response and recovery plans, staff training programs, technical controls, and compliance measures. A thorough vendor cyber audit should also cover evidence of vendors’ own risk assessments and client reporting protocols. By taking a proactive approach to vendor cyber security, restaurant management can reduce the risk of a breach and protect their customers’ sensitive data. Additionally, franchisees must follow the franchisor’s security guidelines in their own operations and for vendors they hire locally, and understand the franchisor’s requirements for purchasing insurance, including cyber coverage.
The Complications of Franchisee Insurance
Insurance for franchisees presents a complex situation, requiring expert guidance to navigate. Franchisees may own one or two restaurants or 100, but each must have the same type of coverage. The franchisee must consider whether the $5 million aggregate limit under the master policy will be adequate protection when hundreds or thousands of other franchisees are also exposed. They must also decide whether to go with the franchisor’s master program, which limits their place in line in the event of damages, but is less costly, or to ensure their costs and exposures are covered first. Managing cyber risk becomes more complicated in the franchise environment, and the risks only mount for a growing franchisee as each new store opens another door for exposure.
Conclusion and Recommendations
In conclusion, cyber security is a top priority for successful restaurant organizations, and it starts with choosing an insurance partner who truly understands the complexity of the franchise operation. By prioritizing cyber risk management, evaluating vendor cyber security practices, and understanding the franchisor’s requirements for purchasing insurance, restaurant management can reduce the risk of a breach and protect their customers’ sensitive data. It is essential to work with a broker experienced in cyber risk management and familiar with franchise systems to navigate the complexities of franchisee insurance and ensure that the franchisee has the right coverage to survive a cyber event. Ultimately, the goal is to minimize the risk of a breach and protect the franchisee’s reputation and financial well-being.


