Addressing cyber liability for your franchise system
Doug Imholte
Since 2018, the number of cyber events has grown 150%. The recent attacks on Microsoft Exchange and Solar Winds are just a few high-profile incidents of the many that occur every day. Franchise systems are not immune to cyber attacks and in fact, because of the very nature of franchising, they are attractive targets for cyber criminals. When a cyber-incident occurs within your franchise system, it rarely impacts just one franchisee. Customers can visit multiple locations, franchisees & franchisor together via technology & multiple vendors. This creates the opportunity for an attack on your system all that greater. In particular, ransomware attacks have grown in number of attacks and ransom costs increasing from $90,000 per incident in Q4 of 2019 to over $220,000 today.
As a franchisor, this raises the question of how to address cyber liability as an insurance requirement for your franchisees. Should you require they carry this insurance or not? If so, at what limit will you require? There are countless risk management questions to ask but the bigger question to ask is: what happens if and when there’s a cyber-incident within your franchise system? Especially if there is a ransomware attack that shuts down the ability to share client data, process payments or simply impede their ability to do business.
A cyber issue is a brand issue and not just an individual franchisee issue. What makes cyber insurance different from other franchisee insurance coverages is that when a cyber-incident happens, how that response is handled and who coordinates it is most important. The first hours & days after a cyber-incident are most the important in determining how the event happened and coordinating an effective response, from forensic IT, legal expenses, notifications, public relations to getting franchisees up and running again. As this document outlines, there are 4 key ways to address cyber insurance as a required coverage for your franchisees:
1.Don’t require it because: it’s deemed too costly, our franchisees are too small or it won’t happen to us.
2.Require a limit and let franchisees choose their own insurance carrier. This is a risky and costly approach in that should a cyber-attack occur, you will now have multiple carriers trying to determine where and how it happened. This can severely impede your ability to coordinate an effective response and get franchisees back up and running.
3. Require franchisees to carry a certain limit, $1M for example, and that they all need to carry coverage with the same insurance carrier. The benefit of this is that, should an incident happen, one carrier is handling the claim and assigning the crisis response resources, such as IT support, legal, public relations, etc to effectively manage the claim, mitigate the loss and more quickly get franchisees up and operating.
4.Purchase cyber insurance at an overall franchise system level. Increasingly, this is becoming a viable option for franchisors. By purchasing a master cyber policy, they can ensure that all franchisees are covered, all resources are pre-arranged and there is no question as to whose insurance comes into play.
These are a few items to consider when addressing the cyber exposure within your brand. It IS a brand issue and should be handled as such. Reach out to the MMA Franchise team, or your current MMA contact, for more guidance on cyber-liability and the impact on your franchise system.