Best Practice in Cyber Risk Management

05 August 2019

Restaurants are increasingly implementing new technologies to power operations, create efficiencies, and enhance the customer experience. Mobile apps and other innovations are transforming business models, allowing organisations to better collect and use customer data.

However, by doing this they are also creating new risk exposures and points of vulnerability in critical systems, networks, and hardware, and increasing opportunities for data breach and theft.

Indeed, 41% of respondents to Marsh’s 2019 Restaurant Risk Management survey said they had suffered a breach involving corporate or customer data or at the franchise level.

Here’s how restaurant risk professionals can manage their new and evolving cyber risks:

Weighing Up Your Restaurant’s Cyber Risk

Effective cyber risk management starts with a thorough understanding of your exposures. Since restaurants are a high-touch environment for customer data, there are a myriad of opportunities for data theft.

Unfortunately, these threats extend beyond data breaches. Cyber-attacks and technology failures can pose significant risk to operations and supply chains, resulting in revenue loss, extra expenses, and/or reputational damage.

The near ubiquity of online ordering, mobile solutions, production automation, and technology-streamlined back- and front-end processes creates new, often unanticipated risks.

Recommendation: To fully understand the business impact of these exposures, it’s critical that restaurants measure them economically, quantifying potential losses across a range of business interruption and breach scenarios.

What’s on the Menu? Brand Protection

In a business dependent on relationships, it’s important that consumers trust their favourite restaurants to handle cyber breaches and events with transparency, efficiency and care.

Customers typically don’t differentiate between corporate-owned and franchised locations.

Among survey respondents, 8% reported experiencing a breach at a franchisee, reinforcing the importance of managing franchise-level exposures too.

Recommendation: While it may not be feasible to control all processes and technologies used by franchisees, franchisors should stay attuned to franchisees’ cyber exposures and ensure robust incident response plans are in place and regularly tested, and that everyone knows their role.


The Right Ingredients

Cybersecurity technology cannot always protect a company from cyber-attacks. That’s why it’s essential to purchase cyber insurance, which can protect your balance sheet from the financial impact of cyber events that technology is unable to prevent.

Encouragingly, 85% of survey respondents said they purchase cyber insurance.

Purchasing cyber insurance should be based on quantification of a company’s cyber risk exposures. Since every company has unique technology usage, data and risks, policy limits should be based on an organisation’s loss exposures.

Companies that quantify cyber risks better understand their exposures and tend to buy higher coverage limits: nearly 40% of survey respondents purchase limits of US$20 million or higher.

Among Marsh’s retail, wholesale, food and beverage clients, average limits purchased rose by 25% in 2018, reaching US$27 million.

Recommendation: Regularly review your insurance policies to ensure that limits are adequate to cover your exposures.

This review can also help you to assess whether you have the right types of coverages in place to respond to business interruption events within your organisation and along your supply chain, as well as the many costs and liabilities associated with data theft.




  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 8108 9541.



Services provided in the United Kingdom by Marsh JLT Specialty, a trading name of Marsh Ltd and JLT Specialty Limited (together “MMC”). Marsh Ltd is authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 307511). JLT Specialty Ltd is a Lloyd’s Broker, authorised and regulated by the Financial Conduct Authority for General Insurance Distribution and Credit Broking (Firm Reference No. 310428).

This is not legal advice and is intended only to highlight general issues relating to its subject matter. Whilst every effort has been made to ensure the accuracy of the content of this document, no MMC entity accepts any responsibility for any error, or omission or deficiency. The information contained within this document may not be reproduced. If you are interested in utilising the services of MMC you may be required by/under your local regulatory regime to utilise the services of a local insurance intermediary in your territory to export insurance and (re)insurance to us unless you have an exemption and should take advice in this regard.