Cyber-Whacked Restaurants: The Hurt You Couldn’t See Coming

Without the right protection, smart crooks may access your POS system and your internal business PC through your wi-fi, literally stealing customer credit card information right out of the air.

I love restaurants so much that they’re the only businesses I insure. Today is a normal day for me, driving to three restaurant insurance appointments. Restaurant operators rapidly adopt new technologies, so I’m spending a lot of time helping them manage the latest threats – mostly “cyber” risks. Few operators understand how pervasive cyber threats have grown. Even fewer know that ordinary commercial insurance rarely covers cyber threats. Without a specialized cyber policy, you’re probably not covered. Ride along with me and see what I mean.

Restaurant #1: Safe & sound

We drive past the suburbs to our first destination. They don’t make restaurants like this any more. This down-home place feels relaxed and welcoming. Nothing is rushed here . . . or electronic, either. They score ZERO against my cyber risk checklist. No website, Facebook, electronic POS (they’re cash only), wi-fi, online banking or HR administration.  Most restaurants resemble our next two stops, and most have significant cyber liabilities that they aren’t prepared to manage.

Restaurant #2: Better keep an eye out

I’m back in the car and heading to the second restaurant. It’s not super high-tech, but is well known for excellent food and a terrific staff.  Their biggest cyber threat is a combination of free public wi-fi, electronic POS system and online business administration (banking and HR). Soon I’m talking to the manager who doubts the threat is big, incorrectly thinking his POS vendor will pay for damages if customer credit card data is stolen from the system.

I show him the relevant paragraph in his POS contract. He is shocked. If data is stolen from the POS system, the restaurateur must hold the POS vendor harmless, not the other way around. And the restaurateur must pay for any damages suffered by the POS vendor!  There are good reasons why the POS contract is written this way. Some of those reasons actually benefit the restaurateur. But the manager needs to know that he is exposed to enough realistic, potential cyber-related damages to put him out of business. He can easily protect his business but he must take the conscious step to add the right insurance.

This is a good time to ask, “Do you know what your POS contract says on this topic?” Odds are you’ll find the same risk – and that it isn’t covered by your current insurance.

Now I have his attention, which is important because the public wi-fi/electronic POS/computerized banking/HR administration combination makes his restaurant a ripe hacker target. Few restaurateurs know that public wi-fi, POS systems and other business PCs should operate on separate wireless routers. Without that separation, smart crooks may access your POS system and your internal business PC through your wi-fi, literally stealing customer credit card information (and confidential banking and personal employee information) right out of the air! It costs little to add a separate router with separate secure access.

What’s a realistic example of damages from stolen customer credit card data? Theft of 100 customer credit card numbers could easily take five figures out of your pocket (determining the damage, notifying customers, plugging the security hole, remedial public relations, etc.). But the biggest damage may be the loss of customer confidence. After the hacking incident becomes a local news headline, your regulars may fear using their cards when they visit. They may buy less (how much cash do they carry?) or dine with a competitor where they feel more comfortable (falsely, perhaps) pulling out their credit card.

With all this explained at stop number two, we hit the road for restaurant three.

Restaurant #3: Run for cyber-cover!

I’m excited as I pull up. This restaurant is a regional icon. Everyone knows its name and thinks it’s a “happening” place. Their website is a masterpiece of fun; people flock there to buy gift cards and place gift orders for their specialty sauces and meats. They’re big on Facebook (tons of Likes). Servers use wireless tablets (iPads, in this case) instead of handwriting tickets. Patrons brag about how many points they’ve earned in the restaurant’s loyalty rewards program. Running down my cyber risk checklist I also spot free wi-fi, electronic POS systems and online administration of human resources, payroll and banking.

Yikes! This restaurant is a poster child for cyber risk! Almost every current threat is present here, and none of them are covered by the restaurant’s standard insurance. Their financial risk is huge, and all this technology feels like a ticking time bomb.

This article is the first of a 3-part series – tune in next time as we reveal the trouble in paradise at Restaurant #3. We’ll also focus on managing the cyber risks that affect your business operations.  Finally, in the third article, we’ll look at risks related to your customers and vendors.

Brad Toft is a restaurant insurance specialist at Kinker-Eveleigh Insurance Agency, Cincinnati, Ohio. Reach him at 513-936-1218 or For a free copy of “3 Most Common & Costly Restaurant Insurance Mistakes,” visit