Managing Ransomware Risks in the Restaurant, Retail and Hospitality Industries

Anderson Kill Restaurant, Retail & Hospitality Advisor

  • Published On: April 25, 2024

Serious cyber perils continue to plague almost all organizations and computer users. The restaurant, retail and hospitality industries in particular remain prime targets, given the volume of sensitive (and valuable) data with which these industries deal. While ransomware is by no means the only dangerous cyber risk exposure, it is the biggest cyber risk to policyholders in these industries, given its ability to impede — if not shutter — operations.

The Uptick in Restaurant, Retail and Hospitality Industry Ransomware Attacks

Hackers kept busy in retail and hospitality in 2023 and kept on going in early 2024. In mid-April 2023, a ransomware attack on one of NCR Corp.’s data centers took down its Aloha point-of-sale software, which is used by thousands of restaurants nationwide. The cyber-criminals held stolen information hostage for a ransom payment. The attack widely affected numerous restaurants’ ability to manage administrative functions. Around the same time, LockBit allegedly launched a ransomware attack on CEFCO, a southern convenience store chain in the U.S. In January 2024, the same group put Subway on notice of a successful ransomware attack with a ransom deadline of February 2, 2024. Customers reported on social media sites such as Reddit that their accounts had been altered without their permission. In the U.K., Yum! Brands, the owner of franchises including KFC, Pizza Hut and Taco Bell, confirmed in January 2023 that a data breach from a ransomware attack temporarily shut down approximately 300 restaurants.

The retail industry also faced numerous ransomware attacks, which cost an average of $3.28 million per claim. VF Corp., owner of apparel brands Timberland, Dickies, Smartwool, Vans and The North Face, suffered a ransomware attack in December 2023 that leaked the personally identifiable information of over 35 million customers. It took VF Corp. a little over a month to substantially restore its IT systems and data. The company continued to experience minor operational disruptions from the attack even beyond that, spurring the company to spend $10.5 million in direct costs, including $4.8 million related to continuing operations. Additionally, a January 2023 attack on fashion retailer JD Sports yielded information on approximately 10 million customers, including customers’ full name, delivery and billing address(es), email address, phone number, final 4 digits of payment card and/or order details.

Attackers did not neglect the hospitality industry, with the average cost of a data breach in that sector rising from $2.94 million in 2022 to $3.36 million in 2023. A ransomware attack on MGM Resorts by the Scattered Spider attack group in September 2023 affected everything from hotel room digital keys to slot machines. The incident knocked websites for many MGM properties offline, and guests found themselves waiting in hours-long lines to check in and receive physical room keys or handwritten receipts for casino winnings. A day later, Caesars Entertainment disclosed that it paid millions of dollars to the Scattered Spider group following an attack and a threat to release company data, although it did not disclose the nature of the attack. MGM and Caesars now face consumer class action litigation as a consequence of the attacks. The same attack group set its sights on Marriott, Hilton and LBA Hospitality in November 2023. The ransomware group claimed the data breach included around 200GB of “highly confidential” internal company data, which encompassed client and employee personal details, financial reports and credit card information.

Insurance Coverage Considerations Before a Ransomware Attack

When a ransomware attack or other cyber incident occurs, policyholders can look to multiple lines of insurance coverage — including standalone cyber, crime, property, D&O, E&O, inland marine, and CGL. To maximize insurance coverage following a ransomware incident, businesses in the restaurant, retail and hospitality space must take appropriate measures before the attack occurs. First, regularly evaluate your systems for vulnerabilities, and install patches and updates promptly. This not only helps prevent a ransomware attack, but also protects against an insurance company’s attempt to exclude coverage on grounds that the policyholder failed to patch known vulnerabilities (or vulnerabilities that should have been known), or to refuse coverage for remedial efforts the insurance company considers uncovered upgrades. Take all prudent steps to identify and secure your systems and data — including data that is mobile or hosted on third-party platforms — and vet your vendors’ cybersecurity protocols as well.

Next, approach insurance applications with the utmost diligence. Questions about cybersecurity infrastructure and controls have become more nuanced — and many are poorly worded. Some insurance companies now require separate attestation forms, which often list minimum requirements for specific security controls that must be in place before the insurance company sells the policy. Enlist the assistance of your IT director; if you are a smaller organization, ask your broker to clarify what specifically is being asked. It is important to provide accurate, up-to-date details, because an insurance company may use inaccuracies as a basis to deny your claim, particularly where state law permits an insurance company to seek rescission of a policy based on a material mistake — even an innocent one — in an insurance application.

Additionally, if you are a public company, you must adhere to the SEC’s July 2023 rule requiring annual disclosures regarding the company’s cybersecurity risk management and strategy, including its processes for managing threats and whether any risks from threats have materially affected the company. You must also disclose annually your cyber governance, including the role played by the board and management.

Finally, establish and test a cybersecurity plan. Educate and train your employees to spot phishing emails. Limit user access to the most sensitive (and valuable) data. Use a firewall and encrypt information. Also develop a written business continuity and disaster recovery plan — and keep a hard copy to access when your systems are locked. Identify specific procedures to follow and the roles your team members should play. Test and validate that plan regularly. Make sure you have contingency plans in place, such as redundant systems or off-server backups, and redundant means of communication to ensure business continuity.

Insurance Coverage Considerations After a Ransomware Attack

Once a loss occurs, provide notice to all potentially relevant insurance companies as soon as possible to avoid coverage denials based on late notice. Follow these steps to ensure insurance coverage remains available:

  • Coordinate with your insurance broker.
  • Get in contact promptly with law enforcement and open up a dialogue.
  • Ask the insurance company to provide written consent before paying a ransom, even if your policy does not require it.
  • If you are a public company and the event is material, the July 2023 SEC rules mandate that you disclose the event within four (4) business days of your company’s determination that the incident is material.
  • Before paying a ransom, also make sure to comply with Treasury Department guidance concerning the transfer of money to those who may be on the OFAC SDN list. In most instances, the Specially Designated Nationals and Blocked Persons List (SDN List) prohibits “U.S. persons” from dealing with anyone who appears on that “list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific.”
  • Work closely with a seasoned computer forensics firm and, if applicable, a PCI forensic investigator to determine the level and scope of the security breach. Remember that more recent malware strains have the ability to not only encrypt data, but to exfiltrate it as well, thus potentially leading to a privacy event as well as loss of access to computer systems and data. Note that your policy may require the insurance company’s prior written consent for these experts or that you use an insurance company’s panel investigator.
  • Calendar deadlines for proofs of loss and pay attention to suit limitations provisions.

The restaurant, retail and hospitality industries have experienced an increasing number of high-profile ransomware events. Make sure you follow at least the above tips in order to preserve insurance coverage under cyber and other insurance policies, perhaps the most indispensable safety net against the potentially devastating financial consequences of a ransomware attack.

© Copyright 2024 by Anderson Kill P.C.