What Restaurants Need to Know About Managing Third-Party Cyber Risks
4 Min Read By Patrick Ryder
It may have been the ultimate irony when Grubhub, a major third-party vendor to the U.S. restaurant business, suffered a cyber incident early in 2025 that originated with one of its own third-party service providers.
The incident was not an isolated event; it was a preview of the industry's new reality. In September, ethical hackers reported “catastrophic” vulnerabilities in Restaurant Brands Inc.'s systems affecting Burger King and Popeyes, including hard-coded passwords that could have been used to compromise operations.
The pattern is more troubling than any single incident: if white-hat researchers can turn up flaws like these in routine testing, criminals looking for the same weaknesses across the industry are likely to find and exploit them too. More alarming still, the average restaurant breach goes undetected for 212 days, giving attackers months to harvest payment card data, mine loyalty-program information and extract employee records before anyone realizes the system has been compromised.
Restaurants have grown increasingly vulnerable to cybercrime as digitization sweeps across the industry. About 80 percent of all their transactions are electronic. Tech solutions power everything from point-of-sale systems to kitchen order management to employee scheduling and management. Third-party delivery services run online marketplaces to help restaurants reach more customers.
Vendors in turn rely on their own vendors, all of them connected, producing a highly interconnected and correspondingly fragile supply chain. Third-party vendors are now a large part of the cybersecurity problem overall: data breaches involving them doubled in the past year, to 30 percent of all incidents.
Whether an incident is caused by a vendor's failings or by a restaurant's own weaknesses, the cost to the industry is substantial. Recent reports put the average damage at $3.4 million to $3.9 million for hospitality overall, driven by lost business, forensic investigations and the cost of each stolen record, which can run as high as $225.
Industry averages can mask the reality for individual operators, however. Consider a mid-sized franchisee operating 15 locations that is breached through its third-party payroll provider. On top of the direct breach costs come real additional expenses: mandatory notification across several states, business interruption, enhanced security measures, credit monitoring for affected customers and potential legal defense.
The reality is that restaurants carry a lot of cyber exposure. But thin margins force hard choices about where capital goes, and cybersecurity initiatives can easily get pushed to the bottom of the list.
There is substantial room for improvement, including in how restaurants manage third-party cyber risk and how they structure cyber insurance around it. Here is what is important to know.
The Importance of Audits
Vendor audits are the necessary starting point: each vendor needs to be assessed for its cybersecurity practices, and each vendor contract needs to be audited to ensure that indemnities are clearly laid out. Doing this before an intrusion, not after, is what lets an operator identify and close gaps in advance. A broker with proven expertise in cyber risk will be invaluable in getting it done.
The vendor cyber audit should work from a detailed checklist covering the vendor's security policies and procedures:
- Specifics on how the vendor's data security and privacy policies are documented and enforced.
- The vendor's response and recovery plans, including business continuity in the event of an incident.
- Staff security-awareness training programs and what they cover.
- Technical controls (for example access control, encryption of stored and transmitted data, patching, logging and monitoring) and the data-handling and compliance measures around them.
- Evidence of the vendor's own risk assessments, and the protocol by which it reports incidents to clients, including how quickly.
In auditing vendor contracts, the idea is to understand the risk the vendor may put your business at. Beyond the statement of work and which party is responsible, and to what extent, in the event of a breach, the indemnities must be spelled out. Here a broker partner is invaluable, because 99 percent of the time even generous indemnities from a third-party vendor will not, on their own, guarantee an operator's survival of a vendor-caused data breach. An indemnity is also only as good as the vendor's ability to pay it, so a vendor's own insurance and financial standing are part of the assessment.
Another vendor-related safeguard is to assess vendors regularly against recognized standards for controls protecting customer data. For security, the relevant report is SOC 2 (SOC 1 covers controls over financial reporting; SOC 3 is a public summary of a SOC 2), and a Type II report, which covers operating effectiveness over a period rather than a point in time, is what to ask for. Vendors that store, process or transmit card data should also be checked for compliance with PCI DSS, the card brands' mandatory rules for protecting credit and debit card data from theft and fraud; ask for the vendor's Attestation of Compliance and confirm that its scope covers the services your restaurant actually uses.
Cyber Insurance as a Backstop
Servers no longer write orders on paper, and cash payments are increasingly rare. Digital liability is real: data breaches are as common as any slip, trip or fall and just as costly, if not more so. Cyber insurance is the natural backstop for digital exposures, from both a first-party and a third-party liability perspective, and it is a rare restaurant that goes unprotected.
But having a broker who knows the business help structure the policy is key. Lining up a cyber policy, in and of itself, is not that difficult. Understanding the particular exposures, adequate coverage limits and deductible structures is what gets complicated.
Take wire-transfer exposure. How vendors are paid plays into it, since attackers who compromise a vendor's or an operator's email can redirect payments to their own accounts. How the policy responds to that exposure, and how that coverage fits with the rest of the program, matters. Payment card exposure is another big concern, and it is not only about stolen card data: if an attack locks up the point-of-sale system, the restaurant probably cannot take orders or payments and faces significant business-interruption loss.
A further complication is a shifting regulatory environment that moves as the technology does. Each state has its own cybersecurity and privacy laws, which adds compliance risk depending on which vendors are used and where they, and the data, are located.
This also adds a big wrinkle to cyber insurance coverage: many carriers are adding exclusions for claims arising under these newer laws, such as biometric and consumer-privacy statutes, until their impact is understood. Read the exclusions as carefully as the coverage grants.