November 15, 2019

Cyber Risk

Across all industries, executives now rank cyber risk as one of the biggest threats to their business.  “Cyber risk” is a large category.  Cyber threats include ransomware attacks, which involve hackers taking your computer systems hostage, and preventing access until a ransom is paid.  “Phishing” schemes are another big threat, where hackers send an email posing as someone else, trying to get the recipient to divulge sensitive information, such as usernames and passwords, or to click on a harmful link.

Cyber-attacks are becoming more common.  Many security experts will tell you that it’s not really a question of if your system will be targeted – it’s a question of when.

At the same time as cyber risk is increasing, franchise systems are looking to and depending upon innovative technologies to help grow their business.  Because new technologies and system success are so closely connected, franchisors simply can’t afford to ignore cyber threats.

Franchise systems are particularly vulnerable to cyber-attacks.  By their very nature, franchise systems are decentralized.  Often, many different people have access to a franchise system’s computers and electronic information, including franchisors, franchisees, their respective employees, suppliers, and other third parties.  Where there is a high rate of turnover for franchisees’ employees, new people are accessing these electronic systems all the time.  This widespread access poses certain challenges, in that it may be more difficult to implement cyber security policies and ensure compliance.

Post-attack

In the case of a successful cyber-attack on a single franchise unit, the resulting damage may have a disproportionate effect on a franchise system’s brand and goodwill.  Customers and others will view the incident as a problem with every unit in the franchise system, rather than a problem with a single unit.  The resulting hit to a franchise system’s reputation can be particularly severe, especially in cases where a cyber-attack results in a data breach, and customers’ personal information is made public.

Of course, such attacks can have a negative impact on sales throughout the system, and impact the financial viability of individual franchisees.  However, there can be other effects as well.  Post-attack, it may be more difficult for a franchisor to grow its system and attract new franchisees.

Where a franchise system stores information online, such as secret recipes, proprietary methods, and business plans, this information becomes vulnerable to cyber-attacks.  Breaches could lead to brand secrets being made available to the public and to competitors.

Cyber-attacks may also lead to expensive lawsuits.

In short, cyber-attacks can damage a franchise system’s brand, and the financial health and future of the franchise system.

In light of all the potential consequences of a cyber-attack, it may be very tempting for a franchisor to step in and try to manage all the risk by itself.  However, cyber defence is a team effort.  In particular, the franchisor-franchisee relationship prevents franchisors from stepping in to directly manage their franchisees’ businesses.  Franchisors therefore need to make sure they are working with their franchisees within the context of the franchisor-franchisee relationship, to equip the franchisees with the right advice, resources, and assistance to mitigate cyber threats.

Know your cyber situation 

Where to start?  Before you can get to where you want to go, you have to know where you are.  A cyber security audit is the first step in your cyber defence action plan.   Consider:

  • What technology protections are currently in place? Do you have effective risk mitigation software in place?  Is your software up to date?  Is it being updated periodically?  Is information encrypted properly, where needed?  A qualified cyber security professional can be extremely helpful in making sure your software, systems, and hardware are providing the necessary level of protection.
  • What contractual protections are currently in place? With your legal counsel, review and update the franchise disclosure document, franchise agreement, and manuals to ensure that cyber risks have been properly addressed. Most franchise agreements are long-term contracts.  If these contracts were entered into many years ago, they likely do not expressly address cyber risk issues.  Your counsel can help you to determine whether existing provisions in the franchise agreement can address the new risks posed by technology.  For instance, a provision requiring a franchisee to maintain appropriate insurance may be broad enough to include cyber insurance coverage (discussed more below).  Provisions requiring franchisees to obtain ongoing training may be broad enough to include cyber security training.   In addition to your franchise agreements, a franchisor will also want to consider contracts entered into with suppliers and others.  Do these contracts contain appropriate provisions that shift the risk of cyber-attacks to the right entity?  For instance, if a supplier experiences a data breach that leaks your employees’ or customers’ information, does that supplier have any responsibility to pay for the harm that its breach has caused?  A well-drafted contract can help to make sure someone else’s cyber-attack doesn’t become your cyber problem.
  • What insurance protections are currently in place? There are now cyber insurance products available that provide protections against the types of harm that can result from a successful cyber-attack.  It’s important when obtaining cyber insurance that you work with a knowledgeable broker who understands your business so that you can make sure your policy: a) protects the right people and companies; b) against the most likely risks; c) in the proper amounts.  Coverage you may want in your cyber insurance policy includes the payment of ransoms (for ransomware attacks), legal services needed following an attack, the cost of public relations professionals to help the franchise system post-attack, and forensics (to determine how the attack occurred, and/or to repair computer systems). In the unfortunate event that you find yourself a victim of a cyber-attack, adequate cyber insurance can ensure that there are sufficient resources to handle the crisis in a way that minimizes brand damage.
  • What data collection, data-sharing, data security and social media policy protections are currently in place? Has everyone with access to your computer systems been trained to recognize and avoid common cyber threats?  Do they know how to properly report any cyber-attacks or data breaches that may occur?  Remember, policies aren’t going to help if no one knows they exist and no one has been trained on their application.  Consider making cyber security training a requirement for everyone that has access to your computer systems, and a standard part of the onboarding process.  When individuals leave the franchise system, make sure their access to your computer systems is revoked.
  • What information is being collected, from whom, and who is inputting the data? This is important for understanding the system’s potential risk exposure, and what potential breaches could occur. It is important to determine what legal obligations you have in relation to collected information.  These obligations vary by region, but generally speaking, an organization that collects personal information will have legal obligations relating to its protection, storage, and use.  Know the laws that apply to you.
  • Why is data being collected? Consider limiting data collection to only the information that is truly essential to collect. This will decrease the volume of information that needs to be managed and protected.  Make sure it is clear in all your agreements and policies who owns the data collected from customers and others.
  • Who has access to the information? Consider those who are able to access the information, including any third party vendors that may have access. It’s best to limit access to only those who need it.
  • Have a crisis plan that addresses cyber-attacks. Even if you’ve taken every precaution, it’s still possible for risk to become reality.  A well thought out crisis plan is essential in the event of a cyber-attack. A crisis plan should identify the most likely risks to your system and develop specific action plans in response to each one.  Responsibilities for managing the crisis response should be clearly defined and assigned to the person best positioned to respond to the risk.  Pre-drafting communications and other public statements in anticipation of likely attacks is a key step in making sure you are ready to deal with a cyber-attack.  For example, customers affected by a data breach will not be willing to wait days for you to make a public statement.  In the digital age, people want near immediate communication, especially during a crisis.

The nature of cyber risk is constantly evolving, and having a strong “cyber defence” is critical.  The right protections, and crisis-planning, can be the difference between a system that weathers a cyber storm and one that doesn’t.

Adrienne is a partner with Sotos LLP in Toronto, Canada’s largest franchise law firm.  She provides counsel to many franchised businesses.  If you would like to discuss how your business can better guard against cyber risk, Adrienne can be reached directly at 416-572-7321 or aboudreau@sotosllp.com

This article was originally published in the Franchise Voice Fall 2019 Edition.