Cyber Application Checklist for Restaurants: MFA, Backups, POS Setup, and Incident Response

Applying for cyber insurance can feel like taking a technical exam you didn't study for. Carriers ask detailed questions about MFA, backup procedures, endpoint detection, PCI compliance, and incident response plans - and if you answer incorrectly (or leave fields blank), you'll either get declined, receive inflated pricing, or worse: buy a policy that won't pay when you need it.

The good news: most cyber application questions are asking about straightforward security practices you can implement (or verify) before you apply. And unlike property or liability applications, where you're mostly stuck with the risks you have (location, construction type, years in business), cyber insurance rewards preparation.

At Anchor Insurance, we help restaurant operators prepare for cyber applications by walking through the questions in advance, identifying gaps, and making sure you can answer honestly and confidently. This guide is your pre-application checklist - use it to prepare before you request quotes.

What Cyber Insurance Applications Ask About

Most cyber applications for restaurants are broken into these sections:

1. 1.
   Business basics: Revenue, number of locations, industry type, employee count, prior claims
2. 2.
   Data and systems: What data you collect, how it's stored, what tech systems you use
3. 3.
   Security controls: MFA, backups, endpoint protection, email security, incident response
4. 4.
   Vendor and third-party risk: Who manages your POS, payment processing, cloud services
5. 5.
   Coverage needs: Limits, deductibles, specific endorsements (like social engineering coverage)

Below, we'll walk through each section and give you a checklist to prepare.

Section 1: Business Basics and Prior Claims

What you'll need:

• Legal business name and DBA
• Annual revenue (last 12 months and projected next 12 months)
• Number of locations
• Total number of employees (FTE and part-time)
• Primary business type (full-service restaurant, quick-service, bar, cafe, etc.)
• Current insurance expiration date (if you have existing cyber coverage)

Prior claims questions:

Carriers will ask if you've had any cyber incidents in the past 3-5 years, including:

• Data breaches or unauthorized access to systems
• Ransomware or malware infections
• Business email compromise or funds transfer fraud
• POS system compromises
• Any claims filed under prior cyber policies

Checklist:

• If you've had incidents, be prepared to explain what happened, how you responded, and what controls you've implemented since then
• If you've never had a cyber incident, simply answer 'No' (don't leave blank)

Section 2: Data Collection and Technology Systems

Carriers want to understand what sensitive data you collect and how your tech stack is structured.

Data Collection Questions

Common questions:

• Do you collect or store credit/debit card numbers?
• Do you collect customer names, email addresses, or phone numbers?
• Do you collect Social Security numbers or other government IDs?
• Do you store employee payroll or health information?
• How many customer records do you have?

How to answer:

• If you use a third-party POS that tokenizes payments (like Square, Toast, Clover), you typically don't store card numbers - answer 'No'
• If you collect emails for loyalty programs or online orders, answer 'Yes' and estimate record counts
• If you use third-party payroll (Gusto, ADP), you typically don't store SSNs yourself - clarify this in your answer

Technology Systems Questions

Common questions:

• What POS system do you use?
• Do you have a website? Does it process transactions?
• Do you use online ordering or third-party delivery integrations?
• What reservation or table management system do you use (if any)?
• What payroll, accounting, and HR software do you use?
• Do you use cloud-based or on-premise systems?

Checklist:

• Make a list of all third-party platforms you rely on (POS, online ordering, payroll, reservations, accounting)
• Note whether each system is cloud-based (SaaS) or installed on your own servers
• Be ready to name specific vendors (e.g., 'Toast POS' not just 'a POS system')

Section 3: Security Controls (The Most Important Section)

This is where carriers decide whether to offer coverage and at what price. Be prepared to answer questions about:

Section 4: Vendor and Third-Party Risk Management

Common questions:

• Do you rely on third-party vendors for critical systems (POS, payroll, cloud hosting)?
• Do you have contracts or service-level agreements (SLAs) with these vendors?
• Do you review vendors' security certifications or insurance?

How to prepare:

• List your critical vendors and their roles (POS provider, payment processor, payroll service, etc.)
• Review your vendor contracts to understand their liability limits and SLAs
• Ask vendors about their security practices (do they have SOC 2 certification, cyber insurance, incident response plans?)
• If you don't have formal SLAs, note that in your application - it's common for small restaurants

Section 5: Coverage Limits, Deductibles, and Endorsements

Common questions:

• What total policy limit are you requesting? (e.g., $500K, $1M, $2M)
• What deductible are you comfortable with? (e.g., $1K, $2.5K, $5K, $10K)
• Do you want any optional coverages?

Optional coverages to consider:

• Social engineering / funds transfer fraud: Covers losses from fake invoice scams or CEO fraud (typically $50K-$250K sublimit)
• Dependent business interruption: Covers lost income if a third-party vendor (like your POS provider) suffers a cyber incident (often included, but check sublimits)
• System failure (non-malicious): Extends coverage to non-cyber outages (like software bugs or hardware failures)
• Regulatory defense and fines: Covers costs to respond to data privacy investigations (check if included or optional)

How to choose limits:

• Business interruption: Calculate your average daily revenue x 7-14 days to estimate a realistic outage cost
• Data breach liability: For small restaurants with limited customer data, $500K-$1M is often adequate
• Ransomware: Most policies include $50K-$100K for ransom payments; higher limits may not be necessary unless you're a large operation

Pre-Application Checklist Summary

Use this checklist to prepare before requesting cyber insurance quotes:

30 Days Before Applying

• Enable MFA on all email accounts and admin portals
• Set up automated daily backups with offline or immutable storage
• Install endpoint protection on all devices
• Enable email filtering and anti-phishing tools
• Draft a simple incident response plan

1 Week Before Applying

• Gather business basics: revenue, employee count, location details
• Inventory all third-party systems (POS, payroll, accounting, online ordering)
• Document security controls (take screenshots of MFA settings, backup logs, etc.)
• Review vendor contracts for liability caps and SLAs
• Decide on coverage limits and deductibles based on your risk exposure

During Application

• Answer honestly - don't exaggerate controls you don't have in place
• Provide specific vendor names and system details
• If a question is unclear, ask your broker for clarification before guessing
• Attach supporting documentation if requested (incident response plan, training certificates, backup test results)

After Submitting

• Be responsive to follow-up questions from underwriters
• Don't make changes to your security controls until after binding (if you remove MFA after applying, you may void coverage)
• Review the quote carefully - make sure limits and deductibles match what you requested

How Anchor Insurance Helps You Prepare

At Anchor, we don't just hand you a cyber application and wish you luck. We walk you through the questions before you apply, help you implement missing controls, and make sure your answers position you for the best pricing and coverage.

Our process:

• Pre-application review: We discuss the major application questions in plain terms and identify any gaps in your security setup.
• Control implementation guidance: We recommend low-cost or free solutions for MFA, backups, and endpoint protection that work for restaurants.
• Application assistance: We fill out the application with you (not for you) to make sure answers are accurate and complete.
• Multi-carrier shopping: We submit your application to 3-5 carriers to compare pricing and coverage terms.
• Quote comparison and recommendation: We explain the differences between quotes and help you choose the best option for your risk profile and budget.

Frequently Asked Questions

What happens if I answer a question incorrectly?

If you make an honest mistake, you can usually correct it before binding coverage. However, if you intentionally misrepresent your security controls (like claiming you have MFA when you don't), the insurer can deny your claim or rescind your policy. Always answer truthfully.

Can I apply for cyber insurance if I don't have all the controls in place yet?

Yes, but you'll likely get higher premiums or lower limits. Some carriers may decline coverage entirely if you lack basic controls like MFA. We recommend implementing at least MFA and backups before applying to get competitive pricing.

How long does the application process take?

Once you have all your information and documentation ready, the application itself takes 15-30 minutes. Underwriters typically respond with quotes within 2-5 business days, depending on the carrier and complexity of your risk.