Back to BlogCoverage Guide

If Your POS Vendor Gets Hacked: What Cyber Coverage Can (and Can't) Do for Restaurants

What happens when your POS vendor suffers a cyberattack? Learn what coverage you need and what your BOP won't cover.

Your restaurant's POS system is the backbone of daily operations: it processes payments, tracks sales, manages inventory, and integrates with your online ordering and accounting software. You've chosen a reputable vendor, kept your software updated, and assumed you're protected.

Then one morning, you arrive to find your POS is down. Not because of a power outage or a hardware failure - because your vendor was hit by a ransomware attack. Your terminals are locked, you can't access transaction history, and you have no idea when service will be restored.

This isn't a hypothetical scenario. In the past few years, major POS and hospitality software vendors have been targeted by cyberattacks, leaving thousands of restaurants unable to operate normally for days or even weeks. And when this happens, your standard Business Owners Policy (BOP) or general liability coverage won't help you.

At Anchor Insurance, we help restaurants understand what cyber insurance can (and can't) do when a vendor incident disrupts your business. This guide walks through the coverage gaps, what to look for in a cyber policy, and how to minimize your risk exposure.

What Happens When Your POS Vendor Gets Hacked?

When a POS vendor suffers a cyberattack, the consequences ripple across every restaurant that relies on their platform. Here's what you might experience:

1. Immediate Operational Disruption

  • Terminals go offline: You can't process credit or debit card payments, which means most customers can't pay.
  • Order systems fail: If your POS handles online orders or third-party delivery integrations, those may stop working too.
  • Sales data is inaccessible: You can't track daily revenue, run shift reports, or reconcile cash drawers.
  • Inventory management breaks down: You lose visibility into stock levels, which can lead to over-ordering, waste, or shortages.

2. Financial Losses Pile Up

  • Lost revenue from customers who leave when they learn you can't accept cards
  • Extra expenses for manual workarounds (paper tickets, standalone card readers, emergency IT support)
  • Employee wages you still have to pay, even if your revenue drops significantly
  • Potential spoilage if inventory systems are offline for days

3. Uncertainty and Stress

Unlike a power outage or equipment failure, vendor cyberattacks have no predictable timeline. The vendor might provide vague updates like 'we're working on it' without committing to a restoration date. You're left scrambling to keep your restaurant running with no clear end in sight.

What Your BOP and General Liability Won't Cover in a Vendor Hack

Most restaurant owners assume their existing commercial insurance will protect them if a vendor fails. Unfortunately, that's not how Business Owners Policies or general liability policies work.

Why BOPs Don't Respond to Vendor Cyber Incidents

  • No physical damage trigger: Business interruption coverage in a BOP typically requires direct physical loss or damage to your property (like a fire or storm). A software outage or ransomware attack on a vendor's servers doesn't qualify.
  • No bodily injury or property damage: General liability responds when your business causes injury or damage to a third party. A vendor's cyber incident doesn't meet that definition.
  • Service interruption exclusions: Many BOPs explicitly exclude losses caused by failures of utility services or service providers unless those failures result from direct physical damage.

In short: if your vendor's cyberattack doesn't physically damage your restaurant, your BOP won't cover the lost income or extra expenses.

What Cyber Insurance CAN Cover in a POS Vendor Hack

A well-structured cyber insurance policy can step in where your BOP falls short. Here's what to look for:

1. Dependent Business Interruption (DBI)

Also called contingent business interruption or system failure coverage, DBI pays for lost income and extra expenses when a failure at a third-party service provider (like your POS vendor) disrupts your operations.

What this typically includes:

  • Lost net income during the outage period
  • Continuing expenses like payroll, rent, and utilities that you still have to pay even if revenue drops
  • Extra expenses to minimize the loss (like renting backup terminals or hiring emergency IT help)

Key limitations to watch for:

  • Waiting period (deductible): Many DBI coverages have a time deductible (e.g., 8 or 12 hours) before coverage kicks in. If your vendor restores service quickly, you might not reach the threshold.
  • Sublimits: DBI is often subject to a sublimit (like $100K or $250K), which may be lower than your overall cyber policy limit.
  • Proof of loss: You'll need to document the vendor's outage, show that it directly caused your business interruption, and provide financial records to prove lost income.

2. System Failure Coverage

Some cyber policies include coverage for non-malicious system failures - meaning even if your POS vendor's outage wasn't caused by a cyberattack, you might still be covered if it's a software or hardware breakdown.

This is broader than dependent business interruption tied to a cyber event, but it's not universal. You need to ask specifically whether the policy covers non-malicious third-party failures.

3. Extra Expense and Mitigation Costs

Even if your policy's DBI sublimit is relatively low, extra expense coverage can help with immediate costs to keep your doors open:

  • Renting standalone credit card terminals or mobile readers
  • Hiring third-party IT consultants to set up workarounds
  • Paying for rush delivery of backup hardware
  • Public relations support to reassure customers and vendors

What Cyber Insurance Does NOT Cover in Vendor Incidents

Cyber insurance isn't a catch-all for every vendor failure. Here are some common exclusions and limitations:

1. Vendor's Liability to You

If your POS vendor's contract includes a limitation of liability clause (which most do), they may only owe you a refund of your monthly subscription fees - not compensation for your lost revenue or extra expenses.

Cyber insurance can fill this gap, but it doesn't give you the right to sue your vendor for more than their contract allows. It just pays you directly for your covered losses.

2. Non-Cyber Vendor Failures

If your vendor's outage is caused by a simple hardware failure, human error, or internal IT issue (not a cyberattack or system failure), some cyber policies won't respond. You need to check whether the policy includes broad 'service provider failure' language or is limited to cyber events.

3. Losses Beyond the Policy Period

If a vendor outage extends beyond your policy's maximum period of restoration (often 30, 60, or 90 days), you won't be covered for losses that continue after that window closes.

4. Indirect or Speculative Losses

Cyber policies typically don't cover reputational harm that doesn't result in measurable lost income, penalties you owe to third parties (like delivery platforms), or future business you might have lost due to the incident.

How to Choose the Right Cyber Coverage for Vendor Risk

If you rely heavily on third-party vendors for critical operations (and most restaurants do), here's what to prioritize when shopping for cyber insurance:

1. Ask About Dependent Business Interruption Coverage

Not all cyber policies include DBI as standard. Some carriers offer it as an optional endorsement; others build it in with restrictive sublimits.

Questions to ask your broker:

  • Is dependent business interruption included or optional?
  • What's the sublimit for DBI?
  • Is there a waiting period before coverage starts?
  • Does it cover only cyber events, or broader system failures?

2. Understand How 'Service Provider' Is Defined

Some policies limit DBI to specific types of vendors (like cloud hosting providers) and exclude SaaS platforms or software-as-a-service tools. Make sure your POS, payroll, and reservation systems qualify.

3. Compare Waiting Periods and Sublimits

A policy with a 12-hour waiting period and $100K sublimit might sound adequate - until you realize a multi-day vendor outage during your peak season could cost $50K in lost revenue plus $30K in extra expenses.

At Anchor, we help you model realistic loss scenarios based on your average daily revenue and fixed costs, so you can choose limits that actually protect you.

4. Review Your Vendor Contracts

Your cyber policy should work alongside your vendor contracts, not duplicate or contradict them. We recommend:

  • Reading your POS and software vendor's terms of service to understand their liability caps
  • Asking vendors about their own cyber insurance and incident response capabilities
  • Discussing with your broker whether your cyber policy's DBI terms align with how your key vendors are structured

How Anchor Insurance Approaches Vendor Risk in Cyber Coverage

At Anchor, we don't just sell you a cyber policy and move on. We help you think through your vendor dependencies and compare how different carriers handle third-party incidents.

Our process includes:

  • Vendor inventory: We ask which third-party systems are critical to your operations (POS, payroll, online ordering, reservations) and help you assess your risk if each one fails.
  • Coverage comparison: We shop carriers that offer robust DBI coverage and explain the differences in waiting periods, sublimits, and definitions.
  • Scenario modeling: We walk through realistic 'what if' scenarios - like a 3-day POS outage during a busy weekend - to help you understand whether your limits are adequate.
  • Plain-English explanations: Cyber insurance is full of jargon. We translate terms like 'contingent business interruption' and 'service provider failure' into language you can act on.

Frequently Asked Questions

Will my POS vendor's insurance cover my losses?

Usually not. Most vendor contracts limit their liability to refunding your subscription fees or a nominal cap (like one month's service fee). Their cyber insurance protects them from lawsuits, not your lost revenue. That's why you need your own dependent business interruption coverage.

How long does a typical POS vendor outage last after a cyberattack?

It varies. Some vendors restore service within hours; others take days or weeks, especially if they need to rebuild systems from backups or negotiate ransom payments. Cyber insurance with DBI coverage helps you survive the uncertainty by replacing lost income and covering extra expenses during the outage.

Can I buy cyber insurance that only covers vendor failures?

Not typically. Dependent business interruption is almost always part of a broader cyber policy that also includes data breach response, ransomware, and other coverages. But you can work with a broker to prioritize DBI limits and terms if vendor risk is your biggest concern.

Related Articles

Coverage Guide

Business Owners Policy (BOP) Insurance for Small & Mid-Sized Businesses

Protect your business with a single, powerful policy that combines property and liability coverage.

Read more
Coverage Guide

How Startup Insurance Works

Plain English guide to startup insurance explaining limits, deductibles, exclusions, bundled policies, and whether to use a broker or buy online.

Read more
Coverage Guide

Do Startups Have to Pay for Insurance?

Understand which startup insurance is legally required vs contractually required vs optional, including workers comp, COIs, and smart starter coverage.

Read more

Have questions about your coverage?

Our team is ready to help you find the right insurance for your business.

Get a Quote