We all know that person at the gym (and if you don’t, it may be you)…the individual who is always on the treadmill cranked up to 8.0 for seemingly hours…but you never see them lifting any weights. Or the individual who looks like they can hardly move their arms because their biceps are 2x the size of your neck, but you never see them on an elliptical machine. They have a focus. They have a purpose. They have a plan. But is it a comprehensive plan for their well-being and health overall?
The same question should be asked of gyms. Gym owners and operators carry the requisite coverages that they must per their lending requirements and often per the franchisor agreement contract under which they operate. This largely consists of general liability and property insurance. Often a package policy, especially if procured through a valued independent insurance broker, contains some professional liability for the group exercise instructors and personal trainers, some abusive acts coverage and maybe some additional enhancements.
This coverage is vital and needed to operate your business; perhaps the same as getting in good cardio to keep the heart pumping healthy. But just as that workout warrior who is a cardio machine in and of themselves may not be doing the necessary strength training to prevent injuries or issues as they get older, a package policy without cyber coverage may leave you vulnerable in ways you’re not even aware of.
Often gym owners and operators believe that cyber security concerns aren’t a big deal within the gym space. They think financial institutions and larger retail operations are the main targets for cybercrime. In fact, this is not the case as more and more businesses of all sizes are potential targets for cyber criminals who have become more emboldened during the pandemic.
First let’s look at some of the data that gyms may have that could be of value to hackers or create vulnerabilities:
- Payment information including credit cards, bank routing information, etc.
- Personal health history of members
- Email and contact information that could be used for identity theft
- Operating capabilities that can be crippled by hackers with ransomware (e.g., check-in computers, personal training logs, maintenance logs, email capabilities, point of sale systems)
If you’ve been through a cyber-attack, you know how difficult it is to try to have some sort of business continuity without trusted computer access and capabilities. Couple this with the associated costs of forensic computer engineers, loss of business, and notifying your client base of the data breach, and a cyber-attack can really disrupt your business or even cause it to close.
So, the questions are: What coverage should I consider for my gym and what should a good cyber policy provide for my business? Let’s start by outlining and defining the primary risks cyber insurance is designed to cover:
- Network Security / Privacy – data breaches, malware infection, ransomware, etc.
- Network Business Interruption – designed for revenues that are unrealized due to the cyber event that has closed or interrupted business
- Media Liability – intellectual property infringement
- Errors & Omissions – failing to fulfill contractual obligations and deliver services to your customers
Now let’s look at how a cyber policy can provide the protection against these so that in the event of a cyber-attack your gym’s fitness level will be at its peak:
- Legal Expenses – retaining counsel to represent you in any lawsuits or filings for your business that may be needed to get back to the operating efficiency level prior to the attack
- Forensic IT Services – highly skilled IT Forensic experts may be needed to remediate the damage done by the hackers
- Negotiation and Payment of Ransomware – in the event this is necessary
- Data Restoration – finding, capturing and restoring your data to pre-attack or near pre-attack levels
- Breach Notification to Consumers – states have laws surrounding notification to consumers as to the cyber-attack, so customers are aware of their potential vulnerabilities
- Public Relations Expertise – on larger scale attacks especially, crisis communication is needed to restore consumer confidence
- Credit Monitoring and Identity Restoration – if individuals become victims through information obtained in the attack on your business
The Public Relations component is often overlooked when it comes to any risk mitigation and response within the gym space. There are many options for consumers when it comes to gyms, fitness centers, clubs and at-home workout modalities. If your gym or club is seen as unsafe, whether it be from a serious injury that hits the local news cycle or a cyber-attack, it can be extremely damaging to your reputation and may deter members from continuing their memberships or new members from joining.
Just as there are many ways to work out, there are many ways to protect yourself and your business from loss. Risk mitigation measures can be put in place such as dual-identification verification for certain system access or working with a vendor to provide thorough malware and cyber security protection on your systems. You may choose to avoid an activity (I’m not planning on sky diving any time soon personally) or not provide it for your members. You can self-insure that exposure, meaning you would take on the resultant expenses incurred in the event of a loss or, in this case, cyber-attack. Or you can transfer the risk through the counsel of your trusted risk advisor and independent insurance agent to an insurance carrier and the services and support they can provide.
I’ve gone through phases of health and wellness both in habit and in the way I work out (who can forget the P90x phase – I was looking the best I had in maybe forever!). I eat right at times and during some periods I don’t. I’ve trained for and run a half marathon, focused heavily on cardio when I’ve worried about the old ticker and hit the weights a little harder before a beach vacation. Balancing cardio and strength training is important for everyone. Taking that approach with your gym by adding a cyber policy to supplement your package policy will help prevent injury and protect your business holistically.
Brian Rawlings is Practice Leader for FITLIFE, administered by Venture Insurance Programs. Reach him at firstname.lastname@example.org or 800-282-6247 ext. 323.