When it comes to risk management, hotel owners/operators not only need to know what could go wrong with the assets they handle, they also need to consider the plethora of “what ifs” that can cause sleepless nights for even the most seasoned hotelier.
One such stressor—and a complicated one—is the potential for cyberattacks on data systems. Insuring against cyberattacks has become a hot topic among hoteliers, galvanized into action by the upswing in such strikes since the onset of the coronavirus pandemic, with a 600 percent increase in incursions, according to Washington, D.C.-based cybersecurity firm PurpleSec.
Some hoteliers may think mitigating such risk “is for the big guys,” but they’d be wrong. Joe Addison, U.S. entertainment, hospitality & gaming practice leader for global insurance broker and risk advisor at Marsh (a business of Marsh McLennan), noted that cyber threats impact every industry.
“Every business—large and small—now must manage cyber risk. There’s no one-size-fits-all answer, either; with new digital transformation technologies comes an increased attack surface for cybercriminals to penetrate,” he said.
Concurring is Jackie C. Collins, senior real estate and hospitality director and senior area VP for Arthur J. Gallagher & Co., a global insurance, risk management and consulting services firm: “Hotel companies of all sizes and locations are targets for data breaches, including ransomware attacks. Many hoteliers feel they are protected by the brand; however, that is not always the case. Point-of-sale systems and other systems owned by the hotelier leave the owner exposed.”
Recent Marsh research shows that companies increasingly are realizing the importance of being covered.
“Marsh data showed 73 percent of our U.S. hospitality and gaming clients purchased standalone cyber insurance coverage in 2020, compared to 61 percent in 2019 and 57 percent in 2018,” Addison said. “This continued growth in the number of organizations across industries purchasing cyber coverage is driven by the growing recognition of cyber threats as a critical business risk and appreciation for cyber insurance’s role in mitigating its economic impact.”
With many hospitality employees working in remote situations due to the pandemic, there is ongoing concern surrounding cybersecurity, Collins said. “Not having proper security measures in place for the remote workforce left hotel companies and others vulnerable … Prior to the pandemic, we were starting to see requirements from the brands that franchisees must have coverage in place; now, we also are seeing requirements for cyber insurance included as part of management agreements. We have even seen requirements from brands requiring franchisees to sign up for security services through companies such as CrowdStrike.” CrowdStrike is focused on endpoint protection, threat intelligence and response.
Putting Controls in Place
By their very nature, the components of the hospitality industry differ in terms of their coverage needs; however, certain preloss security measures, such as multifactor authentication need to be in place ahead of cyber coverage.
“Marsh suggests hotel operators and owners prioritize the following five to have the most impact on insurability, mitigation and resilience: multifactor authentication; endpoint detection and response; secured, encrypted and tested backups; privileged access management; and email filtering and web security,” Addison said.
“The requirements differ by insurance company depending on revenue amount,” Collins said, but noted the concern around ransomware and the need for MFA holds throughout the industry.
“All insurance companies require MFA in order to provide a substantial limit of coverage for ransomware attacks,” she stressed. “Otherwise, there are a few carriers that will provide a very small sublimit.”
Regarding MFA requirements, Collins said most carriers are looking to see the following controls in place for increased ransomware limits: MFA for all remote access into the client’s network (first-party employees and third-party clients/vendors); MFA for email access; MFA for privileged/admin users.
“Hoteliers also may be required to utilize Microsoft Office 365 Defender in conjunction with Office 365 email services,” she said, adding: “Many carriers also require phishing training for all users.”
Cybersecurity isn’t the only concern for owners and operators. As a company in growth mode, Raines Co. has pursued a “more-holistic strategy with regard to risk management and the requisite investment(s) in the protection and well-being of both our physical and employee assets,” said Michael O'Brien, SVP of human resources at Raines, which has 20 owned and managed properties and 600 team members.
Partnering with USI Insurance Services and taking advantage of its reach and consulting services, O’Brien said the company has been successful in transitioning its position with carriers from a local, family-owned business to a midmarket presence. “We’ve been able to right-size our property/casualty coverage investment, identify additional business risk within our investment strategy and achieve more competitive pricing by leveraging the power of numbers,” he said. “Ultimately, we’ve been able to shift our focus from ‘what is required’ to increasing our investment in known (to larger companies) risk areas such as cyber security, errors and omissions, and/or to address increased competitive pressures, such as expanded health and wellness offerings.”
Like Raines, many hoteliers are reassessing their coverage needs. Similarly, carriers are reassessing who and what they are insuring. With the bulk of the lodging industry taking a significant hit—revenues, labor, materials—and still in recovery mode due to the ongoing pandemic, values being used by those insured are under the microscope.
“A number of carriers are scrutinizing values due to the discovery at the time of loss that many properties have been undervalued,” Collins said. “When coverage has been written on a blanket basis, carriers have found they are paying claims that are much larger than the values reported.”
Additionally, she noted the lack of materials and the labor shortage as a result of the pandemic have increased values even more. “Hoteliers will need to adjust values in order for carriers to be willing to provide coverage,” she said, adding that when hoteliers have been unwilling to increase values, “we have seen
According to Marsh’s Addison, valuation is one of the major issues for the industry and the property-insurance-brokering process today. “No one is sure whether it is an acute problem related to supply or inflation from the pandemic crisis or a more pervasive problem,” he said. “What is true is that underwriters are pushing insureds to scrutinize their values and, in many instances, mandating value increases to a threshold.”
Addison stressed the company’s responsibility to ensure clients are insured to value and Marsh, which overall generated $10.2 billion in revenue last year, will continue this process, often using a negotiated process between the insureds and the insurers. “However, a question remains,” he said. “If it is proven that the replacement-cost inflation was simply a pandemic phenomenon, will underwriters and appraisers be willing to reduce values appropriately when the cycle changes? There remains silence on this issue. It might be the market cycle that dictates the answer instead of the reality of construction costs.”