Revenue impact aside, cyber insurance is now an absolute for the hospitality industry, considering the mounting frequency and costs of data breaches plaguing hotel companies. Already in 2016, Trump Hotels, Omni Hotels, Rosen Hotels and the Hard Rock Hotel in Las Vegas have all experienced data breaches—and the consequences are striking.
Although the financial ramifications of each respective security compromise haven’t been disclosed, the 2016 Cost of Data Breach Study, conducted by Michigan-based Ponemon Institute and sponsored by IBM, found that the average consolidated total cost of a data breach grew from $3.8 million to $4 million from 2014 to 2015, while the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. Moreover, 47 of 50 U.S. states have mandatory data breach notification laws.
Changing the Game
“The financial risk of a breach is greater than the hospitality industry thinks, but we’re seeing an uptick as far as the hospitality industry purchasing cyber policies right now and the major cyber attacks that we hear about on the news every day are fueling that,” said Gamelah Palagonia, SVP at London-based global advisory, broking and solutions company Willis Towers Watson.
The hospitality industry is particularly at risk, in part because as hotels offer guests greater technological access and more interconnected systems, they simultaneously increase the risk of a data breach via properties’ public WiFi networks, new mobile-enabled key cards, data-sharing networks with third parties like OTAs and airlines, and point-of-sale (POS) purchases, which account for only 45 percent of breaches in the hospitality industry, according to Trustwave’s 2016 Global Security Report. The report also stated that the hospitality industry suffered the highest share of POS breaches of any industry. Fifty-five percent of data compromises that occur in the hotel business are a result of corporate/internal network breaches; yet the industry has been lax in addressing the issue of cyber security.
“Hotel companies are attractive targets to attackers because they are usually somewhat behind on cyber security, so they’re considered low-hanging fruit,” said Shlomo Touboul, CEO of Tel Aviv-based Illusive Networks (stylized illusive networks), a cyber defense firm formed by cyber attack specialists from Unit 8200, Israel’s elite cyber intelligence corps. “Hotels within a specific chain are usually well connected and staff isn’t necessarily computer savvy, making them easier targets for social engineering.”
The industry’s vulnerability makes cyber insurance a vital component of every hotel business’ risk management strategy. Yet, cyber policies are still a relatively new sector within the insurance industry and so there are no standard policies. Premiums are based on a company’s industry and services as well as data risks and exposures, computer and network security, privacy policies and procedures and annual gross revenue. “There are approximately 60 insurance carriers writing this type of coverage and each of those companies has various terms and conditions that apply to those coverages and coverage parts,” said Scott Wolff, managing director at New Jersey-based risk management insurance consulting firm Premier Risk Management.
That can spell more leverage for hotel companies. “The cyber insurance market remains very much in flux and the ability to negotiate better terms and conditions for policies is high now, but wait two years and the coverage may be offered on a take-it-or-leave-it basis and the ability to customize the policy may disappear,” said Lynda Bennett, cyber insurance expert at law firm Lowenstein Sandler.
Bennett advised taking particular note of a policy’s definition section as well as any sublimits that may apply. “Ensuring that all of the data that the policy is intended to protect is included in the scope of the definitions is a critical issue,” she said, adding, “many of these policy forms will provide coverage for payment card industry (PCI) fines and penalties, but not for the full amount of the policy limit, instead capping at a $1 million sublimit.”
Ransomware is also a rapidly growing threat that can cause total system failure, if only temporarily, and that is another consideration for coverage. “Hotel companies can’t operate if they can’t transact bookings because their systems are down,” said Palagonia.
Coverage for a Range of Hotels
A system failure can also adversely impact franchise properties that use the corporate brand’s central reservation system, placing the onus on the brand, according to Ben Beeson, cyber risk practice leader at Washington, D.C.-based insurance brokerage firm Lockton. "You would expect the corporate brand to cover that risk because it’s their system, under their custody and control," he said.
Despite the fact that there isn’t yet off-the-shelf cyber coverage, it is possible to purchase an issuing policy that includes a suite of support products such as the services of a forensic assessment firm, crisis management companies and legal firms qualified to do data breach response, all included on a pre-approved list provided by the insurer. "The advantage for small and mid-sized hotel companies that don't have a collection of these resources already established and no detailed data breach response plan in place is that a policy with a panoply of support products can kill a lot of birds with one stone," said Sandy Garfinkel, an attorney in the Pittsburgh office of law firm Eckert Seamans Cherin & Mellott.
Regardless of policy inclusions, cyber coverage isn’t a substitute for security either. “Cyber insurance does not replace poor controls,” said Beeson.