Cyber attacks are happening by the minute in every industry, wreaking havoc on operations and finances as well as the lives of clients and guests. The hotel industry is a particularly attractive target to cyber criminals because of the vast amount of private data and records those businesses hold. David Finz, an attorney and insurance broker specializing in cyber risk, discusses with LODGING the losses involved when a hotel falls victim to cybercrime and the protections cyber insurance can offer.
As Finz explains, “When people are reserving rooms, they offer their credit card number to hold the room—that is obviously valuable information, and if it gets into a hacker’s hands there could be breach response costs.” Those costs could include hiring a privacy attorney to determine what went wrong and who should be notified of the breach, he adds. A forensic investigator could be brought in to discover the cause of the incident and what should be done to remediate it.
The business may also need a public relations consultant. Notifying affected guests could require funds to mail notices, offer credit monitoring, and hire a call center to address concerns and inquiries. Finz also points out that a denial-of-service attack on a hotelier’s network can cause platforms to go down, leading to lost revenue when travelers unable to book on the website make their reservations elsewhere.
The good news: The lost income and extra expenses associated with any workarounds to deal with the outage, data breach, or ransomware attack are often covered by cyber insurance. Cyber insurance, Finz says, covers first-party exposure such as:
- An outage to a hotelier’s network and the lost income and expenses associated with it;
- Or a ransomware attack where data is corrupted and hoteliers have to pay to get it restored or hire a threat consultant to see whether they can negotiate a ransom payment.
Cyber insurance also covers third-party exposure such as private party litigation as well as regulatory proceedings, the cost of responding to those, and potential fines and penalties, Finz notes.
Costs of policies vary depending on the size of the organization as well as the cyber security measures they have in place, he explains. Insurance underwriters create an analytics report based on a company’s revenue, the industry that they’re in, their record count, and also a questionnaire around existing security controls. The record count for a hotel would be how much guest data they have on file. “We’d take that and couple it with a vulnerability scan, which is noninvasive, […] to see if there are any open ports,” Finz says. “We would also look at what chatter there may be about them on the dark web, and try to get a sense of what the hackers would see from the outside and whether they’re an attractive target.”
The information is put through a model which provides an estimate of the likely loss and benchmarks the organization against its peers to see how it sizes up in terms of its vulnerability to a cloud outage, a software impairment, or a vendor’s outage that could affect operations.
For a small company, Finz says, cyber insurance can be an add on to an existing policy; however, $10-20 million dollar companies need a stand-alone policy. “Every business that transacts with the public needs cyber insurance both to protect their own operations and to safeguard their customers’ data.”