Over the past several years, cyber risk has become a leading issue for many individuals and organizations – particularly as online connectivity and information have become a constant for both businesses and consumers.
Unfortunately, the speed and convenience that electronic communications and purchasing systems provide can also lead to significant threat in terms of data breaches and other cyber security issues. These, in turn, can result in significant financial ramifications, lost goodwill, and in some cases, even the loss of companies altogether.

Hotels & Cyber Security

Evaluating the Real Risk of Cyber Attack

While identity theft has been in existence for decades, more recently cyber security risk has catapulted up the charts as a potentially devastating peril for both consumers and businesses alike.

One area that has been particularly hard hit is the hospitality industry. In fact, the hospitality industry is a highly attractive target for criminals that want to get hold of a valuable asset – data.¹

Hotels, for instance, can be extremely lucrative targets for cyber hackers – starting with the fact that most hotels and motels have several different points of purchase for their customer use, such as check-in / check-out, a gift shop or other retail entity, and in many cases, a restaurant and / or bar.

Although the risk of breached data can often come from an outside source, infractions that are induced by malicious insiders is also a concern. These can include disgruntled employees (former or current), as well as outside contractors that are affiliated with the company in some way.

According to a study by NetDiligence, the hospitality industry accounted for a substantial portion of cyber attack claims in 2015 that were brought about by an insider. And, when combining the hospitality and restaurant industries together, approximately 24% of claims were caused by malicious insiders during 2015.²

So, what are some of the key risks that hotel operators face when it comes to cyber crime?

There are actually several, including:

• Privacy risks (such as credit card information)
• Personally identifiable information (for hotel guests and hotel employees – and the risk increases if the hotel offers a customer loyalty program)
• Numerous points of purchase (the front desk, as well as in the gift shop and / or restaurant)³

Lately, cyber crime is becoming more frequent, and much more difficult to detect. For instance, in November 2015, Hilton Hotels stated that it was the victim of a security breach. This came after two months of investigating the possibility of a cyber attack. In this case, the cyber intrusion consisted of unauthorized malware targeting Hilton’s payment card information in various point-of-sale systems.

Just how many of its customers were affected is yet to be determined. But with more than 4,500 properties across 97 different countries, it’s likely that the effects will be far-reaching in terms of financial implications and future customer goodwill.⁴

[blockquote]

The average total cost of a cyber attack is more than $7 million, which equates to an average cost of $221 per lost or stolen record. But that’s just the tip of the iceberg.

[footer]Ponemon Institute[/footer]

[/blockquote]

Just how much can a cyber attack cost in terms of hard dollars?

According to the Ponemon Institute’s 2016 Cost of Data Breach Study, the average total cost is more than $7 million, which equates to an average cost of $221 per lost or stolen record.⁵ But that’s just the tip of the iceberg.

For example, post data breach costs have also increased over time. These will typically include special investigative activities, communication and help desk activities (with customers and data experts), and other remediation activities. Also, many customers who have fallen victim to a cyber incident are now suing the victimized businesses, which means increased legal expenses for companies that have been attacked.

In addition, the cost of lost business has also risen over time, as cyber attacks have become more frequent – and more costly to both the companies that are attacked, as well as the affected consumers. Such costs can include the abnormal turnover of customers, increased new customer acquisition activities, reputation losses, and diminished goodwill.⁶

On top of that, in the United States, the Federal Trade Commission (FTC) controls and safeguards the interests of consumers. In fact, the FTC is authorized to conduct enforcement actions against companies in a number of industries, including hospitality, when a compromise of personal information has occurred.⁷

Take, for instance, the case of the FTC versus Wyndham Worldwide Corporation. This situation stemmed from an FTC investigation that followed three separate data breaches. Between 2008 and 2010, hackers had gained access to Wyndham’s network on three occasions, stealing payment card information from more than 619,000 Wyndham customers, and resulting in over $10.6 million in fraudulent purchases.⁸

After it had investigated these breaches, the FTC filed a lawsuit against Wyndham, claiming that the company – even though it was a victim itself – had engaged in “unfair and deceptive business practices.” Here, the FTC alleged that in addition to other infractions, “Wyndham allowed its hotels to store payment card information without encryption, and that is also failed to use readily available security measures, such as firewalls.” In addition, the FTC also stated that the company “failed to employ reasonable measures to detect and prevent unauthorized access to its computer network.”⁹

So, added to the cost of a data breach itself, and the loss of goodwill – and future business – companies can also face some stiff penalties from government entities, which can lead to additional monetary costs and loss of reputation going forward.

How to Tell If a Business is More Vulnerable to a Cyber Attack

While no one is immune to a cyber threat, there are certain organizations that can be at a higher risk. For instance, those that gather, maintain, and/or store private customer information can put a company or an industry at a much higher risk, as are those that have a high degree of dependency on computer networks or electronic processes.

In addition, those companies that offer numerous points of sale can also be at a heightened risk, as there are many more “gateways” for cyber criminals to gain access to customers’ personal and / or financial information.

But, regardless of the type of business or industry in question, across the board, there is a 26% likelihood of any company or firm becoming the victim of a data breach over the next 24 months.¹⁰

Why Standard Business Liability Insurance Still Leaves Companies at Significant Risk

Many companies, including those that are in the hospitality industry, will typically carry insurance coverage in a number of areas. But while these policies can a protect from various tangible losses and liability issues, there is little or no coverage in terms of cyber risk.

For instance, some of the coverage that is carried by organizations in the hospitality industry includes:

• General Liability – This type of insurance provides coverage for property damage and bodily injury, but not the economic loss that is associated with a data breach.
• Property Insurance – A property insurance policy will cover tangible property that is typically caused by some type of physical peril, but not data that is lost.
• Crime – Many companies will also carry crime insurance, which offers coverage for employees and tangible property, however, still leaves third party property such as customer data at risk.

How to Transfer the Risk and the Cost of a Cyber Attack

As cyber criminals become more sophisticated, all organizations should consider themselves a potential victim. So, in the face of increased cyber risk, there are some ways that companies can alleviate some or all of the cost, while at the same time, assuring customers that steps have been taken to better ensure their privacy as well.

One is to secure data across all channels. Some of a business’s data that is at the highest risk includes credit card information and personally identifiable information, as well as loyalty program details and customer rewards points.

Companies should also regularly review their privacy policies. Any entity that collects information about its customers should take a close look at its privacy policy in order to ensure that it accurately reflects the firm’s cyber security. In doing so, it is important to be sure that the privacy policy is in compliance with both federal and state laws and regulations.

Companies should also consider the purchase of cyber insurance coverage. Due in large part to the growing risk of cyber attacks, several of the large insurance carriers have developed policies that specifically address cyber security issues.

Because cyber insurance protection is now offered as stand-alone coverage (versus just a rider or endorsement on other types of liability coverage, if it is offered at all), these policies can often be highly adaptable to the specific needs of a particular business or industry.

In fact, today it is possible for insurance brokers to create customized solutions that are based on particular needs, and that can provide monetary reimbursement, as well as direction and consultation, even in the face of a significant data breach situation.