Marriott Data Breach is a Good Reminder to Review Your Cyber Insurance Coverage
Recent reporting suggests that Marriott International Inc. suffered its second data breach this year.[1] And the headlines are alarming – “Hotel giant Marriott confirms yet another data breach,” “Marriott Data Breach Affects More Than Five Million Guests,” “Marriott Hotels admits to third data breach in 4 years,” and on and on.
Anyone in the hospitality industry, and anyone reading this article, is right to be concerned. No one wants to see headlines like these, let alone be named in them.
Unfortunately, cyber criminals are continuing to aggressively pursue and exploit vulnerabilities and to find ways to exfiltrate and monetize data.
Some early reporting suggests that the attackers were able to dupe an employee at the BWI Airport Marriott into granting them access to the company’s systems.[2] And while there are numerous security lessons to be drawn from the event, it also serves to highlight the fact that there are insurance products available which can provide both incident response assistance and bottom-line protection in the event of such a breach.
What is Cyber Insurance?
In May 2021, the United States Government Accountability Office (GAO) published a comprehensive report entitled “Cyber Insurance: Insurers and Policyholders Face Challenges in an Evolving Market.”[3] The GAO aptly outlined the market as follows:
Some private insurance companies offer businesses and other entities cyber insurance to protect against first-party (policyholder) and third-party losses (policyholder’s clients or customers) from an event that jeopardizes the confidentiality, integrity, and availability of an information system. The insurance can be provided through a standalone policy that provides only cyber insurance coverage or as part of a package policy that provides multiple types of coverage, such as a general commercial liability insurance policy.[4]
Marsh McLennan, the largest commercial insurance broker of U.S. business, assisted GAO with the report and said that between 2016 and 2020, its clients’ cyber insurance take-up rates rose from 26 to 47 percent.[5] Per the report, hospitality and retail – as sectors that commonly take payment card information – were among those experiencing the most significant growth in take-up over that period.[6] In particular, the hospitality and gaming sector grew from less than 40 percent take-up in 2016 to more than 70 percent take-up in 2020.
While more and more organizations, particularly in hospitality, have taken up cyber insurance, the market has become more challenging for policyholders. Per the report, premiums are going up and limits are coming down. In other words, companies are being asked to pay more in exchange for less coverage than they may have received in the past. In a February 2022 article about cyber insurance and the hospitality sector, one hotel chain risk manager reported “200% to 300% rate increases and deductibles doubling in some instances.”[7]
But even with that said, cyber insurance does have certain benefits.
The Benefits of Cyber Insurance
There are three primary benefits to cyber insurance.
First, as the underwriting process has become more challenging, insurers are taking a deep dive into the security practices of companies. Cyber insurance applications are growing longer, and the questions are probing deeper into the systems, personnel, and processes in place to protect an organization's data and systems. While invasive, these exercises cause companies to improve their security controls to meet the demands of cyber underwriters, which raises the overall level of security of those companies.
As reflected in a recent lawsuit by an insurer against an insured,[8] the application process can be very challenging, so it is important for companies to: (1) take their time with it, carefully reviewing each question; (2) ensure that all stakeholders are involved so that there are no gaps in knowledge; (3) pose questions to the broker or insurer if anything is unclear; and (4) feel free to provide addenda with additional information if the question cannot be answered within the confines of what is being asked (such as a yes or no question).
Second, cyber insurers often provide robust incident response services as part of their insurance offering. These services can include technical/forensic services, legal services, public relations, and even ransomware negotiation specialist services. And since cyber insurers and their vendors are often seeing incidents on a macro-scale, they may be better able to respond than a hospitality company acting on its own initiative.
Companies should work to integrate insurance resources and vendors into their incident response plans. Companies sometimes lose out on reimbursement if they do not use approved vendors. Alternatively, companies can work with their brokers and insurers to try to get their preferred vendors, already in their incident response plans, pre-approved for incident response services.
Third, insurance for cyber risks provides bottom-line protection for companies who have been the victims of an incident or a resulting lawsuit. In the first-party context, such as where there is a ransomware attack, this can include reimbursement for loss of business income, damaged infrastructure, ransom payments, and the extra expenses associated with keeping the business running following the incident. In the third-party context, such as when there is a class action lawsuit against the company by customers impacted by the breach, this can include legal costs for defending the action as well as for the pre-suit notification of impacted individuals, as well as the costs for any settlement. In some cases, there may also be coverage for the defense and payment of damages associated with any related regulatory action. Because there is no standard form policy, the coverages, definitions, and conditions will vary from policy to policy. As such, a simple tip here is to read and familiarize yourself with your policy, and to work with your broker, risk management, operations, and legal to ensure that the policy offered is fit for purpose.
ABOUT THE AUTHOR
Peter Halprin is a Partner with Pasich LLP in the firm’s New York office. He is a frequent writer and speaker on cyber insurance topics, a Faculty Member with the Global Cyber Institute, and obtained a Harvard VPAL certificate for completing “Cybersecurity: Managing Risk in the Information Age.” Halprin may be contacted at (646) 974-6470 and [email protected].
[1] https://www.theverge.com/2022/7/6/23196805/marriott-hotels-maryland-data-breach-credit-cards
[2] https://venturebeat.com/2022/07/07/marriott-social-engineering/
[3] https://www.gao.gov/assets/gao-21-477.pdf
[4] Id. at 4.
[5] Id. at 5.
[6] Id. at 6.
[7] https://www.businessinsurance.com/article/20220216/NEWS06/912347777/Cyber-concerns-stress-hospitality-sector-insurance-rates-technology-
[8] https://www.law360.com/insurance-authority/other/articles/1509388/misrepresentations-voided-co-s-cyber-policy-travelers-says