
Why Investing in Cybersecurity Insurance has Become Vital for Hotels

Global cybercrime is expected to grow 15% year over year for the next five years, costing companies worldwide an estimated $10.5 trillion by 2025 – more than triple the cost of $3 trillion in 2015.

Dependence on technology is part of our daily lives, both personal and business. Whether we’re on a computer for work or scrolling through social media on our mobile phones, technology is an easily accessible and expected part of life. However, its prolific use also means increased risk at every turn.

Advancements in technology also have brought a rise in cybersecurity threats as hackers get craftier and more adept at finding new ways to infiltrate computer systems. Four of the most common cyberthreats faced by companies today are phishing, ransomware, distributed denial of service (DDoS), and spoofing attacks. If your hotel business suffers any of these strikes, you may be subject to not only a major disruption in operations but also the payout of thousands of dollars to recover critical data or in lawsuits as a result.

Unfortunately, costs are projected to continue climbing, according to a report by Cybersecurity Ventures. Global cybercrime is expected to grow 15% year over year for the next five years, costing companies worldwide an estimated $10.5 trillion by 2025 – more than triple the cost of $3 trillion in 2015. If you haven’t invested in a cybersecurity risk management plan for your hotel, you’re already behind.

Understanding the Different Threats

Cyberthreats come in as many different forms as hackers can dream up. The key to protecting your business is to first understand the fundamentals of each threat.


Phishing

Phishing attacks often come in the form of emails to employees asking them to click on a link or open an attachment. Think of them as presenting something fishy; they just don’t look or feel right. Often, a phishing email is designed to look like it is coming from a co-worker to disarm the receiver and lull them into thinking it’s safe to open. However, once the link is clicked or the file is opened, your software or network can be corrupted. Most computers come with software built in that prevents these emails from coming through, but it’s always important to remember not to click on anything that is questionable or seems out of the ordinary.


Ransomware

It’s all about the Benjamins when it comes to ransomware attacks, which are currently the most notorious and expensive threats. When hackers get access to your valuable information, they lock it away and demand a sum for its return, spanning anywhere from $10,000 to several million.

The ransom figure, however, often pales in comparison to the overall costs associated with an attack. “Remediation costs, including business downtime, lost orders, operational costs, and more, grew from an average of $761,106 in 2020 to $1.85 million in 2021,” according to Sophos’ State of Ransomware 2021 survey. Recovery costs are now 10 times the ransom payments themselves, which is a devastating reality facing the hospitality industry. Remember, it is recommended to never pay a ransom.

Distributed Denial of Service

Just the name, distributed denial of service, should make any hospitality business owner shiver. DDoS is all about sending overwhelming amounts of connection requests or data to exceed a computer system’s capacity and render it inoperable. For an industry all about service, the inability to deliver a consistent customer experience presents a serious reputational risk for owners.

Some DDoS attacks are minor and come with a ransom demand and the threat of a more serious attack if payment is not received. Diversion also is a widely used tactic. While the targeted businesses focus on the initial attack, hackers may be stealing data or installing malicious code.


Spoofing

Spoofing is an insidious type of cyberattack due to its stealthy nature. A hacker may be a guest at your hotel who sets up a WiFi network that looks like the hotel’s network. Other guests attempt to log in to the hotel’s network, don’t notice anything amiss, and use the spoofed network instead, which then collects all their data.

Once a hacker has a guest’s information, it will likely be used in some fraudulent manner, such as for credit card purchases. Should this type of activity be traced back to your hotel, it potentially could damage the hotel’s reputation and cost more than the attack itself.

Protecting Your Systems

Despite the countless threats that work in the shadows of the internet, there are steps that businesses can take to protect themselves. It starts with training. The more your staff knows about cybersecurity threats, the more aware they will be when it comes to spotting them. With so much turnover in the hotel industry and new types of threats popping up, it’s clear that establishing a consistent training schedule is important. Training sessions don’t have to be long, however. A half-hour session once a quarter will help keep your staff knowledgeable and able to spot an attack quickly.

It’s important that every staff member participates in the training – from the hotel cleaning service and the valet workers to back office full-time staff. The use of technology is prevalent in every position. The iPads or keycards that staff carry, POS systems in the bars and restaurants, computers at desks, cellphones, and more all hold data valuable to hackers.

Make sure all your technology is secure at all times and employ multifactor authentication where possible. With the pandemic shifting nonessential employees to remote work, it also would be wise to invest in a virtual private network (VPN) for staff. While there may be a learning curve for some employees, it will save your company money in the long run when faced with cyberthreats.

If you’re still on the fence about investing in cybersecurity tools, work with a third-party vendor to test the weaknesses in your current setup. This exercise will reveal the ways a hacker can get access to your valuable information. You’ll also get guidance on how best to address the deficiencies in your network.

Today, a cyberattack on your business is a matter not of if but of when. You need to ensure you have the protection provided by a cyber insurance policy, which can act as a safety net. Previously, it was easy to secure cyber coverage. However, with the continuous rise in cybersecurity incidents, it is becoming more of a challenge to obtain the right policy for your hotel. It is best to consult with your independent insurance broker about your current policies and any additional coverage you may need to protect your hotel from cyberthreats.





Justin Reese is an executive risk management consultant at Insurance Office of America. He can be reached at [email protected].

Justin provides property and casualty insurance risk management solutions to clients across the U.S. Prior to joining IOA, Justin was the national risk services lead for HUB International’s hospitality practice. He has more than 19 years of professional risk management, safety, health, and environmental consulting experience.

His work experience includes six years with a national insurance carrier and the operation of a private consulting firm for six years. Justin also served as the regional safety manager for a national general contractor, which provided him with opportunities in the private sector as well as defense contracting. He worked overseas in support of the U.S. Army Space and Missile Defense Command at a remote operating garrison providing risk management, safety and compliance for base infrastructure improvement.

Additionally, Justin has extensive experience in hospitality, construction, municipalities, real estate and transportation risk management. Justin received his BBA in risk management and insurance from the University of Georgia and his MBA in accounting and finance from Charleston Southern University.
