Cybercriminals continue to attack the hospitality industry, becoming increasingly more sophisticated in their tactics. While high-profile incidents such as Marriott’s data breach earlier this year and MGM Resort’s data breach in 2019 that affected 10.6 million guests make headline news, limited-service and smaller franchise hotels are also the victims of bad actors, with data theft, social engineering, and ransomware among the leading threats. Chris Larson, Distinguished Underwriter, sheds some light on the cyber landscape in the hospitality sector and the insurance coverage available for smaller operations.
Many Hotel Franchisors Require Franchisees to Purchase Cyber Insurance
“Several hotel brands in their franchise agreements now require franchisees to purchase Cyber coverage as part of a comprehensive insurance program,” said Chris. “It’s important for franchisees to understand that a Commercial General Liability policy may either provide very limited Cyber coverage or most likely no coverage at all. Furthermore, CGL policies that do offer limited Cyber insurance don’t necessarily respond to key exposures such as ransomware and loss of income as a result of an attack.” More than half of small businesses that suffer a loss and do not carry Cyber insurance go out of business.
Frequency of Losses on the Rise
Chris also explained that as a result of the rise in digitization and the amount of data hotels collect and store online, the frequency of cyber losses has increased. “The volume of financial transactions that hotels carry out, the use of loyalty programs, and their database of sensitive personal data leaves operations increasingly exposed to cyberattacks.”
Social engineering and phishing attacks have become increasingly more common. These types of attacks involve an employee receiving an email that appears to be sent from a senior leader at an organization asking that he or she execute or approve a transaction, such as sending sensitive, confidential information or wiring funds to a bad actor. DarkHotel hacking, a form of phishing, involves tracking a user’s travel plans. Attackers then use the hotel Wi-Fi to target specific business guests (usually C-level business executives and other high-level figures), typically in a bid to gain sensitive information for nefarious reasons.
Ransomware is also on the rise in which cybercriminals encrypt an organization’s files, allowing them to hold data hostage and demand a ransom in order to restore access. The ransom is typically paid in bitcoin (digital money).
Inside Cyber Insurance
In addition to purchasing third-party Cyber insurance, it’s important for hotels to ensure their programs also provide first-party coverages. “Many think of Cyber insurance covering third-party liability exposures in the event of a customer data breach and, while this is critical, hotels must also consider the significant expenses involved with cyber extortion (ransomware), business interruption, the restoration of data, fraudulent wire transfers, and many other issues following a cyberattack,” noted Chris.
Cyber insurance rates for policies offering Liability limits of $1 million to $2 million have remained flat so far, which is the sweet spot for Distinguished and its coverage for limited-service hotels, according to Chris. “There are quite a few new carriers coming into the lower-end of the market, which is keeping rates competitive. In the higher segment of $5 million-plus limits where there are fewer carriers in the market, rates are increasing.” Distinguished’s Cyber policy for limited-service and franchised hotels is available in all 50 states and includes first- and third-party coverages, cyber-breach response services, notification expenses covered outside the limit of liability, business income, and cyber extortion coverage.