Why Cyber Insurance Is Critical for Limited-Service, Franchise Hotels’ Business Continuity

April 19, 2024 / Distinguished

Hotels are favorite targets of cybercriminals, who are upping their game with increasingly sophisticated tactics to breach and shut down networks, demanding a ransom to get a system back online, and duping employees into providing confidential data and wire transfer of money. According to Cornell University and Freedom Pay research, 31% of hospitality providers have reported data breaches, and basic web attacks surrounding guest information represent 90% of hospitality breaches.

“Hotels of all sizes continue to be vulnerable to cyberattacks due to the high volume of credit card transactions and personal data collected through third-party online and mobile booking, check-in, and payment systems and loyalty programs, which is a treasure trove for bad actors,” explained Haley Cagle, Distinguished Cyber Product Manager.

“There is also a great deal of employee turnover in the hospitality industry, which contributes to a lack of awareness and training on social engineering and other types of cyberattacks,” Haley said. Haley explained that, because hotels, like other service-oriented industries, must be operational quickly in the face of an attack, cybercriminals know they can seek large payouts.

“Artificial intelligence (AI) is another vulnerability point with the rise in chatbot and generative AI use by hotels to facilitate planning and booking trips,” explained Haley. “Incorporating generative AI in phishing schemes helps create believable, context-rich messages to fool employees into providing confidential information.”

Franchisees Are Typically Required to Purchase Cyber Insurance

According to IBM data, the average cost of a hospitality breach is $3.4 million. Due to the importance of reputation in the industry, a breach can significantly harm a hotel’s bottom line.

“It’s critical that all hotels, including smaller operations, have robust cybersecurity measures in place and carry a comprehensive hospitality Cyber liability coverage to respond in the event of a loss.”

In fact, several hotel brands in their agreements require franchisees to purchase Cyber liability coverage as part of a comprehensive insurance program.

Distinguished’s Cyber Insurance Program

Our Cyber Liability program is available nationwide and provides coverage for the following:

Cyberattack Costs: Direct costs associated with being the victim of a cyberattack, including theft of funds, extortion, and phishing schemes
Response Costs: Costs associated with responding to a cyberattack, including forensic, legal, and privacy breach management costs
System Costs: Costs associated with repairing systems after an attack
Business Interruption, including Dependent Business Interruption Costs: Expenses and loss of income due to an attack
Media Costs: PR expenses to help protect a brand after a breach
Liability Costs: Legal fees and regulatory fines caused due to an attack
Payment Card Liability and Costs

Distinguished’s Cyber liability insurance for hotels also covers specific fraudulent instruction, funds transfer, and telephone fraud.

“In addition, we provide access to a specialized breach response team to help clients manage a breach,” said Haley.

Our program is competitive and through an industry leader in Cyber insurance. We make it easy to submit and get a quote. Limits up to $2 million are available.

Common Cyberattacks Against Hotels

Customer data or identity theft is the most common attack for hotels, with point-of-sale breaches being the most significant threat, as they come from third-party vendors. Phishing and ransomware are also major threats. Phishing tactics involve sending an email that looks authentic to gain access to a system and confidential data via the email recipient. Ransomware blocks access to specific data or systems until payment is made. Safeguarding against these threats is crucial, highlighting the importance of cyber insurance for hotels.

“Social engineering techniques have become more sophisticated,” explained Haley, “with cybercriminals able to bypass multifactor authentication (MFA). Without MFA in place and with weak, unsecured, and shared passwords, it’s even easier to commit a cyberattack.”

Recent Cyberattacks Against Hotels

It’s important to note that, although the larger hotel operations, including the ones featured here, make headline news when a cyberattack occurs, every hotel is at risk for the same type of cyber exposure. Most recently, Omni Hotels & Resorts was forced to shut down its system following a cyberattack. The Dallas chain confirmed the breach that occurred on March 29 on social media and is investigating the scope of the event.

In mid-2023, MGM Resorts International reported a massive cyberattack that resulted in over $100 million in costs and the theft of an unspecified amount of personal guest information.

Last summer, malicious actors penetrated Virgin Hotels North America’s systems, impacting more than 4,000 people.

In September 2023, Caesars Entertainment disclosed a significant breach in which hackers obtained the company’s loyalty program records. The database contains highly personal information for many customers, including driver’s license information and Social Security numbers. The attackers used social engineering to breach a third-party IT vendor before gaining privileged access to Caesars’ loyalty program database. After stealing the database, the organization demanded a $30 million ransom and threatened to publish it online if it was not paid. Ultimately, Caesars agreed to pay a $15 million ransom to prevent the stolen material from being released.

Budget hotel Motel One was hacked in late 2023 by the cybercrime group AlphV/BlackCat. The attack resulted in downtime for the hotel and the theft of an unspecified amount of customer data, such as postal addresses, email addresses, and telephone numbers.

Cybersecurity: A Top Priority

“It’s critical to prioritize staffing training on phishing and social engineering techniques and how to mitigate risk,” explained Haley. Network security is also critical, with strong passwords and training to help prevent breaches. Also, a hotel should ensure its third-party vendors have the best cyber practices. Carefully choose and audit these providers to ensure their security measures meet the hotel’s standards.”

Hotel operations should update their cybersecurity plan at least annually.

About Distinguished Programs

Distinguished Programs is a leading national insurance Program Manager providing specialized insurance programs to brokers and agents with specific expertise in Fine Art and Collectibles, Environmental and Construction Professional, Executive Lines, Inland Marine, Real Estate & Builder’s Risk, Community Associations, Hotels, and Restaurants. Property and Liability products are distributed through a national network of agents and brokers. Serving the same core markets and partnering with the most stable and reputable carriers, Distinguished’s high-limit Umbrella programs remain the clear choice in its area of specialty for superior coverage, competitive pricing, and attentive service. Through thoughtful innovation, stemming back to 1995, Distinguished Programs fosters growth and opportunities for its brokers, carriers, and employees.

View a full list of our programs and submit business with Distinguished.

‣ Register Your Agency
‣ Learn More
‣ Contact Us