The hotel market is one of complexity and fast-paced change. With IT systems and technologies advancing at an alarming rate, in addition to increased use of third-party sites such as Trivago, hotels are more reliant than ever on IT programmes. Insurance for this sector is ever-changing as it grapples with new exposures created by technology. Any and all organisations are at risk through their use of online networks and systems, including exposure to hardware and software.
One poignant data breach within the hotel industry occurred back in 2018 when Marriott International suffered a colossal world-wide hack into their guest records. Customers of the hotel had their credit card details, passport numbers and dates of birth stolen by the hackers. It was estimated that 500 million people were affected by this breach.1
Upon investigation, it was discovered that the cyber security issues stemmed from the Starwood hotels group system, a chain that Marriott International acquired back in 2016. Their systems had been compromised in 2014; however, this went undetected until 2018. The Information Commissioner’s Office (ICO) proposed a £99.2m fine for the hotel industry giant.
Then, 2 years later in January 2020, Marriott International was struck by another devastating cyber-attack. Although the hack wasn’t discovered until late February, it was revealed that hackers had obtained two members of staff’s login details and accessed the guest data of an unspecified chain of hotels. Customers’ names, phone numbers, dates of birth and loyalty account numbers were compromised.
The ICO concluded that Marriott failed to conduct adequate due diligence upon its acquisition of Starwood, and that the breach might have been avoided if security checks of the chain’s IT systems had been carried out. GDPR makes it extremely clear that organisations are responsible for any personal data that they hold, and so must be held accountable for any breaches. Elizabeth Denham, the information commissioner, advised that companies must carry out proper due diligence, “putting in place proper accountability measures to assess not only what personal data has been acquired, but how it is protected.”2
As you can see, these types of breaches can happen to major firms but sadly, hackers will target anyone from a small B&B up to these multinational corporate firms.
All firms now need to consider cyber risk and appropriate risk mitigation strategies as part of their basic corporate governance. Cyber risk affects all businesses and can seriously damage their viability. Experience in the United States has shown claims being brought against directors for failing to put cyber liability insurance in place, and therefore not taking sufficient steps to protect the assets of the business.
We’ve put together our top tips for hotels to protect their business from cyber-threats:
Ensure that cyber security awareness is engrained within your company culture.
Senior decision makers should be taking a very serious approach towards the security of their customers’ personal data. They should strive to make their systems as safe and secure as possible. Hotels should mandate regular staff cyber training.
Look out for phishing attacks.
Phishing is the crime of deceiving people into sharing personal information such as passwords or credit card numbers, usually via an email masquerading as a trustworthy contact. These attacks account for around half of cyber-attacks in the UK; that’s roughly 20% above the global average.3
Ensure your Point of Sale (POS) system is secure.
These systems hold an incredible amount of your guests’ personal data – 65% of all hotel system hacks occur within them.4 They become exposed to cyber-attacks through weak passwords, insecure remote access, outdated software and malware infections.
Be proactive, not reactive.
Risk management is imperative for hotels – a significant proportion of this relates to cyber-risk. Those responsible must constantly challenge and review their cyber systems and security in order to stay ahead of hackers.
Review your insurance policies.
Beware – many cyber insurance policies are not what they seem and can be littered with conditions precedent, enabling an insurer to avoid a claim in certain situations, e.g. if you haven’t kept up to date with the latest software patches. Be sure to review your policies with a specialist.
Brunel Insurance Brokers is an independent broker with extensive experience working within the hotel sector – we fully understand its requirements and ever-increasing demands. We partner our expertise with our open-market access to provide bespoke solutions to our clients’ cyber needs. Our goal is to provide fast, informal, reassuring and informed client service, tailored to the individual needs of our client’s business. We believe in creating a dialogue with our clients and have the expertise to explain the issues so that our clients can make educated decisions.
To discuss your requirements as well as your firm’s cyber-security, contact one of our specialists on 0117 325 2224 or email firstname.lastname@example.org.