Is cyber insurance worth having?

NATIONAL REPORT—It’s certain: All companies are at risk for cyberattacks. Data breaches, monetary transfer fraud, cyber extortion and other cyber-related crimes are just some of the threats. This poses the question: Does my business really need cyber insurance?

Hotel Business caught up with industry professionals, who all agreed that the answer is increasingly yes, as the digital landscape becomes more sophisticated and as more data becomes readily available.

“For many companies, there’s simply too much at stake; the cost required to fully recover from a cyber event is enough to put many out of business,” said Tim Francis, enterprise cyber lead, Travelers. “The resources that come with certain cyber insurance policies—cyber-readiness assessment tests capable of identifying exposures, access to a breach coach and forensics experts to help respond to a cyberattack, for instance—can be critical to ensuring a company’s survival in the wake of a crippling cyber event.”

Jackie Collins, senior director, VP, hospitality practice, Arthur J. Gallagher & Co., said that cyber insurance covers a range of online attacks and losses.

“Coverage can be purchased for not only third-party damages but first-party losses as well,” Collins said. “Costs associated with third-party settlements, legal expenses, PCI fines, loss of income, breach notifications and credit monitoring can all be included in coverage. Coverage is also available for expenses associated with extortion and fraudulent instruction.”

She said new endorsements are also being added to policies to address invoice manipulation, crypto-jacking, bricking and voluntary shutdown.

In an industry like hospitality—one that requires personal information via online reservation systems—these attacks are that much more prevalent.

Collins said that the industry is unique because many hoteliers work with franchisors and third-party management companies, and their data is housed in the franchisor’s reservation system; however, the hotel owner also has exposure through point-of-sale systems.

“In the case of hotels, almost all allow customers to make reservations online, and many require an individual’s personal information—along with a credit-card number—to complete a booking,” Francis said. “If customers are trusting a hotel enough to provide such personal and financial details, they expect that sensitive information will not become compromised.”

Cyber liability insurance is a response to this exposure to data breaches and hacks, helping to cover claims regarding network security, privacy of both customers’ and employees’ data, business interruption, media liability and more, according to Chris Larson, underwriter, Distinguished Programs.

“The larger in size and more data stored, the more vulnerable the business is,” Larson added. “There are many cyber threats that one may not think of where cyber insurance would be extremely valuable in helping to handle and respond to these incidents—cyber insurance will help not just if data is breached and stolen, but many cyber insurance policies will cover eCrime (also known as social engineering) which would include funds transfer fraud, cyber extortion, etc.”

Obtaining cyber insurance is relatively easy. With an insurance policy already in place, typically, a hotel can add on cyber coverage to its existing insurance package.

“Work with an insurance broker who understands your operations and the exposures presented as well as the nuances of cyber insurance and the exposures covered,” Collins recommended. “The insurance broker will work with the owner to complete a cyber application. Having a cybersecurity program, including a data recovery program, in place is key to obtaining the best coverage and pricing. Don’t just rely on protections provided by a third-party vendor. Third-party vendors transfer exposure to the owner by way of contract, and liability follows the owner of the merchant identification number.”

Francis recommends seeking input from the company’s IT leadership because they have knowledge of the property’s computer network and operating systems.

“They should be able to explain what might be needed to protect everything,” Francis said.

Hospitality is an attractive target for hackers not only because customers supply hotels with personal information online, but because many properties offer customers a free WiFi network and complete a high volume of credit-card transactions.

“This exposure and vulnerability are increased even further due to hotels often having rewards programs where customers can log in online to manage. These programs offer even more stored information that hackers may be interested in stealing,” Larson said.

Francis said that if a hotel falls victim to a cyberattack, it may need to notify customers of the breach and provide credit monitoring for those impacted, and it may be responsible for the cost of repairing the damage from the cyber event and any resulting reputational harm.

Social engineering scams are also a threat, in which a cybercriminal poses as a legitimate individual within the company in order to convince an employee to send company funds to a fraudulent account.

“The cyber landscape is always evolving, but a company can protect itself by staying up to date on current cyber threats, communicating the importance of smart business practices with all employees and addressing any known exposures through a risk management program,” Francis said.

Other major cyber risks include cyber extortion and email phishing, which Larson called an easy and cost-effective way for criminals to obtain information and access company computer systems.

“It can be very difficult to handle the situation of your business’s systems being locked down by a criminal asking for money to restore them,” Larson said. “The best way to prepare would be to make sure they have a cyber liability policy in place that offers 24/7 claims service, as well as making sure to keep all employees trained on common cyber threats such as phishing, and just making sure employees generally have good password management.”

Collins suggested that owners and operators buy policies that provide a suite of pre-breach response services, preparing clients to avoid exposures. She also recommended offering ongoing employee training to teach the best courses of action to mitigate losses.

“Hotels have not had sufficient data controls in place to protect their systems and private information,” Collins said. “Hotel owners have relied on third-party management companies, third-party vendors and franchisors to provide protection from breaches, and that has not always played out as the owner expected. What has been learned is that the owner, the management company and the franchisor must all purchase their own coverage in order to be fully covered. Even though the information may be stored in a third-party system, the owner is still responsible for the data.”