Cyberattacks. It’s a word that sends shivers down the spine of IT personnel and executives into a panic. Large and small companies are not immune to them. The most recent one that will come to mind is the ransomware attack on the Colonial Pipeline, in which hackers shut down the largest fuel pipeline in the U.S., until a $5 million ransom was paid.
Hotel companies are not immune to cyberattacks. All of the major brand companies have had data breaches in the last decade. And if hackers can gain access to both Marriott’s and Hilton’s databases, no company or property is invulnerable.
Justin Reese, executive risk management consultant, Insurance Office of America, knows all about cyberattacks. He has worked in risk management for a number of companies, as well as the U.S. Army Space and Missile Defense Command.
He pointed out the different types of cyberattacks that could target hotels. The most basic one is a phishing scam, where someone at the property could receive an email like, “If you don’t send us this information within 30 minutes, your email password will expire. Click here to reply.”
“Don’t do it; don’t click on anything,” Reese cautioned. “If it is clicked, it usually takes over the email account, and the hackers can send out an email pretending to be you. Let’s say a hacker hacked into the email of the hotel’s general manager, who clicked on the link. The hacker now has access and sends an email to the controller or CFO asking to wire $50,000 to Bob’s Cleaners for housekeeping. It looks legit, except the link actually goes to the hacker’s bank account.”
Another one is ransomware, where hackers take over the hotel’s system and won’t release it unless a sum of money is paid.
“A hotel is going to pay out because the hackers may have blocked the point-of-sale (POS) system or locked the rooms,” said Reese. “They’ll say, ‘We’ve locked all your guests in their rooms. If you want to let them out, you have to pay me money and I’ll unlock them.’ Stuff like that has happened, and it’s usually relatively benign. While it’s advised that the hotel not pay the ransom—usually for something like that, the hotel is going to pay it because people are locked in their rooms and they have to be let out.”
There’s also the distributed denial of service (DDoS) attack, where hackers shut down your safety systems, or they can activate them. “They can come in and say, ‘We’re going to turn off your sprinklers or set off the alarms,’’’ noted Reese. “They can hijack your cameras and they’ll say, ‘We’ve filmed people, and we’re going to put that information out there.’ You do not want any of your hotel systems to be compromised.”
Data breaches are a main concern for hotels, especially in the wake of those at the brand companies.
“Everybody thinks about the POS system,” Reese pointed out. “Someone will hack into the credit-card system and he now has all your credit-card numbers. There’s usually a weakness there and it’s almost always human. Someone leaves the system open or leaves credit cards out.”
He added about guest data, “Everything is stored in your app—your points, your status, your number of nights. It has a credit card tied to it, and it stores your birthday because the concierge wants to know when you get there that it’s your birthday. You can open your guestroom door, order drinks at the bar and other things. So, all that information is readily available. The more that you secure that data, the better off you are.”
There can also be cybersecurity concerns about remote workers who are connecting to the hotel’s network.
“There are companies that went from 100% in-person to 100% remote, so if you didn’t have that IT contingency in place ahead of time, that’s big trouble,” said Reese. “Your home security is not going to be as tight as when you’re at the office or hotel. When you’re at home, you may allow someone to use their personal computer or phone [on your WiFi network]. So, the key is: If [the remote worker] is going to use a device for work, you need to implement or have them implement the same security protocols that you would as if you own that piece of equipment.”
Don’t forget about cyber insurance
Another layer of protection for a hotel is a cyber insurance policy. A hotelier may not think it is needed, noted Reese, but “the prudent thing to do [as an insurance broker] is to provide a cyber quote to anybody you do business with and make them decide whether they want it or not. I have pool contractor clients, and they’re like, ‘I don’t need cyber.’ I reply, ‘Yeah, you do, because you use tablets, right?’”
There are two types of cyber policies. First-party cyber insurance covers damage to your system, and third-party coverage—which is going to cost more, Reese noted—is going to be a little more complex.
“That third party is the number of lawsuits caused by a breach on your systems,” he said. “That’s where somebody comes in, hacks your system and gets all the credit card information.”
He offered some advice to those looking to add cyber coverage: “The biggest things are having adequate limits for your business, understanding whether you need first or third—most people do both first and third—and understanding that it’s not covered in your standard [general liability policy]. It’s usually a standalone, or it comes through a tech E&O [errors & omissions] policy that has it built in, but you really need to understand the forms.”
Reese added, “A standalone cyber policy is going to have better terms, it’s going to have better coverage and, sometimes, it’ll come along with cybersecurity breach—post-breach or even pre-breach—counseling and forensic review. So, really just make sure you’ve definitely had that conversation.”