Source: Hotel Mogel Consulting Limited

It is a hotelier's worst nightmare – the theft or loss of guest records. Recall the data security failure at Target Stores HQ or the more recent challenges being faced by Sabre Corporation on their SynXis booking system. Now, imagine that this happened to your IT system. How would you explain this to your past guests? What steps would you take to remedy this situation, and at what cost?

The simple fact is that when it comes to cyber security, no one can claim to be 100%, ironclad safe insofar as protection of data. If it is not hackers then it could be an internal breach from, say, a disgruntled employee. As a general manager, it is your responsibility to your guests as well as to your owners to take both the appropriate precautionary steps in protecting data, but also to consider means of mitigating damages to the company in the event of a loss.

I recently had an opportunity to discuss the issue of cyber liability insurance with Bobby Horn, an associate director at Crystal & Company, a national insurance brokerage with significant experience in the hotel sector. While his responsibilities encompassed a much broader field, I wanted to drill down on the specifics of cyber insurance.

"It used to be property liability that was the primary issue for hoteliers. Nowadays, cyber liability is equally important," said Mr. Horn. "And remember, the injured party is not going after your third-party partner (often not transparent to the guest), but after you."

He notes that no two policies are alike. He recommends that when considering a cyber liability policy, you should look at the following aspects:

  • Liability coverage for items such as virus transfer, unauthorized data access, unauthorized use, network security and loss of information/data
  • Media liability for such items as loss of electronic media and trademark infringement
  • First-party costs for business interruption and data restoration, cyber extortion (such as ransomware), forensic analysis and research
  • Breach response including legal council, crisis management, public relations, social media response and potential credit issues

In calculating the policy costs, underwriters will consider total property revenue, how much data you are storing, credit card transactions, and third-party programs, all in addition to the existing security protocols that you may already have in place. Mr. Horn added that the underwriters are getting more proficient at managing these policies as they gain further experience with the risk management issues.

So, should you consider this type of coverage? Given the recent coverage garnered by SynXis and Target, the profile of cyber security is at an all time high. The good news is that coverage costs are not onerous. As a very rough ballpark, Mr. Horn suggested that a 200 room, $30 million annual revenue, $1 million policy with a $50,000 deductible limit would result in an annual premium in the range of $10,000 to $15,000. He estimates that about one third of domestic hotels currently have this coverage. If you do not have cyber liability coverage, perhaps now is the time to ask your insurance broker to consider this addition to your policy. Given all that's happened of late, I certainly would!

(Article by Larry Mogelonsky, originally published in HotelsMag on August 8, 2017)

Larry Mogelonsky
Hotel Mogel Consulting Limited