Hotels and resorts hold significant cyber liabilities because of the nature of their business. They handle huge amounts of personally identifiable and other sensitive information, including names, dates of birth, passport details, occupations, and debit or credit card details – and that’s just the extensive privacy exposures they face.
Like many businesses today, hotels and resorts operate primarily through computer networks. Room keys, smart elevators, air ventilation and security systems are all computerized. If a system goes down, or there’s a network security compromise, that could lead to significant financial losses, business interruption, and possibly even physical injury or property damage.
“There’s a common misconception that cyber liability always includes a bad actor and data breach, but that’s not the case. There are two key components to cyber risk: privacy and network security. The hotel industry faces both exposures intertwined and independently,” commented Shiraz Saeed, national practice leader, cyber risk, Starr Companies.
“What makes cyber liability unique in today’s hotel industry is the scale of potential third-party involvement,” Saeed told Insurance Business. “How often do people book directly with a hotel versus going through a third-party booking site or independent agent? These third-party entities add complexity to the insurance equation, especially when it comes to the privacy component of cyber. If private information is compromised at the hotel level, this is categorized as a first-party loss. But if data is lost by the booking site or travel agent, it becomes a third-party cyber claim.”
Things become even more complicated when an insurer or broker considers who owns the hotel, who owns the building the hotel is in, whether there’s a franchised brand name associated with the hotel, and who’s managing it. All these nuances affect who holds the cyber policy and what type of claims (first- or third-party) are submitted.
The complexity continues when hotel businesses consider what type of cyber liability coverage to pursue. A bespoke cyber insurance policy is probably the best bet, but there are opportunities to gain elements of cyber coverage through different insurance products, such as property, directors & officers, and employment practices liability.
Saeed commented: “The key difference between a traditional cyber policy and an alternate policy with elements of cyber coverage is whether there’s coverage for physical versus non-physical damage as a result of a cyber incident. Non-physical damage traditionally falls within the reach of a bespoke cyber policy. It can also be covered by D&O insurance if, for example, a hotel franchise is accused of poor or misleading communication around a cyber event. EPLI coverage can also come into play if employee information is compromised resulting in a breach of contract.
“Where bespoke cyber policies can fall short is when there’s physical damage to property as a result of a cyber incident. However, most property risk policies today include coverage for cyber-related exposures, including physical damage to equipment caused by a hacking event. What’s new is that these property policies now overlap with cyber policies and cover non-physical computer damage as well, such as business interruption losses caused by a cyberattack, and electronic data recovery.”
So, as well as navigating first- and third-party cyber insurance nuances, hotels and resorts must also consider protection for physical and non-physical damages from cyber-related incidents. They must construct a comprehensive risk management program and purchase a mesh of policies to cover all bases.
“It’s complicated and there are lots of moving parts to it,” Saeed added. “Bespoke cyber coverage can be tailored to offer additional benefits to insureds including incident investigation, public relations and legal services. You typically don’t get that in other policies like property insurance.”