I recently attended the Americas Lodging Investment Summit (ALIS) Summer Update in Boston, which provided networking and insights for the hotel investment community across America. During the presentation I came across a number of key takeaways when considering risk management in the hospitality industry. In particular, cyber risk was one of the hot topics of the convention.
The risks from a DDoS (Distributed Denial of Service) attack or ransomware attacks (methods by which an attacker would ‘shut down’ online business) are gaining the attention of the hospitality industry. The average loss in productivity and sales, according to a 2014 study by the firm Accenture, was in excess of $600,000 USD. Cyber security experts advise engaging multiple DNS providers; however, this approach is only likely to lessen the impact of a DDoS attack.
Although large chains and corporations are the most lucrative targets, they also spend heavily on security and network infrastructure to safeguard against these threats. Small and medium-sized businesses (SMBs) present a “softer” target, which is increasingly being exploited by hackers. As detailed in the SonicWall 2017 Annual Threat Report, there has been an exponential increase in the number of advanced threats via ransomware, from nearly 4 million attack attempts in 2015 to 638 million in 2016, a 167x year-over-year increase. According to SonicWall, attacks were typically delivered by phishing campaigns and hidden from detection using SSL/TLS encryption. Yet, despite the near-daily occurrence of these attacks, most SMB executives remain ambivalent about the true danger posed by cyberattacks.
Further complicating the matter, there is much confusion about how “business interruption” coverage applies in these cases. This often leads business owners to underestimate their total exposure to uncovered loss.
Cyber policies are not standardized, so each may have different exclusions and endorsements. Because these policies are not written on a “standard form”, there is no consistency in the endorsements or exclusions, and two policies that appear to use a similar form may come with different provisions. For example, some policies offer ransomware coverage while others do not, and not all cyber policies include the use of bitcoin (the most commonly demanded currency for these types of ransoms).
Without a customized cyber insurance program, companies may be on the hook for business interruption losses, system remediation costs and any number of potential liabilities resulting from an attack. For small to medium-sized corporations in the hospitality industry and beyond, this could be a catastrophic scenario. Buying an ‘off the shelf’ cyber policy isn’t enough; careful attention must be paid to sub-limits, endorsements and definitions. To discuss this more, please contact me at firstname.lastname@example.org or by phone at 484 581 2813.