Information technology (IT) is a crucial and ever-growing facet of modern business. Any modern business is required to store and handle its customers’ data to provide competitive services. However, this data must be stored securely to prevent it from falling into the hands of unauthorized third parties. The damage from such a data breach can be immense, reaching billions of dollars, harming the customers whose data can be exploited, and causing the company indirect harm to its reputation. In the hospitality industry, this is particularly relevant due to the personal nature of guests’ data.
A recent audit at Padgett-Beale Inc. (PBI) has revealed that the company’s cybersecurity policies are inadequate and that the company is completely unprepared to face a data breach. Because of this, CyberOne Business and Casualty Insurance, Ltd, the insurance company, has refused to renew PBI’s cyber insurance policy unless specific steps are taken to address this issue. As mentioned above, a data breach can cause immense and long-lasting losses, as it can remain undetected for years (Burke, 2020). However, even the best measures for preventing a breach can prove ineffective, and, therefore, a cyber insurance policy can help mitigate the damages.
Cyber insurance protects a company in case of a data breach. Cyber insurance firms audit a company’s cybersecurity policies and measures and offer protection against damages and litigation in case these measures fail. Their services include covering an organization’s network security, as well as protection from liability in case of customer and employee data leaks and reputational damage resulting from data breaches (Burke, 2020). The recent data breach at Starwood Hotels, a subsidiary of Marriott International, presents a strong example of the damages that a data breach can cause in the hospitality industry. This example serves as compelling evidence that PBI should not take its cybersecurity and cyber insurance lightly and should improve its policies in order to renew its cyber insurance policy with CyberOne.
The Marriott International data breach is an incident that lasted four years and led to significant losses for the company. The breach involved a fault in the hotel chain’s reservation system, which exposed the personal data of any guest who made a reservation at any of the Starwood brand properties (Gressin, 2018). The breach was only detected, disclosed, and fixed in 2018, and it affected an estimated 500 million guests (Nohe, 2019). The data compromised by the breach allows one to build full profiles of the guests, which can then be used for a variety of attacks. The compromised data includes guests’ full names, mailing and email addresses, phone and passport numbers, Starwood Preferred Guest information, birthdates, genders, and arrival/departure times (Nohe, 2019). The nature of this data, the duration over which the breach was accessible, and the number of people affected make this the second-biggest data breach (Nohe, 2019). This illustrates the scale of damage a data breach can cause.
The losses incurred through the liabilities and penalties related to the breach are estimated to be in the billions. Marriott’s news center mentions a £99,200,396 fine against the company from the UK’s Information Commissioner’s Office (ICO) (Marriott International News Center, 2018). The ICO elaborates that this fine relates to the hotel chain’s violation of the General Data Protection Regulation (GDPR), a major piece of legislation concerning an organization’s accountability for any personal data it holds (Information Commissioner’s Office [ICO], 2019). This fine was ultimately lowered to £18.4 million after Marriott’s actions to improve its cybersecurity measures (BBC, 2020). Other sources mention $28 million in expenses and $25 million of insurance proceeds related to this incident (Nohe, 2019). Other sources point to $200 million in fines and settlements (Clark, 2018). Fortunately for Marriott, the company’s cyber insurance was able to mitigate a significant portion of the losses (Nohe, 2019). Nonetheless, the total fines and liability for the company exceed $250 million.
According to experts and government agencies investigating the incident, Marriott International was responsible not only for allowing the breach to happen but also for its inadequate response to it. The data breach started on an unknown date in 2014, before Starwood was acquired by Marriott (Krebs on Security, 2018). A possibly unrelated breach was disclosed by Starwood in 2015, shortly after the acquisition (Krebs on Security, 2018). The ICO (2019) points out that, as the breach had occurred before the acquisition, Marriott failed to carry out due diligence by investigating Starwood’s cybersecurity policies and measures during the process. Moreover, Marriott failed to respond to the breach in a timely or effective manner. Two months elapsed between the company detecting the breach and disclosing it, which potentially violates SEC reporting timeframes (Nohe, 2019). This delay is likely a further indication of inadequate security controls within the organization (Nohe, 2019). Finally, this example is particularly pertinent to PBI, as it also shows the consequences of lacking a plan to address data breaches.
Marriott’s procedure for the acquisition of Starwood should have included a thorough investigation into the acquired company’s existing cybersecurity measures and, if possible, detected the breach sooner. The company should also have developed stronger cybersecurity policies and plans to detect, eliminate, disclose, and otherwise respond to the breach as early as possible. Finally, Marriott International should have worked closely with its cyber insurance providers and cybersecurity experts to ensure adequate measures and response plans were in place.
Best Practices Review
Experts suggest best practices a company’s leadership can follow to minimize the risk of data breaches as well as to improve its response when such breaches occur. A regular, rigorous evaluation process must be implemented that includes stress testing of the company’s various IT components (Hanniford, 2021). This will help uncover security risks and potential security losses, which should be incorporated into the company’s policies and response plans (Hanniford, 2021). Based on this information, PBI should draft and maintain an incident response roadmap, a policy describing potential data breach scenarios and the appropriate response to each of them (Woodruff-Sawyer & Co, 2019). This policy should specifically outline the people and organizations who must be involved in each scenario and the other appropriate steps in the response (Woodruff-Sawyer & Co, 2019). Ultimately, cybersecurity and insurance policies must be based on the company’s actual situation and its processes for data collection, storage, and handling, and must be constantly updated to account for new and emerging threats.
The company’s employees should be educated in matters of cybersecurity to prevent them from unwittingly creating security threats or breaches (Hanniford, 2021). Furthermore, employee education will allow employees to assist with the detection and identification of potential security threats and breaches. Specifically, as the Starwood breach may have started with a phishing attack, particular emphasis should be placed on training employees to recognize phishing and social engineering attacks (Nohe, 2019). Similarly, as cybersecurity is a rapidly developing field and cyber insurance is still emerging, formulating strong cybersecurity policies and plans requires specialized expertise. Therefore, personnel trained in these areas, supplemented if necessary with external consultants, are a necessity for any large organization (Hanniford, 2021). Cybersecurity specialists are required to identify and prevent threats while also guiding new cybersecurity plans and policies, and education in these matters among staff helps ensure compliance with those plans and policies.
Technological measures are another facet of cybersecurity that will likely be examined in a cyber insurance audit. Security software, such as antivirus, should be maintained and kept up to date, and security best practices should be enforced. These practices include choosing and regularly updating secure passwords for employees, using multi-factor authentication where appropriate, and controlling access and logging any unauthorized access attempts (Farnham, 2021). These measures make data breaches, both intentional and unintentional, harder to cause.
Cybersecurity is a necessary consideration for any company that handles its customers’ data. Experts agree that suffering a data breach is inevitable despite the best efforts to implement security measures. Thus, cyber insurance can be a significant asset in mitigating any losses such a breach can cause. The case of the Marriott International/Starwood breach provides compelling evidence for PBI to update its cybersecurity policies and plans and renew its cyber insurance policy. To that end, the company’s leadership should follow best practices, which include employee education and training, preparing comprehensive security and breach response plans, and employing technological security measures. Cyber insurance will reduce the likelihood that PBI suffers a data breach soon and will mitigate some or all of the damages, including reputational damage, when one occurs.
Burke, D. (2020). Cyber 101: Understand the basics of cyber liability insurance. Woodruff Sawyer.
Clark, P. (2018). Marriott Starwood data breach highlights silent cyber risk in acquisitions. Insurance Journal.
Farnham, K. (2021). Cybersecurity best practices for 2021. Diligent Insight.
Gressin, S. (2018). The Marriott data breach. Federal Trade Commission Consumer Information.
Hanniford, K. (2021). NYDFS issues best practices for cyber insurance risk management. Alston & Bird.
Information Commissioner’s Office (2019). Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach.
Krebs on Security (2020). Marriott: Data on 500 million guests stolen in 4-year breach.
Marriott International News Center (2018). Marriott International update on Starwood reservation database security incident.
Nohe, P. (2019). Autopsying the Marriott data breach: This is why insurance matters. Hashedout.
Woodruff-Sawyer & Co. (2019). Guide to cyber liability insurance.