Originally published on CyberInquirer.
In a prior post ( here), we discussed the frequency of cyber thefts in the hospitality industry in 2009. We have a decent idea of how many of you read that article. For those of you who haven't, here's my topic sentence: "38% of the credit card hacking events in 2009 involved the hospitality industry." Yep. 38%.
And guess what? The hospitality industry remained a high-level target in 2010. Alright, if you're connected to the hospitality industry, you probably knew that already. But what you might not realize is that you're not out of the clear. And, things may be getting worse as the frequency of cyber criminality grows, and as the perpetrators become more sophisticated and cyber attacks propagate (more on that below).
Having a keen academic interest in broking, underwriting and marketing, I am interested in knowing the percentages of hospitality industry companies that do — and don't — have cyber/tech/privacy insurance. Not who has been attacked, mind you, but who does and doesn't have insurance, and the percentage increases over time. I'm sure that such a report exists, but to date, I haven't seen it perhaps someone else has. In the meantime, I'm very much looking forward to the 2011 statistics.We'll probably have to wait a few months for the numbers crunchers to figure it out. But my (only semi-educated) guess is that while more and more companies are purchasing these insurance products, the percentage of those who have bought them is less than you think.
On the other hand, what has been published is the 2011 Global Security report issued by Trustwave Spider Labs which has been posted on-line by our good friends at Immersion. In that highly-informative 59 page survey, Spider Labs has this to say:
"While a reduction of breaches within the hospitality industry was observed from the prior year, hospitality businesses should remain on high alert. At this time, it appears that the organized crime group responsible for the majority of hospitality breaches in 2009 expanded their target list. Instead of focusing exclusively on the hospitality industry, this group became active within the food and beverage and retail markets as well. Evidence suggests this single organized crime group was responsible for 36% of all data breaches investigated by SpiderLabs in 2010."
Read again what Spider Labs has said: "while a reduction of breaches within the hospitality industry was observed from the prior year, hospitality businesses should remain on high alert."
But they didn't stop there. Here's more:
"Propagation
In 16% of cases, the attacker was able to propagate to additional physically dispersed targets through site-to-site internal network connections, such as MPLS. Though the hospitality industry was less represented this year, additional franchised industries experienced similar propagation techniques by attackers resulting in large-scale data breaches affecting multiple locations.
In these cases, many of these multi-location breaches were recently "upgraded" to fully shared connectivity across locations resulting in criminals being able to access many locations at once. Perhaps this was just an oversight in planning by corporate entity IT or security staff; however, a few hours of additional analysis and planning to develop simple network access rules could have prevented this type of propagation."
Think about it. What Spider Labs is saying that if a hacker intrudes one of a number of connected or semi-connected hotels or other hospitality operations, they might have the key to all of them. No longer is each property limited to its own problems. The problem faced by one location should become the problem faced each and every location. In the wink of her eye. (for those who remember, a special shout-out to The Sweet's classic ode, Ballroom Blitz).
What's more, hotels now can obtain coverage to protect themselves against bad PR. Indeed, at least one London market insurer is selling hotel reputation insurance with limits in excess of $25 million which are intended to provide crisis management and lost revenues coverage.
The upshot of all of this is that Risk Managers, brokers and underwriters around the world need to get together to discuss risks, solutions and insurance. Perhaps with a cyber lawyer present? I'm happy to host such a meeting at one of our global offices if it would make sense for all. But regardless of who, what where, when or how (see, Mom, I DID pay attention during broadcast journalism classes at B.U.), such meetings need to take place at or even well before renewal time. The risks and costs are too great. The bad guys are numerous, spirited, and way too sophisticated. Premiums are reasonable. Most underwriters I know are too. As are the retailers and wholesalers who regularly play in this space. Let's all get together and put a risk management plan together. If you're a public company, its almost imperative that you do so in light of the recent SEC Guidance published on October 13 (which we discuss here).
In closing, hospitality industry Risk Managers, brokers and underwriters, we'll summarize in four iconic lyrics: "Hey ho, let's go". (RIP, Johnny, Joey and Dee Dee).
www.cozen.comThe content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
