The complexities of cyber liability in the hotel industry…
Compiled by Insurance24
HARARE, Hotels and resorts hold significant cyber liabilities because of the nature of their business. They handle huge amounts of personally identifiable and other sensitive information, including names, dates of birth, passport details, occupations, as well as debit or credit card details – and that’s just the extensive privacy exposures they face.
Like many businesses today, hotels and resorts operate primarily through computer networks. Room keys, smart elevators, air ventilation and security systems are all computerized. If a system goes down, or there’s a network security compromise, that could lead to significant financial losses, business interruption, and possibly even physical injury or property damage.
“There’s a common misconception that cyber liability always includes a bad actor and data breach, but that’s not the case. There are two key components to cyber risk: privacy and network security. The hotel industry faces both exposures intertwined and independently,” commented Shiraz Saeed, national practice leader, cyber risk, Starr Companies.
“What makes cyber liability unique in today’s hotel industry is the scale of potential third-party involvement,” Saeed told Insurance Business. “How often do people book directly with a hotel versus going through a third-party booking site or independent agent? These third-party entities add complexity to the insurance equation, especially when it comes to the privacy component of cyber. If private information is compromised at the hotel level, this is categorized as a first-party loss. But if data is lost by the booking site or travel agent, it becomes a third-party cyber claim.”
Things become even more complicated when an insurer or broker considers who owns the hotel, who owns the building the hotel is in, whether there’s a franchised brand name associated with the hotel, and who’s managing it. All these nuances impact who holds the cyber policy and what type of claims (first or third-party) are submitted.
The complexity continues when hotel businesses consider what type of cyber liability coverage to pursue. A bespoke cyber insurance policy is probably the best bet, but there are opportunities to gain elements of cyber coverage through different insurance products, such as property, directors & officers, and employment practices liability.
Saeed commented: “The key difference between a traditional cyber policy and an alternate policy with elements of cyber coverage is whether there’s coverage for physical versus non-physical damage as a result of a cyber incident. Non-physical damage traditionally falls within the reach of a bespoke cyber policy. It can also be covered by D&O insurance if, for example, a hotel franchise is accused of poor or misleading communication around a cyber event. EPLI coverage can also come into play if employee information is compromised resulting in a breach of contract.
“Where bespoke cyber policies can fall short is when there’s physical damage to property as a result of a cyber incident. However, most property risk policies today include coverage for cyber-related exposures, including physical damage to equipment caused by a hacking event. What’s new is that these property policies now overlap with cyber policies and cover non-physical computer damage as well, such as business interruption losses caused by a cyberattack, and electronic data recovery.”
So, as well as navigating first and third-party cyber insurance nuances, hotels and resorts must also consider protection for physical and non-physical damages from cyber-related incidents. They must construct a comprehensive risk management program and purchase a mesh of policies to cover all bases.
“It’s complicated and there are lots of moving parts to it,” Saeed added. “Bespoke cyber coverage can be tailored to offer additional benefits to insureds including incident investigation, public relations and legal services. You typically don’t get that in other policies like property insurance.”
Marsh subsidiary enters into strategic alliance with global hospitality advisory firm
By Insurance24
HARARE, Marsh & McLennan Agency (MMA), a subsidiary of Marsh, has entered into a strategic alliance with the global hospitality advisory firm AETHOS Consulting Group.
A release explained that, through the partnership, both MMA and AETHOS plan to offer hospitality industry-specific resources and solutions, particularly in the areas of executive and employee benefits, as well as safety and risk management.
“This relationship is exciting on several fronts; first and foremost, we always strive to deliver expertise that enhances our value proposition and the client experience. We have found in MMA, a world-class organization that provides extraordinary solutions,” said AETHOS Consulting Group managing director David Mansbach.
Mansbach added that the hospitality industry’s decision makers will greatly appreciate MMA’s “transparent and consultative style” when it comes to insurance.
“AETHOS’s top-notch leadership, client-centric culture and excellent reputation is a terrific addition to MMA’s capabilities and resources. I look forward to working with the AETHOS team to fulfil our vision of delivering unrivaled resources and solutions for our clients,” commented MMA northeast region CEO Anthony Gruppo.
InsuranceBusinessAmerica