The ABI said the latest incident highlights how vital cyber insurance is for all firms

Cyber insurers are looking at opportunities from what could be the biggest single cyber incident on record.

The Marriott International data breach saw its hotel guest database stolen - affecting 500 million customers who made reservations, spanning the UK, US and Canada.

Marriott has ramped up its security measures in response and a spokesperson told Insurance Times the “company carries insurance including cyber insurance, commensurate with its size and the nature of its operations.”

Cyber insurers are expecting the incident to be the most expensive so far on record, with overall claim payouts potentially reaching $300m, according to the Insurance Insider.

But some commentators have suggested the high-profile incident could pick up the pace of cyber insurance uptake.


Clive O’Connell, partner and head of insurance and reinsurance at McCarthy Denning, said that because cyber cover is “relatively new, with each loss that occurs, people are getting an idea of claims scenarios that insurers are protecting against.”

And as there are “more vagaries in cyber” due to this newness, he explained three reasons why each cyber attack, although devastating, is also informative.

Firstly, he said that it gives a “broader understanding of the nature of claims”, secondly “both clients and insurers are made more aware of the need for it” and lastly it assists the accuracy of “risk ratings” to ascertain whether a risk is worth taking on.

He gave the example of silent cyber, where the policy contains no reference to the protection, but cover is still given for the loss if an attack occurs.

John Pennick, chair at BIBA Cyber Working Group and divisional director at Berkeley Insurance Group, agreed that an attack of this scale highlights the need to ensure “adequate cyber insurance is in force to respond quickly and effectively to mitigate its potentially disastrous effects.”

“Marriott may yet face a substantial number of third party liability claims from affected parties and regulatory investigations. In the meantime, a great deal of expense will no doubt have already gone towards IT forensic and rectification work, notifying customers and dealing with the ongoing public relations situation.”

He pointed out that not all policies offered the same breadth of cover, adding that “a policy’s indemnity limit also needs to be adequate to cover all costs, losses and liabilities over the lifespan of the claim.”

As cyber risk is now a great concern to most businesses, BIBA is concerned that some policies offering cyber cover are not providing effective protection. To address this, the firm is working on raising cover expectations in the market so that our members can confidently advise and protect their clients.

A spokesperson from the ABI added: “This latest incident further highlights how vital it is for all firms, regardless of their size, to do all they can to protect against the cyber threat and to consider the value of having cyber insurance protection. Whatever the size of any cyber breach, it can have a devastating impact on any business.”

What happened?

On 8 September this year, the Marriott was alerted by an internal security tool about an “attempt to access the Starwood guest reservation database in the US”.

It recently discovered in November, through ongoing investigations, that an “unauthorised party had copied and encrypted information” and it took steps towards removing it.

For 327 million of these guests, the information included their names, postal addresses, phone numbers, email addresses, passport numbers, date of birth, arrival, departure, reservation data and communication preferences.

And for some it includes credit or debit card information, but card numbers were encrypted.

The company is still in the process of identifying duplicate data.

In response Marriott president and chief executive Arne Sorenson said that he is “devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements” to its network.

The Marriott has also taken measures to support guests online and via its call centre, as well as sending email notifications to those affected. A webchat watcher has also been provided for free for a year.

Colossal scale

Adam French, consumer rights expert at Which?, said that the data breach is on a “colossal scale” and it will be of great concern to Marriott customers.

He said: “It is vital that Marriott provides clear information on what has happened and helps anyone who has been negatively impacted.”

He urged those affected to change their online passwords and to monitor their bank accounts and online accounts.

“Anyone worried they could be affected should consider changing their online passwords, monitor bank and other online accounts as well as their credit report to guard against potential identity fraud. Also, be wary of emails regarding the breach, as scammers may try and take advantage of it.”


In a statement released last Friday, Sorenson said: “Today Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center.”

He said that the firm will continue to work with security experts to improve.

The hotel has also issued an apology, which said: “We deeply regret this incident happened.

“We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward.”


In August Superdrug was held to ransom by hackers with information on a ledger of 20,000 of its customers. 

Earlier in November the World Economic Forum (WEF) named cyber attack as the “most dangerous risk” for UK businesses. 

And RPC, a professional services firm offering legal and consultancy advice, said that cyber-related crimes were estimated at 1.7m in the UK during 2017.

The rate of computer hacking prosecutions has fallen for a second successive year in 2017, reveals insurance law firm RPC.