The hospitality industry took some of the biggest economic hits during the devastating COVID-19 pandemic. For nearly two years, worldwide travel was highly restricted and not too many people were seeking lodging or dining out. Even as the world reopens and people return to traveling again, hoteliers are still reeling from the effects the pandemic had on their businesses, staff, and guests.
It seems the only business that didn’t come to a grinding halt during the pandemic was cybercrime. According to RansomwareClock.org, a business is hit by a cyber attack every 11 seconds, and hotels are particularly vulnerable, notes Pasich LLP attorney Peter Halprin, who represents commercial insurance policyholders with a focus on recovery strategies from cyber breaches and cybercrimes. “Hotels have tremendous amounts of private data. They have your credit card information, they might have your passport,” Halprin says. “They’re recording people’s preferences. They have employees, who in turn have employee records and files.”
The vast amount of data that hotels collect makes them a potential target for ransomware and malware attacks, which is why Halprin is urging hoteliers to consider getting a cyber insurance policy. Cyber insurance, he explains, is a financial product that helps businesses deal with the consequences if there is an attack. However, getting a policy is becoming more difficult as more attacks are happening. Before even considering a policy, all businesses must prove they have security measures in place to protect them from a cyber attack. “Because there have been so many ransomware attacks, the underwriting criteria is getting more stringent,” Halprin says. “[Underwriters] will ask, ‘What are the cyber security measures you have in place?’ It’s almost circular. They say you need to be a safe enough risk to have the chance to be protected if something goes wrong. If you’re not safe enough, they’re not going to bother,” he explains. “It does put the onus on businesses. They can’t just slough everything off and say we’ve got a cyber policy, we’ll be fine. They need to be up to standard so they can go get that insurance.”
Before shopping for a cyber policy, Halprin urges hoteliers to invest in cyber hygiene, security, and incident-response planning. It’s best, he explains, if businesses integrate their cyber security efforts with their insurance efforts. Cyber hygiene includes training employees to not open suspicious emails that could actually be links to help hackers get into a hotel’s system. It also includes using multi-factor authentication, which ensures more protection against hackers in case a laptop or smartphone is lost or stolen.
Businesses also need strong internal policies when it comes to accessing information and devices as well as an incident-response plan, Halprin says. “You need to know what steps to take, who to contact, and how to game-plan one of these attacks,” he says. “Then you have to test your plan. You see how your plan went, learn from what you did wrong, and you adapt your plan so that it’s better for next time. Then you test it again.”
Cyber insurance is a new market with many variations in what a policy can do. Essentially, there are two kinds of protection: first party and third party. First-party protection covers direct losses from a cyber-attack such as expenses incurred in a ransomware attack where cyber criminals shut down a business’s computer systems and/or steal private data and demand money to let a business back into their own system. Third-party protection covers a business when others file legal action against them. An example would be after guest credit card information is stolen and sold on the dark web.
Ransomware payments have gone up over time, Halprin says, adding that criminals used to demand $200 to $1,000. Cost of ransom today could be $200,000, in addition to other costs associated with remediation. According to RansomwareClock.org, the average cost of remediation after a ransomware attack is $1.85 million. That figure includes business downtime, lost revenue, and operation costs. The average downtime for a business after a ransomware attack is 21 days. “In light of the pandemic and what this industry has been through, how many hotel owners can say, ‘It’ll be fine for my business to be down for 21 days?’” Halprin asks. “It’s almost impossible to run a business with no revenue for that long.”
He says hoteliers can protect their guests by recognizing the risk of data breaches and prioritizing proactive action. “Sometimes people take the ostrich approach: They bury their heads in the sand and hope for the best, and you just can’t,” Halprin explains. “Even as a small business owner, you have to be attuned to the fact that this is a risk, and you need to be prepared for what happens. I’ve always said it’s best to treat data breaches as an inevitability. I think insurance can be an important part of that larger program, but I would just caution that it’s for when everything else fails. That’s the purpose of insurance.”