Cyber incidents continue to rise and are becoming increasingly prevalent within the hospitality industry. According to a 2022 case study report published by Ponemon and IBM Security, the average total cost of each data breach in the hospitality industry from 2021 to 2022 was $2.94 million. Late last year, an international hotel brand was targeted as part of a ransomware attack, resulting in disruptions to booking and concerns about the safety and privacy of guests’ personally identifiable information (PII).
Like any insurance policy, cyber insurance aims to protect your assets and your ability to continue operating your business. A successful breach or ransomware attack can be very impactful to resorts and their guests, resulting in a loss of hundreds of thousands of dollars, and in some cases millions of dollars, either to recover from the event or to reestablish business continuity after the event occurs. Cyber insurance will help pay for those costs and help keep you up and running versus having to absorb those expenses yourself.
Getting Started with Cyber Security Insurance
Before shopping for cyber insurance, it’s essential to have certain cyber protocols, or “cyber hygiene,” in order. Security factors need to be in place for your business operations each day. As a first step, you will want to ensure that your internal policies and controls are in order. Most cyber insurance companies will request proof that these are functioning and in place. To best illustrate security posture, businesses should include policies such as:
- Email filtering for spam and ransomware
- Annual penetration testing (internal and external) and a semi-annual vulnerability scan
Insurers will be looking for basic controls to be in place and for you to prove that you have those controls and that they are functioning. A service provider, like Withum, can evaluate a client’s cyber insurance policy and provide a checklist of items that will likely be requested. Depending on the insurance company you’re working with, they can also provide you with a preliminary list of what they expect for policies over certain amounts. Ensuring that your business has a strong cyber posture, including all of the above considerations, will result in obtaining cyber insurance easily and receiving the policy level that your business needs.
Ransomware Effects on Cyber Insurance Coverage
Ransomware attacks can cost a company dearly, depending on the company and the information that is tied up. Likewise, should the company not pay the ransom and believe that it can recover from its backups, it is often faced with downtime associated with the recovery. That downtime is lost revenue for a business.
In the unfortunate event that a company becomes affected by ransomware, there are three considerations to be mindful of concerning coverage and the protection of the business.
- A cyber policy should cover lost revenue and the costs associated with getting the business operations up and running again. Additionally, the coverage should cover the cost of the ransomware, the demand for ransom, and potentially the cost of recovery should the company decide not to pay the ransom.
- Business management should decide whether to pay the ransom. The details of the existing cyber insurance policy should be reviewed prior to going into the decision-making process so that an informed decision can be made.
- A clearly defined incident response plan should be a priority for all businesses. If a ransomware attack occurs, it is important to be as prepared as possible by knowing what your policy includes and who will be relied upon to provide breach response services. Is there a vendor identified to conduct computer forensics and a forensics expert who can provide advice so that informed decisions can be made?
All businesses should have some form of cyber insurance policy in place to help protect their business in case of a data breach or attack. Although the best way to prevent a cyber incident is with strong preventive security measures and encryption, you need to have good policies and practices in place, test periodically to catch any vulnerabilities, and ensure your staff understands the importance of security. Ensuring that you have adequate cybersecurity insurance can help mitigate the potentially catastrophic effects that a cyberattack may have on business continuity.
Republished with permission from ARDA Developments, copyright April 2023.