Marriott hotels hack designated as PCS Global Cyber loss event

Last weeks announcement of a major cyber hack attack and resulting data breach of one of the Marriott hotel chain’s reservation systems is expected to lead to a significant cyber insurance and possibly reinsurance market loss, leading Property Claim Services (PCS) to designate the event.

Our sister publication Reinsurance News was the first to reveal that the insurance and reinsurance market had been bracing itself for a major cyber loss to emerge at the end of last week, which turned out to be the enormous loss of customer data from this Marriott hotel chain cyber attack.

Marriott announced that the data breach involved its Starwood hotels brand guest reservation database. Its investigation showed that there was unauthorised access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018.

As many as 500 million sets of customer details are potentially involved in this cyber breach, with some banking or credit card details also assumed lost.

While financial details are encrypted in the database, Marriott said that it could not rule out that the security keys required to crack open this data hadn’t been stolen as well in the hacking attack.

The hacker is said to have had access to the Starwood reservations database at Marriott since 2014, with cyber security experts saying it was likely either a phishing attack, someone with inside knowledge of the Marriott technology stack, or some other form of leak of credentials.

PCS said that it is now investigating the cyber hacking attach on Marriott and has designated this event as a Global Cyber industry loss of interest, meaning it will now monitor the cyber loss event and provide reports in due course, including on the resulting industry insured loss.

As a designated PCS Global Cyber event, the firm will now monitor and eventually collect insured claims data for the loss, providing that back to its subscribers and also meaning the market can use the industry loss estimate as an input to any cyber industry loss warrants (ILW’s) or other industry loss triggered risk transfer instruments.

Our sister publication reported that its industry sources suggested Marriott has at least $250 million up to as much as $350 million of affirmative cyber insurance cover, an amount that is expected to get wiped out from the resulting claim for costs associated with recovery from this loss of data.

Just contacting the millions of customers is going to be an expensive business, while any lawsuit costs or other compensation Marriott has to pay could increase the loss and perhaps trigger other forms of business insurance the hotel chain has in place.

There is also some risk of business interruption claims as well, especially if it was found that the reservation system and database in question required work to improve its security, creating any downtime for the Marriott global hotel business.

However, at this stage it does look likely to be more of an affirmative cyber insurance loss, along with some potential for insured claims in other business policies.

It’s too early to say whether reputational damage could be another vector of insurable loss in this case, although it’s worth noting that Marriott’s share price fell by 7% on Friday and if that stays low the company may have cause to claim on further business coverage.

Marriott said that it carries cyber insurance and is working with its insurance carriers to assess coverage levels and the potential for claims.

It’s understood that there could be participation from a collateralised reinsurance player on an excess cyber layer that may be exposed to this Marriott hotel chain data breach, according to one market source of ours.

However, it is most likely to be Lloyd’s markets and major international or U.S. focused cyber insurers such as AIG, AXA XL, Chubb and perhaps Travelers that carry most of the loss that results from this hacking, given their specialisms in cyber covers.

This has the potential to be the largest standalone or affirmative cyber insurance loss in history and if there is any leakage to other policies it could become another large market-wide cyber loss, with the potential for reinsurance carriers to be impacted.

Additional points to note on this loss is that loyalty or reward accounts data may have been accessed and some cyber security experts suggest that this could even have been a reason for the hack, given it is much easier to launder loyalty points than to crack customer card data.

If it were proved that Marriott or Starwoods loyalty points customers have been losing points and it’s linked to this data breach and hack, there could be further costs for the hotel chain to bear, leading to further insurance impacts.

As well there are already class action lawsuits for Marriott to deal with, two from or on behalf of plaintiffs who may have lost their personal data in the hack and breach, as well as one on behalf of shareholders.

One of the plaintiff lawsuits from consumers is claiming as much as $12.5 billion in damages, or $25 for each of the 500 million affected by the data loss.

If any of these lawsuits are successful, it’s clear Marriott’s costs would escalate significantly and likely the loss to insurers with it.

PCS launched its Global Cyber loss aggregation service last year, offering industry loss estimates for individual affirmative international cyber events. The firm recently added coverage for cyber catastrophe events as well, to cover cyber events that impact multiple insureds and the insurance and reinsurance impacts of so-called silent cyber risks.

As was shown recently by the Petya / NotPetya malware cyber loss, cyber insurance claims can become much broader industry-wide losses, where business interruption can be claimed under property policies.