The estimated total insurable loss for the recent cyber hack attack and resulting data breach of one of the Marriott hotel chain’s reservation systems will be between $200 million and as much as $600 million, according to AIR.
The risk modeller made its first public estimate under its new cyber modelling service and it’s important to note that it’s an estimate of what could be the loss under a cyber policy, AIR told us.
That said, given it’s widely known that Marriott’s affirmative cyber insurance tower is somewhere between $250 million and as much as $350 million, it’s currently hard to see how this loss will extend much higher without other lines of insurance business coming into play.
But it does give a range to play with when looking at cyber insurance or reinsurance risks of this kind, as the losses can easily escalate, as evidenced by other cyber incidents in the last year or two.
AIR bases its estimate on an assumption that 500 million records of customer data were stolen in the hack and data breach of the Marriott reservation system.
The range reflects the uncertainty over precisely what was taken in the breach and whether credit card records that are supposed to be encrypted could be accessed if the hackers had also stolen the encryption keys, which is seen as a possibility.
“AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain,” commented Scott Stransky, assistant vice president and director of emerging risk modeling at AIR Worldwide. “In fact, the largest recorded breach for a U.S.-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for U.S.-based hotels.”
Our sources suggest that the figure is likely to be nearer to 350 million to 400 million records once duplicates have been removed from the data, which is still a significant number.
AIR notes that the net cost to Marriott of this cyber attack will be offset by the cyber insurance and other liability insurance coverage the company is reported to have, which the firm did not account for in its estimate.
The firm said its loss estimate includes first- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy.
As we explained before though, it does look like the impact to insurance and reinsurance interests will be through the affirmative cyber tower, rather than other lines of business.
It’s a noteworthy cyber incident though as it still could be the largest standalone or affirmative cyber insurance loss in history, with the potential for reinsurance carriers to be impacted as some cyber writers make significant use of coverage.
Market sources continue to suggest that there may be participation from a collateralised reinsurance player on an excess cyber layer that could become exposed to this Marriott hotel chain data breach.
As was shown recently by the Petya / NotPetya malware cyber loss, cyber insurance claims can become much broader industry-wide losses, where business interruption can be claimed under property policies.
The Marriott hack and data breach is just the latest sign that cyber risks are set to be a major exposure for re/insurers and hence the capital markets could become a viable source of protection as this emerging business line continues to grow.