The insurable loss from the recent major cyber hack and resulting data breach of one of the Marriott hotel chain’s reservation systems could rise to as much as $600 million, according to AIR Worldwide.
AIR estimates that the insurable loss from the Marriott breach will be between $200 million and $600 million, a particularly wide range that highlights the uncertainty in these cyber risk losses.
AIR said that the loss estimate is based on the assumption that 500 million records of customer data were stolen in the breach, as Marriott reported.
The range reflects the uncertainty about the type of data that was stolen, such as whether credit card details that were encrypted could be unlocked as the encryption key itself may have been stolen as well. There is additional uncertainty, as some of these records may be duplicates, AIR noted.
Property Claim Services (PCS) later designated the event under its PCS Global Cyber product, suggesting it would be sizeable enough to track.
Now, AIR’s first estimate of the insurable losses from this cyber hack show the loss certainly will be sizeable.
“AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain,” Scott Stransky, assistant vice president and director of emerging risk modeling commented. “In fact, the largest recorded breach for a U.S.-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for U.S.-based hotels.”
AIR notes that the financial impact to Marriott will be partially mitigated by its cyber insurance and other liability insurance coverage the hotel chain is reported to have, but which are not accounted for in this insurable loss estimate.
It’s important to note that this is not an industry loss estimate, rather an estimate of potential insurable losses.
But note, Marriott has a specific cyber insurance tower that provides at least $250 million, up to as much as $350 million, of affirmative cyber insurance cover and right now it appears unlikely the loss will reach much higher than that level, according to our market sources.