As details continue to emerge from last week’s announcement of a major cyber hack and resulting data breach of one of the Marriott hotel chain’s reservation systems, expectations of a significant cyber insurance and possibly reinsurance market loss have prompted Property Claim Services (PCS) to designate the event.
Reinsurance News was the first to reveal that the market had been bracing itself for a major cyber loss to emerge at the end of last week, which turned out to be the enormous loss of customer data from this Marriott cyber attack.
Marriott has since confirmed that the breach involved its Starwood hotels brand guest reservation database.
Its investigation showed unauthorised access to the database, which contained guest information relating to reservations at Starwood properties, on or before 10 September 2018.
As many as 500 million sets of customer details have potentially been compromised, with some banking or credit card details also assumed lost.
Despite financial details being encrypted in the database, Marriott could not rule out that the security keys required to decrypt this data had also been stolen.
The hacker (or hackers) is said to have had access to the Starwood reservations database at Marriott since as early as 2014, with cyber security experts saying it was likely either a phishing attack, someone with inside knowledge of the Marriott technology stack, or some other form of leak of credentials.
PCS said that it is now investigating the attack and has designated it as a Global Cyber industry loss of interest, meaning that it will now monitor and provide reports in due course, including on the resulting industry insured loss.
As a designated PCS Global Cyber event, the firm will now monitor and eventually collect insured claims data for the loss and feed it back to its subscribers. This also means that the market can use the industry loss estimate as an input to any cyber industry loss warranties (ILWs) or other industry loss triggered risk transfer instruments.
Reinsurance News’ industry sources have suggested that Marriott has at least $250 million, up to as much as $350 million, of affirmative cyber insurance cover, an amount that is expected to get wiped out from the resulting claim for costs associated with recovery from this breach.
The logistics required to merely contact the millions of affected customers will incur massive costs, while any lawsuit costs or other compensation could increase the loss and perhaps trigger other forms of business insurance the hotel chain has in place.
Interestingly, loyalty or reward accounts data may have been accessed and some cyber security experts believe this may have been a motivating factor for the hack, given how much easier it is to launder loyalty points than crack customer card data.
Should this be proven, there could be further costs for the hotel chain to bear, leading to further insurance impacts.
In fact, Marriott already has class action lawsuits to deal with: two from or on behalf of plaintiffs who may have lost their personal data in the hack and breach, as well as one on behalf of shareholders.
One of the plaintiff lawsuits from consumers is claiming as much as $12.5 billion in damages, or $25 for each of the 500 million individuals affected by the data loss.
If any of these lawsuits are successful, Marriott’s costs would escalate significantly and so too would the insured loss.
There is also some risk of business interruption claims, especially if the reservation system and database in question were found to be in need of security improvements, which could create downtime for the Marriott global hotel business.
At this stage, however, it does look likely to be more of an affirmative cyber insurance loss, along with some potential for insured claims in other business policies.
It’s too early to say whether reputational damage could be another vector of insurable loss in this case, although it’s worth noting that Marriott’s share price fell by 7% on Friday and if that stays low the company may have cause to claim on further business coverage.
Marriott said that it carries cyber insurance and is working with its insurance carriers to assess coverage levels and the potential for claims.
However, it is most likely to be Lloyd’s markets and major international or U.S.-focused cyber insurers such as AIG, AXA XL, Chubb and perhaps Travelers that carry most of the loss that results from this hacking, given their specialisms in cyber covers.
This has the potential to be the largest standalone or affirmative cyber insurance loss in history and if there is any leakage to other policies it could become another large market-wide cyber loss, with the potential for reinsurance carriers to be impacted.