Following the major cyber attack and resulting data breach of one of the Marriott hotel chain’s reservation systems, Reinsurance News spoke with the Co-Head of Property Claim Services (PCS), Tom Johansmeyer, about the nature of the event and expected industry loss.
The breach, announced on November 30th, led the insurance and reinsurance industry to expect a sizeable cyber risk loss, with PCS later designating the breach under its PCS Global Cyber product.
AIR estimates that the event could result in an insurable loss of between $200 million and $600 million, a broad range which highlights the uncertainty about the data stolen, as well as the inherent complexity when estimating the potential insurable loss from a large cyber event.
“The global reinsurance market is busy speculating as to what the biggest question is around this cyber loss. Some point to the potential for third-party losses to affect the program. Others suggest that this could be a test of whether GDPR and other fines and penalties could be covered. Those are important concerns, but it’s still too soon.
“For now, I’d focus on whether the consumer notification process will be sufficient. Email notification and push to an online presence is certainly low cost, which would affect the claim. However, the process for registering for monitoring requires a phone call. And with the number of records affected and timeframe involved, there could be issues with whether any of the email addresses used with the hotel chain by customers are now secondary accounts. If they aren’t actively used, one could miss the notification, affecting take-up rates, and thus leading to questions about the effectiveness of the approach,” said Johansmeyer.
Another issue surrounding the Marriott breach concerns the security and reissuance of passports, which, Johansmeyer explains, might not be as bad as initially thought.
“Some countries only issue passports for five years. Given how long the breach went on before discovery, many may not be valid any longer. Even for passports issued for ten years, the duration of the breach suggests that a decent number of them expired. Any extra costs or risk associated with the need for reissuance (particularly in the context of third-party) might be mitigated as a result,” said Johansmeyer.
Regarding the potential for third-party impacts to extend the tail risks of this event, Johansmeyer said that while the global reinsurance market is abuzz about the class action litigation that looms, this might not be the case for this affirmative cyber loss.
“Given the number of people affected – even if de-duping brings it down – notification could become more expensive if the current approach isn’t deemed sufficient, or if there’s disproportionately and unexpectedly high monitoring take-up. That could turn it all into a first-party loss and potentially shorten the tail considerably,” said Johansmeyer.
While uncertainty remains, some in the global reinsurance industry have suggested that the Marriott breach might well be a test of whether GDPR fines and penalties could be covered, but Johansmeyer said that with this event, it might not be the GDPR learning curve that some had suggested.
“As with the potential for third-party to affect the loss, if first-party is sufficient, then GDPR wouldn’t get the opportunity to factor into this event. Based on the market intelligence we collected to develop our initial industry loss estimate, PCS figures that this will be a loss without the GDPR learning opportunity the sector craves,” said Johansmeyer.
This event certainly has the potential to be the largest standalone or affirmative cyber insurance loss ever, and if there’s any spillover into other policies it might well become another large market-wide cyber loss, which could ultimately impact reinsurance players.