Marriott data breach could cause record $300mn claim

Cyber insurers are anticipating a claim in the region of $300mn from the Marriott data breach, which would be the largest insured loss to ever hit the standalone cyber market, The Insurance Insider can reveal.

Sources told this publication the cyber tower is led by AIG and brokered by Lockton, but the excess layers are written by multiple markets across the US and Lloyd’s. The hotel group has notified its insurers of the loss. 

If the claim comes in at $300mn, it is thought that Marriott would have exhausted most of its cover, although there is debate over whether this claim would result in a total loss.

At this size of claim, the loss will also likely be felt by the reinsurance market.

On Friday, Marriott disclosed that it had been the victim of a data breach, in which information on about 500 million guests was lost.

The firm said that on 8 September, Marriott discovered unauthorised access to its Starwood guest reservation database in the US. During the investigation which followed, the hotel group learned that there had been unauthorised access since 2014.

The cyber hackers had copied and encrypted information, and taken steps towards removing it.

For about 327 million of the 500 million guests affected, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

The hotel group warned that, for some lost accounts, the information also included payment card numbers and payment card expiration dates. This information was double-encrypted, but Marriott admitted it could not be certain whether the information needed to decrypt the payment details was also taken by the hackers.

“We deeply regret this incident happened,” said Marriott president and CEO Arne Sorenson. “We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests, and using lessons learned to be better moving forward.”

A basic rule of thumb in tallying up the cost of a cyber attack is that it costs the affected company $1 in notification and other services for each data account lost. However, some economies of scale can be achieved in larger breaches.

If the breach does result in a $300mn claim, it would be the largest insured loss on record for the standalone cyber market, sources said.

Even though there have been large-scale attacks like WannaCry and NotPetya, the relatively low level of cyber insurance penetration has meant losses from these attacks have not been substantial for cyber insurers.

Victims of such attacks have tried to claim for the financial damage on other traditional covers where cyber risk was not specifically excluded.

One of the largest standalone cyber losses to date was the $100mn claim by Southwest Airlines, which suffered a system failure in July 2016. AIG was also the lead insurer for that placement.

Sources in the cyber market said this Marriott loss could result in a tightening of wordings, which have become increasingly loose in recent years as carriers look to build market share and meet client demands.

However, the loss is unlikely to dampen appetite for cyber risk, which is largely profitable for most carriers and seen as a major growth area for the insurance market.

AIG and Lockton declined to comment. Marriott could not immediately be reached for comment.