HOUSTON — When it comes to company data breaches, the saying is it's a matter of when, not if.
The average cost of a hospitality data breach in 2023 was $3.36 million, up 14% compared to 2022, said Jessica Eldridge, senior vice president and practice director of cyber for J.S. Held's forensic accounting and insurance services practice, at the Hospitality Law Conference. While hospitality is not as popular a target for hackers as financial companies and hospitals, the hotel industry is increasingly a target.
Hoteliers will need to ask themselves what is at risk and what is a risk, she said. They also need to determine how their risks can be protected sufficiently and whether there are controls that need to be initiated.
The main risk to any company is the financial loss, and that could come through disruption or damage to equipment as well as reputational harm, Eldridge said.
“It's important to really understand what these concepts mean, because it will have an impact if you do file a claim with your insurance company,” she said.
Identifying the Risks
The National Institute of Standards and Technology outlines the things companies should identify to protect against data breaches, Eldridge said. The first is to determine what the company wants to protect, such as its systems, assets, people, data and capabilities. In particular, when companies protect their people, that means protecting their information and the company’s information.
“If you don't understand that, it's really difficult to be able to protect it,” she said.
The next step is to develop and implement the appropriate safeguards to ensure the delivery of critical services, Eldridge said. She questioned how companies are able to know what data to protect if they don’t know what information hackers would likely target.
The education and training of employees is key for prevention because employees are the biggest target of hackers trying to access a company’s systems, she said. The use of artificial intelligence has made phishing and social engineering attempts even more complicated. Hackers can call using AI to imitate the voice of top executives to try to get data.
One of the main things that delays an insurance claim is the lack of a prepared incident response plan, she said. These plans need to have the proper protocols in place not just on the technical side but with the right people as well, such as a forensic accountant.
Data breaches can disrupt a business, and that can lead to lost revenue and profits, and many times in insurance claims those are the last aspects to be resolved, she said. People focus on getting systems back up and running, but the chief financial officer needs to be involved as well to help mitigate the financial losses.
Dealing With Ransoms
If the hacker is demanding a ransom, there are a lot of decisions the company needs to make, including whether to pay the ransom, Eldridge said. That in itself isn’t a simple process, and the company needs to make sure it’s not paying someone on a sanctions or terrorist list, as that would lead to legal penalties.
Paying a ransom isn’t a guarantee that the hacker will fully restore access, she said.
“You don't want to say, ‘I'm relying on a criminal to be honest and provide you with the information that I need in order to get the data back,’” she said. “It's really important to make sure you have the backups in place and, if you do have backups, that they're up to date because I have found that once the cybercriminal gives you the encryption key to get your data back, they do not always provide all the information.”
When hackers are accessing a company’s data, many will try to find information that will help their ransom demand, Eldridge said. That includes finding a company’s data breach insurance policy.
“Don’t be surprised if you have $5 million, $10 million of insurance coverage and that’s exactly what they’re asking for,” she said.
The Claim Process
Having insurance for data breaches does not simply mean a company’s revenue or net income will be reimbursed, Eldridge said. It’s a complicated and detailed process.
When making an insurance claim, the company will need specific data or information to substantiate its losses, she said. A lack of data will delay the claim. There are professionals, and even some insurance companies, that can help companies prepare a response plan.
Working with coverage counsel can help with the wording of the insurance policy for sufficient coverage, she said.
“It's really important to understand what coverage you have,” she said. “What you think you were covered for under a liability cyber policy might not be what you're actually covered for.”
Oftentimes a company will want coverage for lost income related to the data breach, Eldridge said. If a company pays a $4.5 million ransom to recover access, but its coverage is for $5 million, it may only be able to receive $500,000 as that’s all that’s left from its coverage.
“Don’t rely on the policy in order to get back what you believe you are covered for,” she said. “Make sure you have the proper procedures, you have the proper backups in place because that’s really going to help you at the end.”
Regarding public relations, there’s an area in insurance policies that addresses reputational harm, she said. It’s narrowly defined in these policies, so news of the data breach appearing on social media may not be enough to support a claim.
“There’s specific wording within the policy, and every policy is a little different,” she said. “If it’s adverse media, what does that mean? Was it in the news? What defines that? These are little areas that you want to make sure you understand, because at the end of the day, you want to make sure you’re back up and running in a reasonably fast time.”
Insurance policies have specific time periods set for business interruption claims, Eldridge said. They’re usually 120 or 180 days, and that affects how companies are reimbursed. The period usually begins when the company’s systems go down and ends when they’re restored, but there may be provisions for a waiting period during which there wouldn’t be reimbursement.
Insurance companies will want to know the financial details to help them determine reimbursement, she said. They’ll want financial records, dating back a year or two, such as sales records and payroll records.
When calculating a company’s losses, the insurance company will take multiple factors into consideration, such as seasonality and budgets versus actuals, Eldridge said. They will also take saved expenses into account, meaning they’ll see if the disruption has resulted in lower expenses, such as those from layoffs.
“The insurance company is not just going to come in and pay for your lost revenue,” she said. “They’re going to want to see what the changes are in your expense structure.”
Companies should isolate any of their data breach-related costs so they can easily identify them when calculating the loss, she said.