The hotel chain was hit by a significant cyber hack, affecting 500,000 customers, who had sensitive data stolen, including names, addresses, dates of birth and passport numbers. From IT security and due diligence to cyber insurance, risk managers draw out lessons for the future.
In the Eagles’ hit record Hotel California, the band sings about a glamorous hotel that its guests can never leave.
It’s a story that might resonate with any of the half a billion people who’ve slept soundly in a Marriott International hotel over the past five years.
The chain confirmed that a significant cyber hack took place that affected 500,000 customers, who had data stolen, including sensitive information such as names, addresses, dates of birth and passport numbers.
Equally as worrying, Marriott – which runs around 6,000 hotels in 127 countries – said that credit card details might have been exposed too.
It’s one of the most severe and high-profile data breaches in recent years, but by no means the only example. Other famous cases include the hack of Ashley Madison – a dating website for extra-marital affairs – and the 2013-14 Yahoo hack which exposed three billion user accounts.
For the hacked organisations, the impact of these breaches can be severe. Not only are there reputational consequences, but GDPR legislation can also mean hefty fines. And Marriott’s share price dropped by 5% as the scale of the breach was confirmed.
But even though surveys suggest that cyber is firmly at the top of risk managers’ minds, these breaches keep happening.
James Pothecary, special risks co-ordinator at risk management service provider Healix International, says: “The Marriott data breach is an excellent example of how companies are on the back foot when it comes to cyber-security.
“Despite unauthorised users accessing the guest reservation database of its Starwood subsidiary since 2014, the company only became aware of the breach in September last year.
“A time lag of four years between incident and detection demonstrates that even major multinational companies lack the sophisticated cyber-security systems required to mitigate the threat posed by hackers.”
Darron Gibbard, chief technical security officer, EMEA North, at IT security company Qualys, adds: “This points out how difficult it can be to discover when attacks have taken place.
“Security teams have to look for items that are out of the ordinary, for example, a finance account trying to access network security servers or operations files when they would never normally need that data. These indicators of compromise can flag that there is an issue and help track down what is taking place.”
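The kind of indicator Gibbard describes, an account reaching systems its role never normally touches, can be turned into a simple baseline check. The following is an added example written for this article, not code from Qualys or any other party quoted here; the log format, the role-to-resource baseline, the hostname-prefix categories and the user directory are all assumptions, and the log lines are constructed.

```python
"""Flag accounts accessing resource categories outside their role's baseline.

Added example: takes constructed access-log lines, maps each host to a
resource category, and reports every (user, category) pair that the user's
role is not expected to touch. Unknown users and unknown hosts surface as
findings rather than being silently allowed.
"""
import re

# Assumed baseline: resource categories each role normally uses.
ROLE_BASELINE = {
    "finance": {"erp", "payroll"},
    "secops": {"siem", "firewall", "erp"},
    "ops": {"deploy", "inventory"},
}

# Assumed mapping from hostname prefix to resource category.
HOST_CATEGORY = {
    "erp": "erp", "pay": "payroll", "siem": "siem",
    "fw": "firewall", "cd": "deploy", "inv": "inventory",
}

# Assumed user-to-role directory (a user missing here has role None).
USER_ROLE = {"alice": "finance", "bob": "secops", "carol": "ops"}

# Assumed log format: "<timestamp> user=<u> host=<h> action=<a>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\w+) host=(?P<host>[\w-]+) action=(?P<action>\w+)$"
)


def categorise(host):
    """Map e.g. 'fw-edge-01' to 'firewall'; unknown prefixes become 'unknown'."""
    prefix = host.split("-", 1)[0]
    return HOST_CATEGORY.get(prefix, "unknown")


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_out_of_role_access(lines, baseline=ROLE_BASELINE, directory=USER_ROLE):
    """Return (findings, unparsed_count).

    Each finding aggregates one (user, category) pair with a hit count, the
    first timestamp seen and the hosts involved, sorted so the most frequent
    and earliest anomalies come first. Lines that do not parse are counted,
    not dropped silently, so a log-format change is visible to the analyst.
    """
    hits = {}
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        role = directory.get(ev["user"])
        cat = categorise(ev["host"])
        allowed = baseline.get(role, set())  # unknown role -> nothing allowed
        if cat in allowed:
            continue
        key = (ev["user"], cat)
        if key not in hits:
            hits[key] = {"user": ev["user"], "role": role, "category": cat,
                         "count": 0, "first_seen": ev["ts"], "hosts": set()}
        hits[key]["count"] += 1
        hits[key]["hosts"].add(ev["host"])
    findings = sorted(hits.values(), key=lambda f: (-f["count"], f["first_seen"]))
    return findings, unparsed


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2019-01-07T09:01:02Z user=alice host=erp-app-01 action=read",
    "2019-01-07T09:05:44Z user=alice host=pay-db-02 action=read",
    "2019-01-07T22:13:10Z user=alice host=fw-edge-01 action=read",
    "2019-01-07T22:14:31Z user=alice host=siem-core-01 action=export",
    "2019-01-07T22:15:02Z user=alice host=siem-core-01 action=export",
    "2019-01-07T10:00:00Z user=bob host=siem-core-01 action=read",
    "2019-01-07T11:30:00Z user=carol host=cd-runner-03 action=deploy",
    "2019-01-07T11:31:00Z user=mallory host=erp-app-01 action=read",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    findings, bad = find_out_of_role_access(SAMPLE_LOG)
    for f in findings:
        print(f"{f['user']} ({f['role']}) -> {f['category']} x{f['count']} "
              f"first {f['first_seen']} hosts={sorted(f['hosts'])}")
    print(f"unparsed lines: {bad}")
```

On the constructed sample this reports the finance account reaching the SIEM twice and the firewall once, plus an account absent from the directory touching the ERP system, with the one unparseable line counted separately. A real deployment would replace the static baseline with one learned from historical access and feed the findings into case management rather than printing them.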
The fact it took so long for the hack to be noticed is all the more surprising given that Marriott only bought Starwood in 2016, two years after the attack had taken place.
Danny Wong, who was director of corporate risks for rival hotel chain InterContinental, says Marriott would have been prudent to look at Starwood’s IT infrastructure “to know whether there are any skeletons or viruses in the closet” before closing the $13bn acquisition.
“When doing due diligence in most transactions, I imagine the parties involved focused on financial cashflows, liabilities and contracts and considered motivation, other intangible factors in the negotiation and ultimate transaction value,” he says.
“This is akin to buying a house and asking for the cheapest or minimum survey required in order to secure a mortgage,” Wong adds.
Wong, who has since founded GOAT Risk Solutions, where he is CEO, says cyber risks are so complex that even major corporates and governments can be exposed.
“We are now in a world where no one promises absolute protection but businesses, especially large ones.” Those firms, he says, singling out tech companies in particular, value reputation and must be able to demonstrate strong controls.
“The public are forgiving if you have done everything you can to prevent, communicate and apologise immediately, and respond sensitively,” he adds.
But he notes that there must be a shift in attitude. “The media should help make the perpetrators the bad-guys – not the corporates. But the corporates should help themselves by managing through the crisis event.”
Risk managers are on the back foot
One of the main challenges faced by risk managers is that cyber threats come from a number of sources, and the technology is continually evolving. This can make it hard to keep up and to know where to best deploy limited resources.
Marek Stanislawski, deputy global head of cyber and tech PI at Allianz Global Corporate & Specialty, explains: “We need to think about this situation as an arms race, similar to the evolutionary race between predators and prey. There are very talented people working on both sides of the line, the offensive and the defensive.
“However, there is also an asymmetry between those two teams: the attackers have only one objective and are fully focused on it. The defenders need to spread their attention over all of the company’s assets. They need to factor in availability, budgetary constraints and new technologies used by the company, which can become ‘weak points’ in the network; they have to sieve through hundreds of false positives, etc.”
Experts agree that for risk managers to adequately prevent against cyber attacks, a more proactive approach is required.
Companies need to be far more aware of the cyber risks that sit within their supply chains. Complex, non-linear lines of supply substantially reduce the risk of interruption and the benefits are well documented.
But there are risks too. More suppliers mean more potential avenues for hackers to exploit, not to mention more workers, each of whom adds to the risk.
Brian Harrison, chief executive of cyber security platform AVORD, says: “The Marriott data breach is not the first and will not be the last… Large corporations are not great at understanding and articulating the true value of the assets they control and who has access to those assets. Major corporations often have very large and complex supply chains leaving them susceptible to abuse. Although this is a problem that is now being recognised, there is still much more to do.”
Gibbard, who was previously head of risk at VISA Europe, adds: “The biggest challenge is how big these networks have become – enterprises have millions of devices, all running different software, and all will need updating at some point. Some of these networks and assets will be bought in through mergers or acquisitions, and they have to be joined up together. If that doesn’t take place, you end up with poor visibility of what is taking place.”
Turning the tide against the hackers
Fortunately, there are steps the organisations can take to better protect themselves against cyber hacks.
The first step is to make sure that software updates are properly applied throughout an organisation.
But while this might seem obvious it is far from easy.
Businesses need to ensure that every device is protected, whether that’s company-issued laptops or personal phones that staff use to access work emails.
Cyber-security specialists must try to educate everyone, regardless of position or rank, on the very basic steps that could protect corporate data, such as keeping computers locked when not in use, changing passwords regularly and keeping them private.
Gibbard says: “Most issues can be prevented – the majority of security hacks are successful because a software update has not been applied. So, getting software updates installed quickly can be the best approach to stopping attacks.”
This diligence also needs to be applied throughout the supply chain. And risk managers should make sure that they are working with even their smallest suppliers to test for vulnerabilities.
Harrison, who was formerly a risk management professional for Shell, Royal Mail and BNP Paribas, says: “Every company should have a documented third-party management process to identify all suppliers and their criticality. They should also be holding those suppliers to account and performing regular due diligence checks that include cyber security tests and controls.
“To put it into perspective, there is no such thing as a small unauthorised access to your database, or ‘they are only a small supplier’. Stolen data is potentially catastrophic for any company, and corporations are only as secure as their weakest link.”
Gibbard also advises risk managers to focus more attention on the IT side following a merger or acquisition.
He says: “If you can consolidate your security and IT asset management services quickly, you can keep that accurate picture of all the assets in mind. Having a plan to consolidate or integrate IT services over time can help reduce costs as well.”
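The three points above, applying updates quickly, holding suppliers to the same standard, and keeping an accurate picture of assets that arrive through an acquisition, come together in one inventory check. The following is an added example written for this article, not code from Qualys, AVORD or any other party quoted here; the advisories, the device inventory, the owners and the 14-day patch window are constructed assumptions.

```python
"""Rank devices by how long a published fix has been left unapplied.

Added example: compares each inventoried device's installed versions against
a list of advisories (package, fixed version, publication date) and reports
every device still below the fixed version, with days of exposure and whether
the assumed patch window has been exceeded. Devices owned by suppliers or an
acquired brand are checked the same way as core assets.
"""
from datetime import date

SLA_DAYS = 14  # Assumed patch window.


def parse_version(v):
    """'2.10.1' -> (2, 10, 1), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# Constructed advisories (not real products or dates of record).
ADVISORIES = [
    {"package": "webstack", "fixed": "2.4.1", "published": date(2018, 11, 20)},
    {"package": "ssl-lib", "fixed": "1.1.1", "published": date(2018, 9, 11)},
]

# Constructed inventory, including supplier-owned and acquired assets.
INVENTORY = [
    {"device": "res-db-01", "owner": "core",
     "installed": {"webstack": "2.4.1", "ssl-lib": "1.1.1"}},
    {"device": "res-db-07", "owner": "acquired-brand",
     "installed": {"webstack": "2.3.9", "ssl-lib": "1.0.2"}},
    {"device": "kiosk-22", "owner": "supplier-x",
     "installed": {"webstack": "2.4.0"}},
    {"device": "laptop-314", "owner": "core",
     "installed": {"ssl-lib": "1.1.1"}},
]


def missing_updates(inventory, advisories, today, sla_days=SLA_DAYS):
    """Return findings sorted by longest exposure first, then device name.

    An advisory only applies to a device that actually has the package; a
    device already at or above the fixed version produces no finding.
    """
    findings = []
    for asset in inventory:
        for adv in advisories:
            installed = asset["installed"].get(adv["package"])
            if installed is None:
                continue  # package absent, advisory does not apply
            if parse_version(installed) >= parse_version(adv["fixed"]):
                continue  # already fixed
            lag = (today - adv["published"]).days
            findings.append({
                "device": asset["device"], "owner": asset["owner"],
                "package": adv["package"], "installed": installed,
                "fixed": adv["fixed"], "days_exposed": lag,
                "over_sla": lag > sla_days,
            })
    findings.sort(key=lambda f: (-f["days_exposed"], f["device"]))
    return findings


def summary_by_owner(findings):
    """Count open findings per owner, which shows where the backlog sits."""
    out = {}
    for f in findings:
        out[f["owner"]] = out.get(f["owner"], 0) + 1
    return out


if __name__ == "__main__":
    today = date(2019, 1, 7)  # Constructed reporting date.
    report = missing_updates(INVENTORY, ADVISORIES, today)
    for f in report:
        flag = "OVER SLA" if f["over_sla"] else "within SLA"
        print(f"{f['device']:<12} {f['owner']:<15} {f['package']} "
              f"{f['installed']} < {f['fixed']}  {f['days_exposed']}d  {flag}")
    print("open findings by owner:", summary_by_owner(report))
```

On the constructed data the core assets are clean and all of the backlog sits with the acquired brand and one supplier device, which is the visibility gap Gibbard and Harrison describe; a real check would pull the inventory from the asset management system and the advisories from a vendor or vulnerability feed rather than from literals.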
Another thing companies can do to try and protect themselves, in case the worst should happen, is buy insurance. However, among risk managers, there are some severe misgivings about whether insurers are willing to put their money where their mouth is when it comes to paying cyber claims.
Elaine Heyworth, the incoming head of risk and insurance for communications regulator Ofcom, says she is not aware of a single major cyber claim that has been paid by insurers.
And the insurance industry does not help itself. For example, Zurich is refusing to pay a high-profile $100mn cyber claim for snack manufacturer Mondelez, which was hit hard by the NotPetya attack. Mondelez had a policy that contained a cyber endorsement but Zurich is invoking an obscure exclusion that bans payment for acts of war because the attack was allegedly sponsored by the Russian government.
“I personally believe insurers are lazy about cyber - and also incompetent,” says Heyworth.
“They don’t know enough to be able to produce a product,” she continues. “And if they could create a product that would actually cover you and pay out for your loss, you couldn’t afford the thing.”
Heyworth says that in her last role, as head of risk and insurance for charity The Royal British Legion, she ran an experiment to test whether appropriate cyber cover was available.
To do that, she brought her head of IT together with an external firm to run a number of disaster scenarios in a bid to understand how The British Legion’s systems would respond to an attack. The other person in the room? Her insurance broker.
“So, we’ve got three people,” says Heyworth: “Your risk manager, your IT person and your broker, sitting there calculating the risk that your business is under, looking at risk management strains to try and protect it, with the broker looking at a cost-effective insurance policy.”
As for the outcome, she says: “There was a list of risk management things that we had to put in place, and my broker said to me, ‘Elaine, I don’t think you need cyber insurance’.”
Instead, Heyworth says, she focused on implementing best practice and educating staff about IT security.
And even if the cyber insurers were to cough up, that only goes part way toward solving the problem, former InterContinental risk boss Wong says. “Transferring responsibility to third parties may help but the reputation damage always stays with the big brands and companies.”
Pushing cyber risk up the management agenda
While all these measures will help mitigate the risks of cyber attack, they involve significant resources, time and planning.
Risk managers need to work with the C-suite to make sure cyber risk remains high on the agenda.
Pothecary of Healix International says: “Investing in cyber-defences is expensive, and requires substantial resources and work-hours to build and maintain. As such, it is extremely tempting for businesses to assume that it ‘can’t happen to them’, purely because they have not yet been impacted. Changing this requires a cultural shift.”
“This will be an uphill battle on both fronts. Companies obviously do not want to spend money frivolously, and changing culture on a wider level will always take time. However, by starting now, cyber-security professionals can begin to gain ground on the hackers.”
Harrison adds: “The eternal conflict between revenue/profits, customer functionality and security controls is something all companies try to balance but the inevitable breaches we see on a daily basis prove that they often get this balance wrong.”
Understanding the financial implications of a hack can be a good way to sharpen the focus at the C-suite and senior management level.
Gibbard concludes: “Assign financial value to IT assets and keep them up to date. When there is a value assigned to security – and therefore a proper valuation of the risk due to attacks – it’s much easier to justify the time and investment in security processes.”