Hotels present a tempting target for cybercriminals, and understandably so. After all, cybercriminals want access to data—personal, organizational and financial—and hotels are nothing short of treasure troves of information.

As the 2019 Insights CyberThreat Report points out, hotel Wi-Fi, credit card reservations and sales, loyalty programs, guest services and interconnections with vendors can all present security threats. The sheer volume of points of attack that can be infiltrated by cybercriminals means that hotel owners and managers to view cyber risk through a very wide lens.

But a shortage of qualified cybersecurity professionals to design and maintain security systems complicates maintaining a robust cyber defense. This shortage is a problem faced by the economy as a whole, and competition is fierce for skilled professionals.

The situation facing hotel owners and managers is difficult, but not impossible. Insurance consultants help design incident response strategies and leading cyberattack simulation tests that involve all key stakeholders. The ultimate goal is to make hotels a more attractive risk to insurers.

Hydra-Headed Threats

The cyber threats targeting hotels come from a variety of sources. The more common sources of cyberattacks include:

It’s a Legal Matter

A breach resulting in compromised data presents serious legal and regulatory challenges as well as the immediate damage to the hotel’s finances and reputation.

All states and several countries have breach notification laws that require the data owner to notify guests who have had their personally identifiable information accessed by unauthorized parties. But the rules vary significantly by jurisdiction, with some requiring as little as 48 hours for notification.

When the attack affects citizens from the EU, a new regulation called the General Data Protection Regulation—or GDPR—comes into play. The statute requires notification within 72 hours for those impacted. Failure to comply with GDPR results in a fine that can be as high as 4% percent of the hotel chain’s annual revenue. Although GDPR has been enforced only to a limited extent, its very existence should cause concern for both hotel owners and operators.

Hotel owners and managers also must comply with the Payment Card Industry Data Security Standard or PCI DSS, an information security requirement for organizations like hotels that transact business via credit cards designed to reduce fraud. Practices range from limiting employee access to credit card data to how information is stored digitally and unique user IDs issued to those who do have more extensive access. 

If a hotel has a security breach and is found to be non-compliant with PCI rules, it may be fined $5,000 to $100,000 a month until the compliance issues are addressed.

Assembling an Incident Response Team

Given the potentially enormous costs involved—both in terms of money and reputation—hotels need a robust defense system against cyber criminals. They should start by implementing an incident response—or IR—plan. An IR plan allows staff to more readily identify, respond to, and recover from a cybersecurity attack.

An IR plan must have the right people in place, playing specified roles to succeed. For hotels, that needs to be collaboration between stakeholders: Chief Information Security Officer to contain the spread of the attack and preserve evidence, general counsel to assess legal obligations, risk manager to coordinate insurance, a spokesperson to lead internal and external communications, operations to lead organizational resilience efforts, the CFO to allocate costs and the CEO who can address key business partners, important clients, shareholders and the media .

An IR plan for the hotel business requires that the team:

  • Increase awareness of cybersecurity issues throughout the enterprise
  • dentify and assign individual breach response roles and responsibilities
  • Build-in business continuity measures
  • Manage vendors to assist in the investigation, evidence preservation, remediation and compliance
  • Have a plan to respond to specific types of cyberattacks
  • Purchase the right cyber insurance

Tabletop exercises are a critical part of the IR plan. At least once a year, members of the IR team should meet to run a tabletop exercise — a best-practice way to test the IR plan through a simulated attack. This collaborative approach helps to evaluate the organization’s cyber-crisis preparedness. Tabletops provide the tools and proficiency needed to respond from both a strategic and technical perspective effectively.

The key to implementing a coordinated effort is to enlist the help of professionals who are well-schooled in these techniques. The organization’s insurance broker can be the perfect ally in this endeavor. A knowledgeable broker can guide in setting up IR plans and helping the team test the plan with simulated cyberattacks. These endeavors will undoubtedly shine a positive light on any company as they enter the cyber insurance market. 

Our Team can help you face cyber risk with confidence.
Learn more

Although the exact details of a successful risk mitigation strategy may depend on individual hotels or chains, six steps should be part of any plan.

  1. As noted above, have an IR team in place that includes all key stakeholders.
  2. Conduct tabletop exercises with the IR team at least once a year to test preparedness
  3. Make sure to implement employee training as part of IR readiness
  4. Stay on top of hiring so that there is no shortage of cybersecurity professionals on your staff.
  5. Invest in the latest technology with data encryption, the most up-to-date anti-virus software and real-time intrusion detection systems.
  6. Tighten up processes by implementing multifactor authentication, conducting system patching regularly creating a formal password protection program and enforcing all privacy policies.


Cybercrime represents a multifaceted threat to the hotel industry. As such, it demands a multifaceted defense strategy. Working with knowledgeable insurance professionals can both bolster a hotel organization’s cyber defenses and make it a more attractive risk to underwriters.