Marriott is still covering — and recovering — expenses from its 2018 data breach

Dive Brief:

Following the disclosure of a data breach in Nov. 2018, Marriott International has spent $16 million related to recovery in the first three quarters of this year, according to a third-quarter filing with the SEC last month. The company was able to receive $11 million from insurance this year and recovered $24 million from its insurance carrier last year.
During Q3 2021, Marriott spent $4 million related primarily to legal costs from the data breach, with nothing recouped by insurance. In Q3 2020, the hotel company received $4 million in insurance recoveries.
Since the incident, and given "the state of the cyber insurance market generally," Marriott has seen an increase in renewal costs for its cyber insurance "over the last several years," the company said in its quarterly filing. "The cost of such insurance could continue to increase for future policy periods."

Dive Insight:

The data breach began in 2014 — two years before Marriott acquired Starwood Hotels and Resorts Worldwide — quietly leaking data for four years until it was found three years ago this week.

While Marriott is able to recover some of the costs of the breach, the company is still paying more for the Starwood acquisition than the original $13 billion deal. In Q1 2019, data breach-related expenses hit $44 million, "netted against $46 million of insurance recoveries," according to CFO Kathleen Oberg in an April 2019 earnings call.

Last year, the company disclosed another data breach, impacting about 5.2 million guests. At the time, Marriott said it would rely on its cyber insurance, which is "commensurate with its size and the nature of its operations."

Cyber insurance usually covers the costs resulting from a cyberattack, including:

Legal expenses
PR expenses
Notification for customers and regulators
Forensic analysis

However, depending on the severity of an incident, Marriott's insurance coverage may be insufficient "to pay the full market value or replacement cost of any lost investment or in some cases could result in certain losses being totally uninsured," the company said in its 10-Q. The company did not return a request for comment by publishing time.

And Marriott isn't alone. The cost of standalone cyber insurance policies spiked 29% in 2020, according to an S&P Global Market Intelligence analysis. The cyber insurance loss ratios have climbed for three years straight, reaching a loss ratio of 73% in 2020.

Security and privacy experts have scrutinized Marriott's data breaches because of the type of data the hotel stores, including individual profiles of an elite class of guests, such as government officials or industry executives. The company has records of guests' preferences, habits or travel patterns, which a bad actor could compile for secondary attacks.

Data breaches often ignite a data retention debate: Why hold onto unnecessary data that could become a liability in a breach?

"If you're a person who doesn't know where your data retention policy is for your organization, go read it and find five things in there that you don't understand or don't believe," said Tarah Wheeler, CEO of Red Queen Technologies, while speaking during the virtual Gartner Security & Risk Management Summit earlier this month. Then ask "why" and "where," she said.

Data retention policies are the "last mile problem solution" for cyber incidents involving international threat actors who breach and steal data, according to Wheeler. Data retention policies are also the solution when companies are "looking at an issue of insurance, later audit records and demonstrating in a court of law that you abided by due care to claim on a cyber insurance policy," she said.