Industry Updates
Costly Breach

• David Pilla
• February 2019
• 

Direct cyber incident losses from a data breach reported by the Marriott hotel chain last September are estimated at between $200 million and $600 million, said catastrophe modeler AIR Worldwide. AIR's estimates are based on the assumption that 500 million records were stolen, as Marriott has reported, said AIR in a statement. The modeling firm said the range of loss estimates “reflects the uncertainty about the data that was stolen, e.g., while credit card data was stolen, it was encrypted; however, the encryption key itself may have been stolen as well.” The loss estimate is for economic losses, said AIR spokesman Kevin Long in an email. AIR said its loss estimates are based on an analysis performed using its cyber model. “These estimates are subject to uncertainty and are not based on actual policy or loss data reported by Marriott,” AIR said. “The net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverage they reportedly have, which are not accounted for in these estimated losses.” Estimates include first- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy, said AIR. The modeled loss estimates do not include any fines that may be levied on Marriott; D&O and other noncyber policy-related claims, reputational loss, business interruption, decrease of stock price; or the impact of any insurance coverages that Marriott may use to recover their losses, said AIR.