Aon Risk Solutions | Global Sales & Marketing Support
Proprietary & Confidential
Cyber Risk for Entertainment - Hospitality Sector
Date: 31st March 2016
Table of contents
Entertainment Industry & Cyber Risk
Major Data Breach Incidents
NetDiligence Claims Statistics
Data Protection Regulations
Verizon Survey Data Breach Statistics
Purchase of Cyber Insurance
Effectiveness & Adequacy of Insurance
Payment Card Skimming
Data Breaches & Lawsuits
Data Breach Effects on M & A Deals
Data Sources
Entertainment & hospitality sector seems to be prone to cyber risk
The entertainment & hospitality industry includes companies operating in industries such as hotels, resorts, casinos, spas, motion pictures, amusement & recreation services, and radio & television broadcasting stations.
Hospitality industry participants, especially hotels & resorts, seem to be highly prone to cyber threats because of their business requirements & regulatory reasons. These establishments collect private information from customers, including passport details, date of birth, SSN, debit/credit card details and occupation.
Customers may be at risk at the point of sale (PoS), since the payment happens at that point and payment gateways get involved as well. Many of the data breaches happen when the customer makes the payment for services provided or to be provided at a future date.
Major hospitality companies have suffered data breaches in the last 2 years
Recent Major Data Breach Incidents in Entertainment - Hospitality Sector
| Month/Year | Company/Organization Affected | Country | Details of the breach |
| --- | --- | --- | --- |
| Mar-14 | Las Vegas Sands Corp. | USA | Las Vegas Sands Corp's Pennsylvania property suffered a data breach which may have compromised guests’ Social Security and driver's license numbers and bank and credit-card data |
| Apr-14 | AOL | USA | Company reported that a series of spam mails may have compromised the account credentials of about 2% of its user base |
| Nov-14 | Sony Pictures Entertainment | USA | Company reported that many of its internal documents, emails and movies had been leaked during the month of November 2014 |
| Mar-15 | Mandarin Oriental Hotel Group | Hong Kong | Hotel group reported that many of its hotels in USA & Europe were hit with data breach incidents which may have compromised credit card data of customers |
| May-15 | Hard Rock Hotel & Casino Las Vegas | USA | Hotel announced that data breaches were reported which may have exposed customers' credit card numbers & CVV security codes regarding transactions during the period: September 2014 to April 2015 |
| Jul-15 | FireKeepers Casino Hotel | USA | Hotel revealed that credit card & debit card information of about 85,000 was compromised during the data breach incident which occurred during the period: September 2014 to April 2015 |
| Oct-15 | The Trump Hotel Collection | USA | Hotel reported that data breaches compromised sensitive customer data such as payment card account number, card expiration date, and security code during the period: May 2014 to June 2015 |
| Nov-15 | Starwood Hotels & Resorts | USA | Company's luxury properties across 54 locations were affected with malicious software which exposed customer credit-card and debit-card information during the period of 8 months |
| Nov-15 | Hilton Hotels | USA | Hotel informed that several data breaches may have affected the sensitive information of customers who made purchases at the various hotel locations during the period: November - December, 2014 & April - July, 2015 |
| Jan-16 | Hyatt Hotels Corporation | USA | Hotel reported unauthorized access of customer credit & debit card information related to transactions during the period: August to December 2015. The data breach may have affected guests across 250 hotels in 50 countries |
Major entertainment companies have suffered data breaches in the last 2 - 3 years
Recent Major Data Breach Incidents in Entertainment - Hospitality Sector
| Month/Year | Company/Organization Affected | Country | Details of the breach |
| --- | --- | --- | --- |
| Nov-13 | KRTV Montana TV Station | USA | Hackers penetrated the 'Emergency Alert System' & displayed the message: dead bodies are rising from their graves |
| Mar-14 | Michigan Radio | USA | Unauthorized messages were displayed following the hacking of the RDS system |
| Jul-14 | Channel 10 | Israel | Hackers penetrated the satellite channel for a few minutes to broadcast pictures of Gaza wounded |
| Aug-14 | China Cable | China | Hackers broadcast images of tortured prisoners, anti-government slogans and footage of the Tiananmen Square protests in 1989 |
| Apr-15 | TV5Monde | France | Hackers penetrated the system, email & production facilities, accessed social media accounts & disrupted transmission of 11 channels for 3 hours |
Hospitality sector accounted for a small portion of total claims reported during the years: 2014 & 15
NetDiligence conducts a study of cyber liability claims every year to ascertain the impact of cyber liability by industry, company size, etc.
The healthcare industry witnessed the highest number of claims vis-à-vis other industries and accounted for 21% of the total in the year 2015. The hospitality & restaurant industries accounted for about 4% each of the total claims for the year 2015.
The healthcare industry witnessed the highest number of claims vis-à-vis other industries and accounted for 23% of the total in the year 2014. The hospitality industry accounted for about 4% of the total claims for the year 2014.
Sources: NetDiligence Cyber Claims Study – 2014 & 2015
NetDiligence study - percentage claims by business sectors, 2015: Healthcare 21%, Financial Services 17%, Retail 13%, Technology 9%, Hospitality 4%, Restaurant 4%, Other Industries 32%
NetDiligence study - percentage claims by business sectors, 2014: Healthcare 23%, Financial Services 22%, Professional Services 10%, Retail 10%, Hospitality 4%, Other Industries 31%
Hospitality sector accounted for a significant portion of claims induced by malicious insiders
According to the study by NetDiligence, about 30% of the total respondents (total sample size: 160) attributed claim events to insiders, i.e. employees of companies/organizations (for the year 2015).
More than 67% of the total claims attributable to insiders were unintentional. The remaining 33% of the claims were caused by employees who purposefully caused claim events, i.e. malicious insiders.
The hospitality & restaurant industries together accounted for about 24% of claims caused by malicious insiders during the year 2015. The hospitality industry accounted for 5% of claims induced by unintentional insiders for the year 2014.
NetDiligence study - malicious insider involvement in claims by business sectors, 2015: Healthcare 29%, Financial Services 29%, Hospitality 12%, Professional Services 12%, Restaurant 12%, Other Industries 6%
NetDiligence study - malicious insider involvement in claims by business sectors, 2014: Healthcare 40%, Financial Services 13%, Hospitality 13%, Professional Services 20%, Non-Profit 7%, Transportation 7%
NetDiligence study - unintentional involvement of insiders in claims by business sectors, 2014: Healthcare 29%, Financial Services 24%, Non-Profit 14%, Hospitality 5%, Technology 10%, Other Industries 18%
Sources: NetDiligence Cyber Claims Study – 2014 & 2015
Hackers & paper records were major causes for data breach related claims during the year 2014
According to the study by NetDiligence, about 20% of the total respondents (total sample size: 111) attributed claim events to third parties during the year 2014.
Hackers caused a little over one-third of the claims reported during the year 2014.
Entertainment industry respondents represented a minute portion of claims by business sectors for the year 2014.
Sources: NetDiligence Cyber Claims Study – 2014
NetDiligence study - third party breaches induced claims by business sectors, 2014: Financial Services 32%, Healthcare 18%, Professional Services 14%, Media 9%, Entertainment 4%, Other Industries 23%
NetDiligence study - third party breaches induced claims by cause of loss, 2014: Hacker 36%, Paper Records 23%, Lost/Stolen Device 4%, Improper Data Collection 9%, Rogue Employee 5%, Staff Mistake 14%
Data protection regulations in entertainment & hospitality industry
In the USA, the Federal Trade Commission (FTC) controls and safeguards the interests of consumers. The FTC is authorized to conduct enforcement actions against companies in many industries, including hospitality, internet hardware, social media and mobile apps, when a compromise of personal information has occurred. In August 2015, the Third Circuit Court of Appeals affirmed the FTC’s authority to regulate unfair and deceptive cyber security practices in F.T.C. v. Wyndham Worldwide Corporation.
The Safe Harbor Privacy Statement is another mandate, applicable to data transfers from the European Union & Switzerland. Many international establishments that have operations in EU countries & Switzerland must explain to consumers how personal data is collected & transferred.
In the UK, the Information Commissioner’s Office promotes & safeguards data privacy for individuals. The Data Protection Act controls how consumers' personal information is used by organizations, businesses or the government. This means the act covers companies operating in many industries, including hospitality & entertainment.
According to an article in ‘The Privacy Surgeon’, Europe offers an interesting perspective on data availability under the law. Hotels are mandated to collect guests’ details such as passport number, nationality, home address, telephone number, gender and date of birth. Hotels in Italy and Spain are required by law to report their guests directly to police within 24 hours. These requirements may open up opportunities for cyber criminals to extract sensitive personal data.
The Federal Communications Commission (FCC) regulates the media & broadcasting industry in the USA.
Entertainment sector industry reported few data security incidents in 2015
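Verizon 2015 Data Breach Investigation Report: Security Incidents by Victim Size & Industry

| Industry | Security Incidents: Total | Security Incidents: Small | Security Incidents: Large | Security Incidents: Unknown | Confirmed Data Loss: Total | Confirmed Data Loss: Small | Confirmed Data Loss: Large | Confirmed Data Loss: Unknown |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Public | 50,315 | 19 | 49,596 | 700 | 303 | 6 | 241 | 56 |
| Information | 1,496 | 36 | 34 | 1,426 | 95 | 13 | 17 | 65 |
| Financial Services | 642 | 44 | 177 | 421 | 277 | 33 | 136 | 108 |
| Educational | 165 | 18 | 17 | 130 | 65 | 11 | 10 | 44 |
| Healthcare | 234 | 51 | 38 | 145 | 141 | 31 | 25 | 85 |
| Retail | 523 | 99 | 30 | 394 | 164 | 95 | 21 | 48 |
| Utilities | 73 | 1 | 2 | 70 | 10 | 0 | 0 | 10 |
| Entertainment | 27 | 17 | 0 | 10 | 23 | 16 | 0 | 7 |
| Manufacturing | 525 | 18 | 43 | 464 | 235 | 11 | 10 | 214 |
| Transportation | 44 | 2 | 9 | 33 | 22 | 2 | 6 | 14 |
| Unknown | 24,504 | 144 | 1 | 24,359 | 325 | 141 | 1 | 183 |
| Total | 79,790 | 694 | 50,081 | 29,015 | 2,122 | 573 | 502 | 1,047 |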
Sources: Verizon Data Breach Report-2015
Majority of the respondents from the hotels & hospitality sector reported non-purchase of cyber insurance
According to Aon’s Global Risk Management Survey 2015 report, 35% of the respondents from the ‘Hotels & Hospitality’ sector had already purchased cyber insurance.
However, 55% of respondents had neither purchased cyber insurance nor had plans to purchase it. A minute portion of respondents (10%) had plans to buy cyber insurance.
[Chart: Aon Global Risk Management Survey 2015, Purchase of Cyber Insurance Coverage by Industry. Legend: Insurance Currently Purchased; Not Purchased & No Plans to Purchase; Plan to Purchase]
Sources: Aon Global Risk Management Survey 2015
Majority of the respondents from the hotels & hospitality sector felt existing cyber policy offered effective & adequate coverage
According to Aon’s Global Risk Management Survey 2015 report, about 57% of respondents from the ‘Hotels & Hospitality’ sector felt that their current cyber coverage provided adequate cover against cyber liability.
Around 57% of respondents from the ‘Hotels & Hospitality’ sector felt that their current cyber coverage was effective in providing cover against cyber liability.
[Chart: Aon Global Risk Management Survey 2015, Adequacy of Current Cyber Insurance by Industry]
Sources: Aon Global Risk Management Survey 2015
[Chart: Aon Global Risk Management Survey 2015, Effectiveness of Current Cyber Insurance by Industry]
Discovery of Payment Card Skimming usually ranges from a few hours to a few days
According to the ‘Verizon 2015 Data Breach Investigations’ report, in the majority of cases the discovery of payment card skimmers takes from a few hours to a few days.
A small portion (about 28%) of the data breach cases took weeks or months to discover.
However, as the saying goes, ‘Every cloud has a silver lining’: detection/discovery times are getting better, as the majority of incidents may be discovered within a few days of the breach.
[Chart: Verizon 2015 Data Breach Investigations Report, Time to Discovery within Payment Card Skimmers Pattern for Retail Industry]
Data breaches have led to lawsuits against board of directors, C-suite executives and company
It would be an interesting exercise to ascertain whether cyber exposures or data breaches can lead to lawsuits against directors and officers.
According to an article published on ‘Cyber Risk Network’, the boards of Google, Wyndham & Target were sued after data breach incidents, and these incidents were followed by the removal of C-suite officers. This may be a classic example of data breaches influencing lawsuits against boards and C-suite executives. Although the example given above is from a different industry, it may be assumed that data breaches may lead to lawsuits against C-suite executives & directors in the entertainment & hospitality sector.
It is quite unclear whether cyber/data liability/security claims are covered under traditional lines of insurance such as property, general liability, etc. However, a few court rulings shed some light on decisions wherein cyber liabilities were covered under traditional lines of business. Although the companies involved in the lawsuits belong to industries other than healthcare, it would be interesting to understand the treatment of liability.
In the lawsuit “Retail Systems, Inc. v. CNA Insurance Co”, the Court of Appeals of Minnesota compared a data storage tape to a motion picture and held that data on a missing computer tape was of permanent value and was integrated completely with the physical property of the tape.
In another interesting case, Sony Corp’s subsidiary ‘Sony Pictures Entertainment’ reported data breach incidents in the year 2014. Former employees of the company argued that the company was aware that it didn’t have adequate security measures to protect its sensitive data and didn’t act to mitigate this risk. Former employees also argued that the data breach incidents had compromised their sensitive personal data.
This is a classic case of a data breach leading to more complex issues such as lawsuits against the company.
Data breaches and their effect on M & A deals
It would be an interesting exercise to ascertain whether cyber exposures or data breaches can have a significant impact on planned M & A transactions.
Marriott Hotels, in November 2015, offered to buy Starwood Hotels for a consideration of $12.2 billion. Starwood Hotels announced that its luxury properties across 54 locations were affected with malicious software which exposed customer credit-card and debit-card information during the period of 8 months.
According to a Wall Street Journal article, a spokesman from Marriott acknowledged awareness of the data breach. This information could surely raise eyebrows and may come across as a surprise as well! This could be a classic case of an acquirer believing that the benefits of an acquisition may be far greater than the data security risks involved with the target company.
According to a CNBC news article, a consortium led by Anbang offered a deal of $13.6 billion to acquire the business of Starwood Hotels.
It is thus quite unclear whether all data security breaches have a negative impact on proposed M & A deals involving the company which suffered the data breach.
Sources
Sources used for the study:
NetDiligence 2015 Cyber Claims Study
NetDiligence 2014 Cyber Claims Study
Aon Global Risk Management Survey
Casino Data Breach Incident
Businessinsurance - Data Breach Incident
Certesnetworks - Data Breach Link
Computerweekly - Data Breach News
Americanbanker - Data Breach News
Bloomberg News Data Breach Incident
Bloomberg – Sony Lawsuit News
UK Data protection Law
Data Policing in UK
Cyber Risk M & A
Tvnewscheck – France TV Hack News
Gawker.com News - Montana TV system hack
theregister.co.uk News
ibtimes.co.uk News - China Cable hack
FCC