Help

BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

Hospitality sector steps up risk controls as cyber, other threats rise

Reprints
hospitality

Hotel and restaurant owners, many of whom repurposed their properties during the pandemic, need to prioritize risk management protocols even as some rate increases level off, experts say.

As the hospitality sector moves toward recovery, many property owners still face challenges, such as lower occupancy rates and labor shortages, that can exacerbate losses.

Greater use of technology by hotels and restaurants has also heightened scrutiny of their cybersecurity controls.

Hub International Ltd. predicts that property/casualty rates for both restaurants and lodging establishments will rise as much as 20% this year, because of cyber rate increases.

While some property rate increases will level off and single-digit liability rate increases are possible for standard risks, cyber placements are driving pricing for hospitality risks, said Kimberly Gore, Myrtle Beach, South Carolina-based national practice leader of Hub International’s hospitality specialty practice.

The hospitality industry is “technology dependent” with features like online payment and reservation transactions and digital key access, Ms. Gore said.

If an account has controls in place and is proactive about prevention and monitoring, they are not going to see 20% rate increases, but an account that is “just catching up to the cyber and technology trend is probably going to see over 20%,” she said.

The cost of cyber coverage is high across the board, with 200% to 300% rate increases and deductibles doubling in some instances, said Mark Habersack, executive director of risk management at Resorts World Las Vegas. “The cost of a cyber event in this day and age can run between $7 million and $8 million. If there’s a hot market out there, cyber is it,” he said.

Resorts World Las Vegas is getting a good price on its cyber coverage because the company works with its broker and underwriters to mitigate the risks, he said.

However, third-party companies that Resorts World relies on, including tenants and sponsors, appear to be having trouble getting the cyber coverage they want, he said.

This can affect a company’s exposure if the third-party vendor requests that its cyber coverage only amount to, say, one-third of a contract’s value, Mr. Habersack said.

“We have to reevaluate is there something we can do to help mitigate or reduce that risk. Is this a deal we don’t want to get into or are we willing to roll that dice and assume the risk because we have a confidence level with the ability of the third party,” Mr. Habersack said.

Cyber is the “wild line of coverage,” and businesses are seeing much higher rate increases depending on what upfront security mechanisms they have in place, said Jackie Collins, Houston-based senior vice president, senior director of the real estate hospitality practice, at Arthur J. Gallagher & Co.

“Some of those we’ve seen as low as 10%, while we’ve seen some go up 150%,” Ms. Collins said.

Companies across the board should have multifactor authentication in place and train their employees on how to respond to phishing emails and other scams, Ms. Collins said.

Features like contactless food and beverage ordering in hotels have also become more popular during the pandemic.

When a hotel partners with third-party food vendors, for example, part of the concern is, “when you order food, who’s ordering it? Is it the guest directly, or would they go through the hotel computer system?” Ms. Collins said.

Cyber risks are seeing triple-digit rate increases in most cases, and there is a heavy focus on controls, said Mike Chouinard, vice president, account executive, at Lockton Cos. LLC in Kansas City, Missouri.

“If multifactor authentication is not in place, it’s really hard to get full limits” for cyber extortion coverage, he said.

Working with clients to enhance their cybersecurity posture is a big focus prior to the renewal so that they can maintain coverage, he said.

Adding multifactor authentication is “just a flip of a switch,” but then hotels need to educate their employees, he said. Completing that training within a month or two can help to maintain their limits, Mr. Chouinard said.

In the last two years, every hotel operator, from high-end resorts to roadside motels, has had to go through “transformative changes,” said Matt Zender, senior vice president, workers comp strategy, at AmTrust Financial Services Inc., based in Monterey, California.

The ability to tell their story in a manner the underwriter can easily digest and believe will make a difference, Mr. Zender said.

If a hotel operator had to change its operations by order of a local county to take in residents that don’t fit their business model, they need to explain that and “explain that it’s perhaps been curtailed and the work that they did to make sure the hotel was fully cleaned afterwards so now it’s back to normal operations,” he said.

If it’s not, the operator should explain why. “The better job that they can do to tell that story, the more reasonable they are going to find the return in terms of the response from the underwriter with their rates,” Mr. Zender said.

Whether it’s the hotel or any other industry, presenting the risk properly and making sure the client is able to tell a great story about how they are managing risk is “paramount,” said Mike Vitulli, managing director of risk management services at Risk Strategies Co. Inc. in Boston.

“You’ve got busy underwriters, understaffed insurers who are trying to sort through their pile” of what they should underwrite, Mr. Vitulli said.

“Anything that’s real estate-related that is not a class A office building, whether it’s a hotel or residential,” needs to tell the story of what they are doing differently, he said.

“Do you have any loss experience? do you have good safety procedures? Telling that story is critical to getting the underwriter to want to talk about writing (the account),” Mr. Vitulli said.