

Head of International Property, AXA XL

Hotels tend to be valuable assets housed in prime real estate with carefully chosen and often expensive fixtures and amenities. But there is nothing more valuable to a hotel than its guests – not only their comfort, but their security.

Today the world is a risky place, and risks are developing and morphing constantly. Hotel groups are faced with the challenge of trying to balance seamless operations and pleasing aesthetics with a comprehensive security programme that keeps their valued guests safe from ever-evolving threats.

Since September 11, 2001, the world has been increasingly aware of the vulnerabilities associated with terrorist activity. Further, the Mumbai hotel attacks in 2008 resulted in hotels around the globe becoming more focused on their obligation to improve their security systems and processes to manage the risk associated with terrorist attacks. They have responded by beefing up physical security in an effort to deter potential attacks and make guests feel safer during their stay. However, what has gone relatively unnoticed by most guests is that hotels have also responded to the significant and increasing risk of cyber terrorism that has emerged.

The Risk Shift from Terrorism to Cyber Terrorism

As an insurer, our Crisis Management team retained expert operational risk management advisers, the Salamanca Group. Julian Davies, Head of Consulting, Corporate Risk Services at the Salamanca Group, says hotels struggle with gaining complete physical and situational awareness in complex political regions. A key challenge is balancing cost with proper security, building for future risks and maintaining high-quality local security. Unfortunately, as Mr. Davies points out, these challenges pertain not only to physical security but also to data security, which has complexities that can be exponentially more difficult to contain.

As the internet has advanced, so has the speed at which the world operates, and hotels have become fully dependent on storing data online. Even the smallest hotels now have specialist software systems that allow guests to book their hotel reservations at the click of a button on their PC or mobile device, uploading all their personal data onto the hotel’s servers. The result is that hotel IT systems have become repositories for massive amounts of personal data, credit card information, and the identity details of millions of people around the world, making them prime targets for a cyber-attack.

Cyber-Attacks: What it means for Hotels

Cyber terrorism is a controversial term and its definitions vary. While the general understanding is that cyber terrorism is the use of the internet to stage terrorist attacks or a politically motivated use of computers and information technology to cause severe disruption or widespread fear, there are variations in qualification by motivation, targets, methods, and centrality of the computer(s) used in the act.

The hotel industry’s understanding of cyber risks is still fairly rudimentary; its protective measures and responses to cyber-attacks have not developed as quickly as the tactics used by cyber criminals. For example, at a typical hotel, consultants will establish two or three scenarios for each terrorist threat stream. However, for cyber-attacks, the Salamanca Group say a typical hotel could face 15-plus threat-based scenarios, highlighting the diverse nature of this evolving threat. Common attacks come not only from politically motivated terrorists but from a wide range of groups, including malicious residents, employees, criminals, internet terrorists, hackers, journalists, competitors and hacktivists, among others.

Many hotels would be surprised to know their computers aren’t the only source of exposure to a cyber-attack. What people don’t realise is that vulnerabilities are not just on the machines that hold your data: any device on that same network, including fax machines or personal laptops, can act as the portal for the threat.

With this in mind, our cyber underwriter at XL Catlin, Lisa Hansford-Smith, advises hotels to address cyber risk management through a cyclical approach, whereby the company constantly surveys what the risks are, how the legal sphere is changing, how data protection methods are evolving, and what new attacks are occurring. They can then feed that data back into their system, allowing them to adapt their policies and procedures as needed.

However, what is clear is that while the hotel industry is doing its best to adapt, it is not adapting quickly enough to deter perpetrators. According to a 2013 report from Trustwave Global Security, 78% of all data breaches occur in hotels, retail stores, bars and restaurants. Most recently in February 2014, during what could be the “largest breach in U.S. retail history”, a hotel franchise suffered attacks on its systems, leaving guests’ credit and debit card information exposed. Attackers were able to remotely install malware onto the individual cash registers and reception computers, making it increasingly difficult to quantify where the exposures were and the subsequent scope of insurance policies.

Effectively Battling Cyber Terrorism

With the risk of a cyber-attack added to the threat of physical terrorism, hotels now need to take a holistic approach to security in order to mitigate the risk of attacks and their potential impact.

Not dissimilar to a physical terrorist attack, a cyber-attack can cause irreversible damage to a hotel’s reputation and its brand. It’s crucial that hotel operators understand how they are protected and consult their underwriter to help manage risks associated with a potential attack. Mitigating risk means looking beyond the IT department and ensuring each department of the company is in sync and aware of the risks, exposures and processes.

Dan O’Connell, our terrorism underwriter, says that hotel operators might not realize that their insurance coverage does not respond to some consequences of an attack. There is no guarantee of avoiding a terrorist attack or avoiding the damage it can cause, but a clear way for a hotel to distinguish itself from its competitors is to take a holistic approach in having a thorough and current understanding of the latest risks as they evolve. Salamanca regularly audit the potential risks and physical damage to understand the best mitigation features to provide the most robust risk management. Almost all hotels purchase terrorism coverage, but not all of them go to the extent of taking additional precautions to implement advanced security and attack response systems that address the evolved threats.

Hotels with independent managers running the franchise have the additional burden of managing a tight form of control across each of their various branches. To mitigate this risk, many hotels are beginning to turn to third-party providers who securely store data across the chain.

In an increasingly competitive economic environment, there are few things more important to a business than its reputation. In the hotel and hospitality industry, customer relationships are crucial to maintaining a good reputation, so ensuring guests’ safety and security is a vital part of the business. When a guest’s security is at risk, either in the physical world or online, all fingers will inevitably point to the hotel and its response systems. The bottom line is that a hotel’s protective measures are only as good as the advisers who help it address the risks it faces. So getting the right people on board is key to protection.

An edited version of this article was first published in Caterer magazine on January 16.


