Moderated by Mark Stephens, the panel of experts comprised Nick Francis (specialising in IT security architecture), Richard Hodson (an experienced broker of cyber insurance), Al Loehnis (a recognised authority on PR to the tech sector) and our own Rob Lands (head of IP and tech and partner in our hotel practice).
Positive about privacy – why you need a CTO (and a plan)
They explored the sequence of events leading up to and following a cyber security incident in the hospitality space. Mark reported that hospitality has the second-largest number of cybersecurity breaches after the retail sector. Last year hospitality was the third-most targeted industry after retail and finance – for most hotels, it is a question of "when" rather than "if" a cyber incident will occur.
From a technical point of view, Nick explained how crucial it was to have technical knowledge at a senior level within the organisation to understand what the hotels' systems are and how they work. Better technology can help, but only if backed up by training, good IT hygiene and discipline within the hotel and its supply chain.
As regards cyber risks, hotel owners' property insurance or business interruption insurance probably won't cover them, although cover is generally available as a standalone policy. Richard cautioned that even if hoteliers check (as they should) to ensure compliance with the policy conditions, it probably won't be sufficient. Cyber incident prevention should be treated like a hotel's fire precautions – with preventive measures, alarms, a risk assessment and regular rigorous tests of the safety equipment.
A "good response" to an incident – supported by good PR – could neutralise the reputational damage of an incident or even enhance reputation. Al echoed Nick's view – that there needs to be technical understanding at board level through a CIO or CTO. Although planning and simulation for incidents cannot cover every angle, that preparation creates the "muscle memory" to respond in the face of uncertainty.
Rob recommended carefully thought-through policies and procedures. Thinking through a strategy for business continuity and recovery will drive engagement of staff and improve their understanding. Not all incidents are notifiable; Rob cautioned that advice should be taken as soon as possible when an incident is discovered, and warned against reflexively notifying or going public when an incident occurs.
The next Early Check-In event is at Howard Kennedy on 19 September 2019 and will explore recent developments in hotels' operating models.