The ABI said the latest data breach incident highlighted how vital cyber insurance is for all firms to have in place

Cyber insurers are looking at opportunities from what could be the biggest single cyber breach incident on record.

Catastrophe risk modeller AIR Worldwide has estimated insurance losses from the breach to be somewhere between $200m and 600m, excluding any regulatory fines.

The data breach at hotels chain Marriott International saw its hotel guest database stolen, affecting 500 million customers who made reservations spanning the UK, US and Canada.

Marriott has ramped up its security measures in response and a spokesperson told sister publication Insurance Times the ”company carries insurance including cyber insurance, commensurate with its size and the nature of its operations.”

Cyber insurers are expecting the incident to be the most expensive so far on record, with overall claim payouts potentially reaching $300m, according to the Insurance Insider.

Commentators have suggested the high-profile incident could pick up the pace of cyber insurance uptake.


Clive O’Connell, partner and head of insurance and reinsurance at McCarthy Denning said that because cyber cover is “relatively new, with each loss that occurs people are getting an idea of claims scenarios that insurers are protecting against.”

And as there are “more vagaries in cyber” due to this newness he explained three reasons why each cyber attack, although devastating, is also informative.

Firstly he said that it gives a “broader understanding of the nature of claims”, secondly “both clients and insurers are made more aware of the need for it” and lastly it assists accuracy “risk ratings” to understand whether a risk is worth taking on.

He gave the example of silent cyber where there is no reference to this protection in the policy but if an attack occurs cover is given to a specific loss. 

A spokseperson from the ABI added: “This latest incident further highlights how vital it is for all firms, regardless of their size, to do all they can to protect against the cyber threat and to consider the value of having cyber insurance protection. Whatever the size of any cyber breach, it can have a devastating impact on any business.”

What happened?

On the 8 September this year Marriott was alerted by an internal security tool about an attempt to access the Starwood guest reservation database in the US.

It discovered in November through ongoing investigations that an “unauthorised party had copied and encrypted information and took steps towards removing it.”

For 327 million hotel guests, compromised information included names, postal addresses, phone numbers, email addresses, passport numbers, dates of birth, arrival and departure dates, reservation data and communication preferences.

And for some it also includes credit or debit card information, although card numbers were encrypted.

The company is still in the process of identifying duplicate data.

In response Marriott president and chief executive Arne Sorenson said that he is “devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements” to its network.

 Marriott has taken measures in supporting guests online and via its call centre, as well as sending email notifications to affected customers. A webchat watcher has also been provided for free for a year.

Colossal scale

Adam French, a UK consumer rights expert at Which?, said that the data breach was on a “colossal scale”, of great concern to Marriott customers.

“It is vital that Marriott provides clear information on what has happened and helps anyone who has been negatively impacted,” said French.

He urged those affected to change online passwords, monitor banking and online account actvity.

“Anyone worried they could be affected should consider changing their online passwords, monitor bank and other online accounts as well as their credit report to guard against potential identity fraud. Also, be wary of emails regarding the breach, as scammers may try and take advantage of it,” he added.


The hotel has issued an apology, which said: “We deeply regret this incident happened. We fell short of what our guests deserve and what we expect of ourselves. We are doing everything we can to support our guests and using lessons learned to be better moving forward.”

In a statement released last Friday, Sorenson, said: “Today Marriott is reaffirming our commitment to our guests around the world. We are working hard to ensure our guests have answers to questions about their personal information, with a dedicated website and call center.”

He said that the firm will continue to work with security experts to improve its online protection measures.


In August, UK retailer Superdrug was held to ransom by hackers with information on a ledger of 20,000 of its customers. 

Earlier in November the World Economic Forum (WEF) named cyber attack as the “most dangerous risk” for UK businesses.