The data breach began in 2014 — two years before Marriott acquired Starwood Hotels and Resorts Worldwide — quietly leaking data for four years until it was found three years ago this week. 
While Marriott is able to recover some of the costs of the breach, the company is still paying more for the Starwood acquisition than the original $13 billion deal. In Q1 2019, data breach-related expenses hit $44 million, “netted against $46 million of insurance recoveries,” according to CFO Kathleen Oberg in an April 2019 earnings call.  
Last year, the company disclosed another data breach, impacting about 5.2 million guests. At the time, Marriott said it would rely on its cyber insurance, which is “commensurate with its size and the nature of its operations.” 
Cyber insurance usually covers the costs resulting from a cyberattack, including:
However, depending on the severity of an incident, Marriott’s insurance coverage may be insufficient “to pay the full market value or replacement cost of any lost investment or in some cases could result in certain losses being totally uninsured,” the company said in its 10-Q. The company did not return a request for comment by publishing time. 
And Marriott isn’t alone. The cost of standalone cyber insurance policies spiked 29% in 2020, according to an S&P Global Market Intelligence analysis. The cyber insurance loss ratios have climbed for three years straight, reaching a loss ratio of 73% in 2020.  
Security and privacy experts have scrutinized Marriott’s data breaches because of the type of data the hotel stores, including individual profiles of an elite class of guests, such as government officials or industry executives. The company has records of guests’ preferences, habits or travel patterns, which a bad actor could compile for secondary attacks. 
Data breaches often ignite a data retention debate: Why hold onto unnecessary data that could become a liability in a breach? 
“If you’re a person who doesn’t know where your data retention policy is for your organization, go read it and find five things in there that you don’t understand or don’t believe,” said Tarah Wheeler, CEO of Red Queen Technologies, while speaking during the virtual Gartner Security & Risk Management Summit earlier this month. Then ask “why” and “where,” she said. 
Data retention policies are the “last mile problem solution” for cyber incidents involving international threat actors who breach and steal data, according to Wheeler. Data retention policies are also the solution when companies are “looking at an issue of insurance, later audit records and demonstrating in a court of law that you abided by due care to claim on a cyber insurance policy,” she said. 