AIR Estimates Losses for the Marriott Breach Between $200M-$600M

Catastrophe risk modeling firm AIR Worldwide estimates that the direct cyber incident losses for the Marriott breach will be between $200 million and $600 million. AIR’s loss estimates are based on the assumption that 500 million records were stolen, as Marriott has reported. The range of loss estimates reflects the uncertainty about the data that was stolen: for example, the credit card data that was stolen was encrypted, but the encryption key itself may have been stolen as well. There is additional uncertainty, as some of these records may be duplicates. AIR Worldwide is a Verisk business.

Source: AIR Worldwide | Published on December 20, 2018

“AIR’s new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn’t previously happened to a hotel chain,” said Scott Stransky, assistant vice president and director of emerging risk modeling, AIR Worldwide. “In fact, the largest recorded breach for a U.S.-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for U.S.-based hotels.”

As of December 8, 2018, Marriott has shared the following information on its website: On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred. Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information and taken steps toward removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

AIR’s loss estimates are based on an analysis performed using its Cyber Model. These estimates are subject to uncertainty and are not based on actual policy or loss data reported by Marriott. The net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverage it reportedly has, which is not accounted for in these estimated losses.

AIR’s modeled loss estimates include:
• First- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy

AIR’s modeled loss estimates do not include:
• Any fines that may be levied upon Marriott, including potential fines for violation of the GDPR
• D&O and other non-cyber policy related claims, reputational loss, business interruption, decrease of stock price
• The impact of any insurance coverages that Marriott may use to recover its losses

About AIR Worldwide

AIR Worldwide (AIR) provides risk modeling solutions that make individuals, businesses, and society more resilient to extreme events. In 1987, AIR Worldwide founded the catastrophe modeling industry and today models the risk from natural catastrophes, terrorism, pandemics, casualty catastrophes, and cyber incidents. Insurance, reinsurance, financial, corporate, and government clients rely on AIR’s advanced science, software, and consulting services for catastrophe risk management, insurance-linked securities, longevity modeling, site-specific engineering analyses, and agricultural risk management. AIR Worldwide, a Verisk business, is headquartered in Boston, with additional offices in North America, Europe, and Asia. For more information, please visit www.air-worldwide.com.