Cyber Insurance: PBI's Audit & Strategy for Financial Risk Transfer - Essay Sample

Introduction

Böhme and Schwartz (2010) described cyber insurance as the transference of financial risk attributed to both computer as well as network events to a third party. As such a cyber-insurance strategy for a given firm such as PBI (Padgett-Beale Inc.) can, for example cover data destruction through such instances as breaches, property theft and loss, or liability concerns (EIOPA, 2018). Following an audit led by CBSI (CyberOne Business and Casualty Insurance Ltd), the firm determined that PBI faced data beaches which most of its operational units did not possess precise plans for addressing them, and generally the organization was considered not prepared to respond and/or prevent any major data breach efficiently. As such, the goal of this report is to offer a comprehensive evaluation of data breaches that have previously impacted PBI’s competitor, Starwood Hotels division (Marriott International) in attempting to ensure that PBI’s senior staff including middle managers can acknowledge the issues and problems ascending from legal activities faced by Marriott International (MI) in addressing a similar information breach instance. As such, the PBI requires an appropriate cyber insurance approach, particularly based on the recommendations offered in this report to ensure it implements an efficacious data response plan and policy to mitigate and manage cyber risk as noted by travelers, as well as network security associated costs (2020).

Is your time best spent reading someone else’s essay? Get a 100% original essay FROM A CERTIFIED WRITER!

Order now

Analysis

Starwood Hotels’ Types of Data Breached

The data breach incident that took place at Marriott International typically began in 2014 and discovered in 2018 (Nohe, 2019). Nohe (2019) noted that the data breach impacted approximately 500 million hotel guests and involved personal information of the visitors who had made reservations. The types of data breached during the four year period included Starwood preferred guest account data, passport numbers, email addresses, phone numbers mailing addresses, as well as the individuals’ full names. According to Marriott International (2018), the breached information further included payment card expiration dates and numbers. The harm that resulted from the breached involved a an incurred cost of approximately $3 million in addition to $25,000,000 of insurance profits associated with the information security instance revealed in late 2018 (Nohe, 2019). Moreover,

Steps that Starwood Hotels (SHs) should have taken

One of the steps that SHs should have taken to mitigate the cyber security incident include adopting and implementing a proprietary innovation like the Cyber IDEAL model that simulates the potential and probable financial effect of cyber events within the organization. According to (Bell, 2020) such a model necessitates leadership to adopt a holistic and multidimensional leadership, which is responsible for the entire business> particularly, concerning the board of directors, communication legal, compliance and general operations of the enterprise. In particular, the approach defines an organization’s risks, and determines an efficient cyber risk administrative system. The other step includes SHs should have conducted appropriate due diligence when making corporate acquisitions, along with establishing suitable liability measures to evaluate both the type of individual information acquired and how it could be legally protected (ICO, 2019).

Moreover, SHs should have conducted a careful review of its payment card statements. In this context, the organization should have evaluated and determined debit or credit card charges it did not recognize over the four-year period (Gressin, 2018). SHs should have further placed a placed a fraud alert on its credit files to mitigate the data breach incident. In reference to the contention of Gressin (2018), the fraud alert could have presented a stringent warning to creditors that the organization was probably an identity theft victim, which would have necessitated them to verify for credit using the breached information of the impacted clients of the SHs.

Penalties and Liabilities Evaluated Against Marriott International

The ICO (2019) conducted an extensive investigation concerning SHs’ 2018 reported data breach and issued a notice of fining the organization £99,200,396 for GDPR infringement. In particular, the ICO (2019) report indicated that the proposed fine was attributed to the fact that a range of private information confined in nearly 339 million client records across the world were publicly exposed by the data breach. Among these records, approximately thirty million archives were associated with citizens from thirty one nations across the EE (European Economic) region, along with 7 Million records relating to the UK residents (ICO, 2019). Best Practice Recommendations for PBI

The PBI leadership should strive hard to put additional effort on establishing a working strategic environment, which aligns with the organization’s information security realities and organizational culture.

Additionally, the firm should emphasize employees’ participation in information security awareness and training processes including forums on a quarterly basis to evaluate issues faced by the firm in addition to the contemporary data breach trends.

PBI should implement an information security policy that considers human interactions, in addition to social and personal behaviors with respect to safeguarding computer and information systems that integrate the confidentiality, as well as the presence of information transmitted and stored between end-users and it systems.

The PBI organization should ensure such processes as vendor compliance are followed to the letter. In this context, the organization should exercise due diligence when retaining business associates or third-party providers with whom sensitive data could be compromised.

The PBI should consider implementing current technologies for information protection including the use of firewalls and data encryption technologies like quantum cryptography to mitigate any data breach situation.

Finally, the PBI should champion the advancement of the association between IT (Information Technology) and business managers to motivate the protection of the firm’s technology assets accountable for safeguarding consumer data (Kongnso, 2015).

Conclusion

This paper assessed the data breach incident associated with the Marriott International firm and determined the types of data that could be breached within an organization like PBI including the guests’ account data, passport numbers, email addresses, phone numbers mailing addresses, as well as full names. The report has offered various recommendations for PBI including employees’ participation in information security awareness and training processes, a policy that considers human interactions, in addition to social and personal behaviors, as well as vendor compliance efforts, the use of firewalls and data encryption technologies and fostering an association between IT and business managers.

References

Bell, S. (2020). Cyber risk. Retrieved June 30, 2020, from https://www.marsh.com/bh/en/services/cyber-risk.html

Böhme, R., & Schwartz, G. (2010, June). Modeling Cyber-Insurance: Towards a Unifying Framework. In WEIS.EIOPA. (2018). Understanding Cyber Insurance - A Structured Dialogue with Insurance Companies (ISBN 978-92-9473-046-6 doi:10.2854/33407 EI-01-18-761-EN-N). Retrieved from Publications Office of the European Union website: https://www.eiopa.europa.eu/sites/default/files/publications/reports/eiopa_understanding_cyber_insurance.pdf

Gressin, S. (2018, December 4). The Marriott data breach. Retrieved June 30, 2020, from https://www.consumer.ftc.gov/blog/2018/12/marriott-data-breach

ICO [Information Commissioner's Office]. (2019, July 10). Statement: Intention to fine Marriott International, Inc more than £99 million under GDPR for data breach. Retrieved June 30, 2020, from https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2019/07/statement-intention-to-fine-marriott-international-inc-more-than-99-million-under-gdpr-for-data-breach/

Kongnso, F. J. (2015). Best practices to minimize data security breaches for increased business performance, 1-149. Retrieved from: https://scholarworks.waldenu.edu/dissertations

Marriott International. (2018). Original Notice from November 30, 2018. Retrieved from Marriott International website: http://starwoodstag.wpengine.com/wp-content/uploads/2019/05/us-en_First-Response.pdf

Nohe, P. (2019, May 8). Autopsying the Marriott data breach: This is why insurance matters. Retrieved June 30, 2020, from https://www.thesslstore.com/blog/autopsying-the-marriott-data-breach-this-is-why-insurance-matters/

Travelers. (2020). Cyber liability insurance. Retrieved June 30, 2020, from https://www.travelers.com/cyber-insurance