Cybersecurity and digital threats were a hot topic at ALIS Law, a conference for hotel owners and operators, in Los Angeles last month. I had a pleasure of moderating a session on “threats in a digital world” with senior executives from national hotel management and ownership groups. In our session, we discussed what were some of the pressing and most concerning digital threats that kept the hospitality industry up at night. Here are some highlights and take-aways from the session:
- Cybersecurity and hacks from foreign and domestic threats remain a top concern. Many hotels have been engaging in surveillance as one method of cyber protection. It was noted how much the investment in technology to prevent, address, and respond to cybersecurity issues has increased for both owners and operators. While owners may bear the cost on their profit & loss statement, and management companies are putting in policies, owners are adding property specific monitoring. It was discussed that one global hotel company, Hyatt Hotels, recently announced a bug bounty program whereby they will be paying ethical hackers to monitor their systems, including mobile applications, for potential risks and where credible risks or threats are found – the hackers will be compensated – which is a novel approach in the hospitality industry.
- While cybersecurity threats have been a focus, one repeated concern is the threat of harm to a hotel’s reputation due to guests and third parties spreading false information on social media sites, such as LinkedIn, Yelp, and Trip Advisor. To address these concerns, hotel operators talk with their teams daily about the consequences of false information or a bad review and take steps to remove false reviews if possible. Others noted that removing a false review from a site like Trip Advisor can be challenging unless the company is able to prove that the review was posted for criminal reasons or demonstratively false.
- One consequence of a cybersecurity hack beyond the disclosure of guest information is if a hacker was able to secure personal identifiable information of a hotel company’s investors and borrowers. If investors are concerned that a hotel company is not protecting their highly confidential and personal financial information, that would have a significant impact on the reputational harm to the company.
- Some of the best practices that owner and operators have put into place is an incident response plan to respond to a threat. In doing so, a key question is who you need at the table to decide how to move forward (IT / GC / PR / Owner) and what elements do you need to put into place. In addition, implementing policies and procedures on the front end is critical. For example, from an accounting perspective, having controls in place that can protect where the money is going and where it is coming from and ensuring that there are multiple approvals before money is sent out electronically. Finally, training staff on the policies and procedures so that the right people are getting the right information. Managers need to judge and reward staff for compliance with the policies because while a company continue to monitor and audit, training is only effective if compliance is monitored. For example, one company reported conducting more secret shoppers to determine whether someone can drop a flash drive into a front desk computer to tap into the network.
Unfortunately, cybersecurity risks and threats are not going away anytime soon, but with planning and focus on this important issue, hotel owners and operators can get ahead of some of the threats and take control and strong action if a risk materializes.