Boston: 

Catastrophe risk modeling firm AIR Worldwide estimates that the direct cyber incident losses for the Marriott breach will be between USD 200 million and USD 600 million. AIR's loss estimates are based on the assumption that 500 million records were stolen, as Marriott has reported.

 

The range of loss estimates reflects the uncertainty about the data that was stolen, e.g., while credit card data was stolen, it was encrypted; however, the encryption key itself may have been stolen as well. There is additional uncertainty, as some of these records may be duplicates. AIR Worldwide is a Verisk (Nasdaq:VRSK) business.

 

"AIR's new probabilistic security breach model shows that this type of event is not unprecedented, even though an event of this magnitude hasn't previously happened to a hotel chain," said Scott Stransky, assistant vice president and director of emerging risk modeling, AIR Worldwide.

 

"In fact, the largest recorded breach for a U.S.-based hotel chain prior to this event was less than 1/50 the size in terms of the number of records stolen. There are more than 300 simulated events in our model that cause higher losses for U.S.-based hotels."

 

AIR's loss estimates are based on an analysis performed using its Cyber Model. These estimates are subject to uncertainty and are not based on actual policy or loss data reported by Marriott. The net financial impact to Marriott will be partially mitigated by the cyber insurance and other liability insurance coverage they reportedly have, which are not accounted for in these estimated losses.

 

AIR's modeled loss estimates include:

First- and third-party losses directly related to the security breach, including notification costs, forensics, credit monitoring, replacement of credit cards, setting up a call center, and any liability covered under an affirmative cyber policy

 

AIR's modeled loss estimates do not include:

Any fines that may be levied upon Marriott, including potential fines for violation of the GDPR

D&O and other non-cyber policy related claims, reputational loss, business interruption, decrease of stock price

The impact of any insurance coverages that Marriott may use to recover their losses