Insights

The Marriott Data Breach

Lessons Learned For Boards

Marriott International recently announced that it was the victim of one of the largest data breaches ever reported.

Based on their disclosures, the private information of up to 500 million Marriott customers was stolen via a sustained compromise of the network that apparently started four years ago. Marriott has now joined the league of largest companies in the world having systems breached and customer information compromised, a peer group that includes Yahoo, Target, Facebook, Equifax, eBay, Sony, and Home Depot, among many others. To put things in context, in the first half of 2018, a staggering 4.5 billion records were compromised worldwide.

If you sit on the board of a company, or are part of the executive management team, this latest hack is yet another reminder that cyber risk needs to be at the top of your agenda. This data breach should lead you to ask some particularly hard questions about your company’s cyber preparedness, and cyber risk appetite. Specifically, you should ask whether your control environment is in alignment with the level of risk you believe you have accepted. You are likely to discover you are not where you thought you were.

Our paper helps organizations to evaluate their cyber exposure and develop response plans and protocols—before it’s too late.

The cost for a data breach involving 50 million records is estimated to be around $350 million dollars.
Ponemon Institute, 2018 Cost of a Data Breach Study
CYBER LESSONS LEARNED: Answers 6 Questions
  • 1IF THEY WANT TO, THEY WILL GET IN

    Adopting active defense efforts, accompanied by maintaining sound network hygiene, will make it increasingly difficult for attackers to gain access and establish undetected persistent presence in your network.

  • 2THE MOTIVATION AND INTEREST OF HACKERS VARY

    It is critical that you think like a hacker when performing an evaluation of the data assets your company holds and how attractive they might be.

  • 3INSURANCE NEED TO ADEQUATELY COVER THE SCALE AND SHAPE OF THE CYBER RISK

    Organizations need to evaluate their cyber risk exposure through a structured data-driven approach in order to identify what type of losses, beyond availability and destruction, across the various scenarios they want to and can be insured against.

  • 4PLAN FOR A CYBER EVENT, THEN DRILL AND TEST

    Corporations should have cyber response plans and protocols in place that consider how management will respond, communicate (internally and externally), recover from and assess the impact of a large scale cyber-attack.

  • 5FOCUS ON CRITICAL BUSINESS PROCESSES

    By following the process steps that your people take to do their work, a significant amount of hidden cyber risk can be identified that cannot be found through other means.

  • 6DON'T TREAT CYBER AS AN AFTERTHOUGHT

    Organizations need to adopt a “security first” principle to ensure that cyber risk considerations are integrated into all tactical and strategic business decisions—whether it is about the implementation of new business processes, the deployment of new customer-facing technology, or the acquisition of new businesses.

Your cyber team needs to be successful 100% of the time. A hacker only needs to be successful once.

YOU ARE NEVER DONE

New technical vulnerabilities are discovered every day, every business process change can create unintended process vulnerabilities, and every new worker in your organization is increasing the cyber risk exposure that needs to be managed.

We expect cyber risk to stay pinned on the agendas of board risk committees. The key is to not let your guard down, actively defend, and continue to challenge the organizations you are responsible for to think way out of the box—the bad guys certainly are.

The Marriott Data Breach: Lessons Learned for Boards


READ OUR REPORT

BEHIND THE REPORT

Our conversation with Paul Mee

Partner and Head of Cyber Risk Management, Financial Services