In the world of hospitality, a sound data security program is often perceived to be an unnecessary and costly endeavour – one that complicates operations and the guest experience. This mindset almost always impedes the adoption of reasonable cybersecurity practices. The slow adoption of the Payment Card Industry Data Security Standard is a good example of where the costs associated with compliance are deferred and the risk of non-compliance accepted.
It can be argued – or in this case mandated – that processes and procedures in place today will require updating. There’s little doubt that the way we run hotels today will differ with the adoption and implementation of a set of new rules generated by the U.S. Securities and Exchange Commission (SEC).
The SEC’s new cyberattack reporting rules for publicly traded companies took effect Sept. 5, 2023. With roughly a month to go before the reporting requirements begin, we wonder if the important discussion surrounding identification and communication between owners and operators has taken place.
Management companies responsible for the operations of properties owned by publicly traded portfolios, like public trusts and real estate investment trusts (REITs), now play a pivotal role in ensuring the public has been notified of all cyber anomalies in time for the board to determine if investors must be notified.
The new rules “... require companies to disclose material cyber incidents to the agency. Companies will have four business days to report the incident to the SEC once they determine it is material to the business.”
The flow of communication after an event, from alerting management, then ownership and finally the board, is a process that must be finely tuned.
Operators whose hospitality management agreement (HMA) makes them responsible for technology, including the engagement of third-party service providers, are at risk of not being able to provide timely information to the portfolio company. Under the new guidelines, this could contribute to owners failing to meet reporting requirements. It’s likely that operators will now have to employ a security officer to act as the point of contact for all breach information coming from the property and to communicate that information to ownership.
“On average, companies take about 197 days to identify and 69 days to contain a breach according to IBM.”
On the other hand, some operators have agreements with dedicated managed security providers. These are tasked with proactively managing the property’s end-to-end cybersecurity using a fully staffed and trained security operations centre (SOC). They’re also more likely to protect the properties from compromise and, at a minimum, to identify a breach and notify the operator and ownership group in enough time to meet reporting requirements.
Properties that engage single-source information technology (IT) providers are more likely to miss material events due to a lack of visibility, tools and cybersecurity experience. And that’s why the average time to identify a breach, as noted above, is 197 days.
Ownership groups will now have to task board members with responsibility for the oversight of and communication about cyber events. The key question in all of this: What is considered a material event to a given property – or the group at large?
Clearly, hoteliers will need to engage in a lot of preparation, discussions, and implementation of new procedures and controls to meet the SEC’s new guidelines.
This will undoubtedly open greater discussions between all parties, as there will be budgetary and operational impact. Additional contractual language will likely be crafted to hold operators and third-party service providers more accountable for the identification and notification of events.
It’s still a little too early to tell how these new mandates may change the owner/operator relationship. But we’re looking forward to seeing how these new procedures take shape within the unique world of hospitality.