When Insurance Won't Save Your Reputation: A Letter to Hotel Leaders
After securing 450 hotels, I've learned that when ransomware hits, everyone discovers the same brutal truth: insurance covers the ransom, not the reputation you spent decades building.
Former Multi-Property IT Director & EMEA Security Leader, Marriott International
Last month, I sat across from a GM who'd gone through every hotelier's nightmare. His property, a flagship convention hotel, had been dark for six days. Not a power outage. Not a renovation. RANSOMWARE.
"The insurance covered the ransom," he told me, staring at his coffee.
"But it didn't cover the association that moved their annual conference to our competitor. Twenty years of relationship-building, gone."
He paused. "It didn't cover my name being whispered at every industry event."
The Reality We Don't Discuss at Brand Meetings
The hospitality industry suffered devastating attacks in 2024-2025. MGM Resorts lost $100 million when their systems went down. Guests couldn't use digital room keys, couldn't make restaurant reservations, couldn't even charge their phones in their rooms. InterContinental Hotels Group watched hackers destroy their backup data "for fun" after failing to deploy ransomware. Study Hotels had their payroll, guest data, and financial records held hostage.
Every one of these properties had insurance. Every one had an IT Support Team managing their technology. Every one thought they were protected.
What they discovered is what you need to know: In our industry, a data breach isn't just an IT problem. It's a death sentence for the relationships that define our success.
Why Your Property Is More Vulnerable Than You Think
I've spent years implementing business continuity plans across Europe, the Middle East, and Africa, including during Euro 2024 and the Paris Olympics, when the whole world was watching. Here's what keeps me awake at night about our industry:
- We're always open. Banks can shut down for maintenance. We serve guests 24/7/365. Criminals know we'll pay ransoms quickly because we can't afford to be closed.
- We're trust businesses masquerading as real estate. When corporate travel managers learn you've exposed their executives' travel patterns, they don't send a complaint. They send a termination notice. When wedding planners discover you lost their clients' room blocks, they don't ask for compensation. They never book with you again.
- We're interconnected beyond comprehension. Your PMS talks to door locks, restaurant systems, loyalty programs, revenue management, channel managers, payment processors. One breach cascades through everything. The criminals know this. Do you?
The Questions That Reveal Truth
In my experience training hundreds of hotel teams to operate without systems, I've learned that five simple questions expose whether a property will survive or surrender:
To your IT Support Team:
1. "Show me the list of critical systems being backed up, where you're backing them up, and how often."
Most GMs discover their "comprehensive backup" misses the door lock system, the spa booking platform, or the restaurant POS. The backup exists, but it's useless when you need it most.
2. "If our systems were compromised right now, how long until we're checking in guests normally?"
Watch their face. If they say "2-4 hours," ask: "When did you last test a full restoration?" The silence tells you everything.
To your operations team:
3. "Pull up our complete arrivals list for tomorrow, but you can't use the PMS."
Can they do it in under five minutes? If not, imagine 200 guests in your lobby while your team scrambles for information that no longer exists.
4. "Where do you keep the printed downtime procedures, manual check-in forms, and credit card authorization slips?"
If the answer involves any computer, cloud drive, or system, you're not prepared. When ransomware hits, you can't Google your emergency procedures.
5. "Show me how we'd process a walk-in Diamond member if all systems were down."
The best properties can do this smoothly. Most can't even find a registration card.
What "Prepared" Actually Looks Like
I've built disaster recovery programs for properties hosting world leaders and Olympic athletes. The difference between hotels that survive and those that surrender isn't technology; it's muscle memory.
Properties that thrive despite ransomware share three characteristics:
1. They drill like their reputation depends on it
"We're too busy to practice" is exactly when you should test. I've made hotels run full manual operations during sold-out convention weeks. The teams that complained the loudest thanked me the most when real attacks hit their competitors. Disasters don't schedule appointments around your occupancy.
2. They keep paper where it matters
Tomorrow's arrivals. VIP preferences. Authorization forms. Emergency contacts. Downtime procedures. All printed, all updated, all locked in the GM's office. Old-fashioned? Ask the GM who checked in 400 guests while his competitors turned them away.
3. They own their recovery destiny
The 3-2-1-1-0 backup rule isn't just IT jargon. It's survival:
- 3 copies of your data
- 2 different types of storage
- 1 completely offline
- 1 unchangeable (immutable) backup
- 0 errors when you test recovery
Most importantly: Someone on property knows how to use it without calling the IT Support Team.
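An added example, not part of the original letter: a small Python audit that checks a backup inventory against the 3-2-1-1-0 rule above and also flags any critical system that is missing from the inventory entirely, the gap the first question to the IT Support Team is meant to expose. The system names, record fields and sample inventory are constructed for illustration, and the inventory is assumed to list every copy of the data, the live one included.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Copy:
    media: str               # storage type: "disk", "tape", "cloud", ...
    offline: bool = False    # disconnected from the network
    immutable: bool = False  # cannot be changed or deleted during retention

@dataclass
class SystemBackups:
    copies: List[Copy] = field(default_factory=list)  # every copy, live data included
    restore_errors: Optional[int] = None  # errors in last recovery test; None = never tested

def audit(entry):
    """Return the 3-2-1-1-0 violations for one system (empty list = compliant)."""
    if entry is None or not entry.copies:
        return ["not backed up at all"]
    issues = []
    if len(entry.copies) < 3:
        issues.append("fewer than 3 copies")
    if len({c.media for c in entry.copies}) < 2:
        issues.append("fewer than 2 storage types")
    if not any(c.offline for c in entry.copies):
        issues.append("no offline copy")
    if not any(c.immutable for c in entry.copies):
        issues.append("no immutable copy")
    if entry.restore_errors is None:
        issues.append("recovery never tested")
    elif entry.restore_errors > 0:
        issues.append("recovery test had errors")
    return issues

def audit_property(critical_systems, inventory):
    """Audit every critical system, including ones missing from the inventory."""
    return {name: audit(inventory.get(name)) for name in critical_systems}

# Constructed sample data: system names and copies are illustrative only.
CRITICAL = ["pms", "restaurant_pos", "door_locks"]
INVENTORY = {
    "pms": SystemBackups(
        [Copy("disk"), Copy("tape", offline=True), Copy("cloud", immutable=True)],
        restore_errors=0),
    "restaurant_pos": SystemBackups([Copy("disk"), Copy("disk")]),
}

if __name__ == "__main__":
    for name, issues in audit_property(CRITICAL, INVENTORY).items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

Driving the audit from the list of critical systems rather than from the backup inventory is what surfaces a system such as the door locks that nobody ever added to the backup job.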
The Moment of Truth
Every GM, owner, and management company executive faces a choice. You can continue believing that insurance and your IT Support Team will save you. You can hope that criminals will target your competitor instead. You can assume your brand's reputation will protect you from guest anger.
Or you can accept what I've learned from protecting 450 properties: When the screens go dark, you'll discover that insurance pays for the ransom, not for:
- The corporate contracts that never return
- The management company that finds a new operator
- The owner who marks your portfolio as damaged goods
- The TripAdvisor reviews that haunt you for years
- The industry reputation that took decades to build
A Personal Note
I've secured hotels during high-profile events including the Paris Olympics 2024, Euro 2024, Abu Dhabi Grand Prix 2024 and many more I can't write about on here, protected properties during international incidents, and trained teams who now sleep soundly knowing they can operate with or without technology. But I've also held the hands of colleagues who lost everything, not to the criminals, but to the aftermath.
The difference between them and the survivors? The survivors asked uncomfortable questions before disaster struck, not after.
You've invested decades building your reputation. You've earned every star in your rating, every loyalty member in your database, every corporate account that trusts you with their people.
Don't let a criminal with a laptop destroy what you've spent a lifetime creating.
The best time to prepare was yesterday.
The second best time is today.
Protect Your Reputation Before It's Too Late
Get a free 30-minute cybersecurity readiness assessment. I'll evaluate your property's preparedness and show you exactly what needs to be fixed before disaster strikes.
Daniel secured 450+ hotels across Europe, Middle East & Africa as Marriott's Multi-Property IT Director and Continental Security Leader, securing high-stakes events like Euro 2024 and Paris Olympics. Beyond opening 7 hotels from scratch, he specializes in the dual challenge every GM faces: maintaining enterprise-level security while eliminating IT waste. His systematic approach consistently delivers 15-35% cost reductions without compromising protection, proving you don't have to choose between security and savings.