Your Money or Your Guests: Using IT Contracts to Protect Against Ransomware
An Austrian hotel was a recent victim of a “ransomware” computer attack that disabled its electronic room key system and locked up its own computers. This demonstrates that hotel owners and managers should be sure IT agreements adequately address the risks of cyberattacks. New agreements should cover the risks, and existing agreements should be reviewed to determine whether they still provide the necessary protection.
In a database breach, criminals break in, steal, and then sell hotel guest credit card numbers. Ransomware is different. With an earlier, but still used, form of ransomware, criminals use attack viruses to break in, but leave the data in place and render it and IT systems inaccessible until the hotel pays “ransom” to get back its own data and systems. With a newly-developed second type of ransomware, the data is both locked up and encrypted. Recovery from this requires “buying” a specific decryption key from the criminals.
With ransomware, the pressure point is a hotel full of guests. The computer system needs to be unlocked quickly so guests receive hotel services in real-time. Third party IT vendors can cause the pressure point because the software and computer systems they run for the hotel often provide the gateway for ransomware attacks. IT contracts that require too little of vendors increase this risk, and the technology risk is accompanied by the risk of regulatory action, monetary liability and class actions. Up-to-date IT agreements impose vendor obligations and provide remedies for the hotels that are commensurate with increased sophistication of ransomware attacks.
The first step hotel owners and managers should take is a review of existing IT agreements to determine if the technology that the vendors are required to use provides sufficient protection. In addition, the existing contract may have been designed for data breaches but not for ransomware. Moreover, the indemnity may exclude coverage for ransomware, and the limitation of liability may provide a cap that is insufficient to cover ransomware damages and expenses. These limitations may not provide the necessary incentive for the vendor to upgrade its technology.
Existing agreements should be renegotiated to close the gaps identified above, and if the incumbent vendor does not have the right technology or skills, then a new vendor and a new agreement may be required. To thwart ransomware attacks, contracts should require vendors to use the requisite IT to
- (1) immediately quarantine ransomware and take the affected computers offline, and then enable a fully functional substitute part of the IT system to go into operation to provide continuity of service;
- (2) use advanced backup systems to ensure that data can be restored almost immediately with little or no disruption in IT operations even if another set of the same data is locked up and encrypted by ransomware; and
- (3) conduct technical audits to verify its contractual compliance periodically during the term.
Ransomware insurance is becoming available, but generally only if the hotel earns a high grade on a cybersecurity test. Accordingly, IT agreements should include contract provisions requiring vendors to meet or exceed the threshold grade necessary for hotels to obtain and maintain insurance coverage. In summary, hotels will only get what they measure in IT agreements, and the contracts should provide the right requirements for offensive and defensive ransomware protection.