Marriott’s cyber breach spending reported to the SEC

I want to spend a bit of time on CIO Dive's reporting on Marriott International and its data breach from Nov 2018.

Per a third-quarter filing with the SEC this month, the company has spent $16 million related to recovery in the first three quarters of the year. During Q3 2021, Marriott spent $4 million related primarily to legal costs from the data breach, with nothing recouped by insurance. In Q3 2020, the hotel company received $4 million in insurance recoveries. The company also reports an increase in its cyber insurance policy.

In Q1 2019, the company noted data-breach-related expenses had reached $44M. 

Why do we care?

I specifically used Marriott in an editorial this summer to discuss the impact of breaches and noted big companies simply write checks. It’s apparently very much still true – and notably, the market doesn’t seem upset by it. I checked their stock – the trends look good to me.

For small companies, the reason to care is that a big company can absorb a whole lot more impact when the damage is viewed through that revenue-to-ransom (R2R) ratio. Ransoms are smaller for smaller companies yet have a much higher R2R ratio. When analyzing the competitive threat of cybercriminals, speak in those terms. It’s a risk calculation.