The recent Marriott International settlement over multiple cybersecurity breaches offers crucial insights for association executives.
For those of us who serve as stewards of member data and organizational assets, this case presents a compelling wake-up call for our industry.
Consider this.
Marriott’s breaches exposed the personal data of 500 million customers globally – a number that dwarfs most associations’ membership bases, yet underscores a universal truth: size doesn’t matter when it comes to cybersecurity vulnerability.
What’s particularly noteworthy is that one of the major breaches originated in a subsidiary (Starwood Hotels) before Marriott’s acquisition, highlighting the critical importance of cybersecurity due diligence during mergers and partnerships.
The settlement’s relatively modest fine – representing just 1.6% of Marriott’s annual profits – might seem inconsequential for a global giant. However, for associations operating on tighter margins, a similar breach could prove catastrophic.
Beyond immediate financial penalties, the reputational damage and loss of member trust could have long-lasting implications for membership retention and recruitment.
The timeline of events is particularly relevant to association leaders:
Marriott detected a breach in 2018 that occurred in 2014, suggesting a significant gap in their security monitoring capabilities. This delay in detection and subsequent three-month wait before public disclosure raises essential questions about incident response protocols and transparency obligations.
Key Questions Every Association CEO Should Ask:
- Due Diligence
  - Have we conducted a comprehensive security audit of all our technology systems, including those from merged organizations or third-party vendors?
  - What is our process for evaluating the cybersecurity practices of potential partners or vendors before integration?
- Incident Response
  - Do we have a clearly defined incident response plan that includes communication protocols for members and stakeholders?
  - How quickly could we detect and respond to a data breach?
- Resource Allocation
  - Is our cybersecurity budget proportionate to the potential risks and costs of a breach?
  - Are we investing in both technology and staff training to prevent and respond to security threats?
- Insurance and Legal Compliance
  - Does our cyber insurance coverage adequately protect us against both immediate and long-term breach consequences?
  - Are we fully compliant with current data protection regulations in all jurisdictions where we have members?
- Leadership Responsibility
  - Who in our leadership team owns cybersecurity risk management?
  - How often does our board review and update our cybersecurity policies and procedures?
The Marriott case serves as a reminder that in today’s digital landscape, cybersecurity isn’t just an IT issue – it’s a leadership responsibility that demands ongoing attention and investment.
For association executives, the question isn’t if a cyber incident will occur, but when – and how prepared we’ll be to handle it.