Today · Jun 15, 2026
Your Generator Won't Run the AC. That's a Problem at 105 Degrees.

Southern grid operators are issuing emergency alerts this week as heat demand pushes past capacity, and most hotel generators are sized for life-safety systems, not guest comfort. The gap between what your backup power covers and what your guests expect is about to become very visible.

Available Analysis

I worked with a chief engineer once... quiet guy, 20-something years in the business... who kept a laminated card taped to the inside of the generator room door. It listed exactly what ran on backup power and exactly what didn't. He made every new GM read it on day one. "Because when the lights go out," he told me, "nobody remembers what the generator covers until they're standing in a 95-degree lobby full of guests asking why the air conditioning just died." Most of them were shocked at how short that list was.

That card is what I keep thinking about this week. Duke Energy just got a federal emergency order allowing them to run power plants past their emissions limits to keep up with demand. ERCOT in Texas is forecasting peak demand above 92 gigawatts... a record. Heat index values across a corridor from Texas to the Carolinas are pushing 106 degrees. This is not a forecast problem. This is a right-now problem. And the thing that should keep every GM in the Southern half of the country up tonight is this: your generator almost certainly cannot run your HVAC. It runs your emergency lighting, your fire suppression, your elevators, maybe your PMS server. It does not run the system that accounts for 50-60% of your total electrical load. So when that rolling blackout hits at 3 PM during your check-in rush... you have a building full of people, a lobby that's climbing past 90 degrees, electronic door locks that may or may not have recovered cleanly, and a front desk team that has never drilled for this scenario. That's not an inconvenience. That's a safety liability and a reputation event rolled into one afternoon.

Here's what makes this different from the generic "be prepared for summer" advice you've heard a hundred times. The grid is structurally more fragile than it was five years ago. Population growth, data centers, crypto mining facilities... they've all piled onto infrastructure that was already aging. The 2003 Northeast blackout data is instructive and terrifying: 98% of affected hotels lost air conditioning, 89% lost computers and cooking systems, 88% lost elevators. Eighty-five percent of hotels with generators maintained power to their critical systems. But "critical systems" and "guest comfort systems" are two very different lists, and nobody in that lobby cares about the distinction. They care that it's 100 degrees in their room and the ice machine is dead.

The financial angle here is real and it's hiding in plain sight. Hotels spend an average of $2,196 per available room per year on energy. HVAC is more than half of that. Demand response programs... where your utility pays you to reduce load during peak events... can cut 10-15% off your summer energy costs. Marriott ran a program across 264 properties with projected savings of $9.9 million over five years. Some utilities offer $50 per kilowatt of demand reduction. That's not pocket change for a 200-key property. But enrollment requires advance setup, and if you haven't signed up yet, you're leaving real money on the table while also carrying the full risk of a grid event you have no buffer against.

And then there's the labor piece that nobody wants to talk about until somebody gets hurt. Your valet staff, your pool attendants, your maintenance crew working the loading dock or the roof... OSHA heat illness standards require water, rest, and shade, and enforcement is tightening. One heat-related incident involving a hotel employee this summer in Texas or Florida or Georgia, and you're looking at a workers' comp claim, an OSHA investigation, and a local news story that will do more damage to your employer brand than anything your competitors could cook up. The cost of shade structures and hydration stations and adjusted break schedules is trivial compared to the cost of getting this wrong. This is one of those things where the Invisible P&L is working against you... the expense of prevention never shows up as a line item, but the cost of failure will eat you alive in ways that don't hit the P&L until it's too late to do anything about them.

Operator's Take

If you're running a property anywhere from Texas to the Carolinas, here's what you do this week... not next month, this week. First, pull your generator load sheet and know exactly what it covers. If you don't have a laminated list on the generator room door, make one today and make sure your MOD, your front desk leads, and your chief engineer can recite it from memory. Second, call your utility company Monday morning and ask about demand response enrollment. Even if you can't get into a program this week, you need to know what's available for the rest of the summer. Third, run a power failure drill with your front desk team. Not a tabletop exercise... an actual walkthrough of what happens when the PMS goes down, the key system reboots, and you've got 40 arrivals standing in a lobby with no air conditioning. Who does what, in what order, with what tools. Fourth, audit your outdoor staff exposure right now. Water stations, shade, mandatory break schedules, a thermometer someone actually checks. An OSHA heat citation starts at $16,131 per violation. A hospitalization makes that look cheap.

Source: CNN
The Washington Hilton Just Got Shot Up Again. Hotels Still Can't Solve This Problem.

A gunman charged a Secret Service checkpoint at the Washington Hilton during the White House Correspondents' Dinner, and the 1981 Reagan shooter is now giving security advice on social media. The real question for hotel operators isn't whether your property is a target... it's whether your security plan survives first contact with an actual threat.

So the same hotel where a president got shot in 1981 just had another gunman show up with a shotgun, a handgun, and multiple knives during the biggest political dinner of the year. And John Hinckley Jr.... the guy who shot Reagan at that exact property 45 years ago... is now publicly calling the hotel "not secure" and saying they should stop hosting major events. We live in strange times.

Look, I'm a technology guy. My instinct is to evaluate this through the lens of systems, access control, surveillance architecture, threat detection. And there IS a technology story here. But the more I thought about it, the more I realized the technology angle is almost a distraction. The Washington Hilton had the Secret Service running security. Metal detectors. Checkpoints. Credential verification. The most sophisticated physical security apparatus available in the United States. And a 31-year-old guy still got close enough to hit an agent in the vest before being stopped. The system worked (nobody died), but it worked at the last possible moment... the human equivalent of a system catching an error in production instead of in testing. That's not a success story. That's a near-miss report.

Here's what actually matters for hotel operators. The suspect was a registered guest. He had a room. He brought weapons into the building the way any guest brings luggage... through the front door. Every access control system, every surveillance camera, every AI-powered threat detection platform I've evaluated in the last three years has the same fundamental vulnerability: a credentialed person inside the perimeter is trusted by default. Hotels aren't airports. You don't X-ray luggage at check-in. You don't wand guests walking through the lobby. The entire hospitality model is built on the assumption that the person with a room key belongs there. That assumption is the attack surface, and no amount of technology patches a philosophical vulnerability. I talked to a security consultant last year who put it bluntly: "The hotel's product IS access. You can't sell access and restrict access at the same time. That's the whole problem."

The technology that exists today... gunshot detection sensors, AI-driven behavioral analytics, weapons detection portals that look like regular doorframes... works in controlled environments. Convention centers. Stadiums. Places where everyone enters through the same chokepoint and nobody expects to feel at home. Hotels are the opposite. Multiple entrances. Service corridors. Parking garages. Guest room floors accessible by elevator. You'd have to fundamentally redesign the building to create the kind of security envelope that a high-profile event demands, and most properties (including the Washington Hilton, which was built in 1965) weren't designed for that. The suggestion floating around that venues should "buy out the entire hotel" for events like this is the only honest answer I've heard... and it's economically insane for anything short of a presidential appearance.

What's actually going to change? Insurance requirements will tighten for properties hosting large-scale events. Event contracts will include more specific security obligation language. Some hotel groups will invest in weapons detection systems for ballroom-level events (expect $150K-$400K per installation depending on throughput requirements, plus ongoing maintenance). But the fundamental tension... hospitality means openness, security means restriction... doesn't get resolved by technology. It gets managed by people making judgment calls at 2 AM with incomplete information. Which, honestly, is the same problem every hotel technology is supposedly solving and none of them fully do.

Operator's Take

Let me be direct. If your property hosts events north of 500 attendees, pull your event security protocols this week and read them like you've never seen them before. Most of what's in there was written for liability coverage, not for an actual armed threat scenario. Two things to do right now: First, walk your building with your chief engineer and identify every unsecured entry point... service doors, loading docks, stairwell access from parking structures. You'll be surprised what you find propped open with a doorstop at 6 AM. Second, call your insurance broker and ask specifically what your event liability coverage looks like if a weapon enters through a guest room, not through the event entrance. That's the scenario nobody's underwriting correctly. This isn't about buying a $300K detection system. This is about knowing your building better than anyone who walks into it with bad intentions.

— Mike Storm, Founder & Editor
Source: Google News: Hilton
A Guest Booked a Room Three Weeks Early. Then He Opened Fire at the Washington Hilton.

The DOJ's case against the White House Correspondents' Dinner shooter reveals a security gap every hotel operator needs to understand: a registered guest used his room key to bypass the outer perimeter entirely. The technology implications go deeper than any press release will tell you.

So here's what actually happened. A guy books a room at a major hotel three weeks before one of the highest-profile events in the country. He travels cross-country by train with a shotgun, a pistol, and three knives. He checks in, goes through normal guest entry, and because he's a registered guest... he's already inside the security perimeter when he decides to charge a Secret Service checkpoint with a loaded 12-gauge.

Let me say that again. His room reservation was his access credential.

Look, I think about hotel technology through the lens of what happens at 2 AM when one person is running the building. But this is a different version of the same question: what happens when your property management system, your key card infrastructure, and your access control are all treating "registered guest" as a single trust level... and one of those guests is carrying weapons into a building that's simultaneously hosting the President of the United States? The PMS checked him in. The key system gave him access. The elevator took him to his floor. Every system worked exactly as designed. That's the problem.

The technology gap here isn't exotic. It's structural. Most hotel access systems operate on a binary: guest or not-guest. You have a reservation, you get a key, the key opens doors. There's no middle layer that says "this guest is in the building during a Secret Service-protected event, flag for secondary screening." There's no integration between the PMS and event security protocols that would trigger when a guest checks in the day before a high-profile function. The building's own systems treated him identically to a tourist visiting the Smithsonian. I've consulted with hotel groups on access control and the conversation almost always stops at "does the guest have a valid key?" Nobody asks what else that key might enable.

Here's where this gets real for operators beyond the Washington Hilton. If your property hosts events... conferences, political fundraisers, corporate retreats with executive protection... your current tech stack has this exact blind spot. Your PMS doesn't talk to your event security vendor. Your key card system doesn't have conditional access logic based on building status. Your front desk team has no protocol trigger that connects "high-security event on the second floor" with "guest checking into room 417." These are separate systems built by separate vendors who have never sat in a room together and asked "what happens when a registered guest is the threat?" I talked to a security integrator last year who told me flat out that hotel access control is 15 years behind commercial office buildings. Office towers have had tiered credentialing... different access levels for tenants versus visitors versus delivery... for over a decade. Hotels are still running on "valid key equals full access." That's a 1990s architecture being asked to handle 2026 threat profiles.

The policy response is already predictable. The Secret Service will review protocols. There'll be talk of enhanced screening for registered guests during protected events. Maybe a mandate from the major brands about event security coordination. But the actual fix is a technology problem. It requires PMS systems that can flag event-coincident check-ins, access control that supports conditional credentialing, and integration layers that let security teams see the guest roster in real time against the event calendar. None of that exists as a standard product today. And until someone builds it (or a brand mandates it, which means someone builds it fast and badly), every hotel hosting a high-profile event has the same vulnerability that a guy from California exploited with nothing more sophisticated than a three-week-old reservation.
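An added sketch of the two missing pieces described above (it is not code from the article or from any PMS or lock vendor): a roster-versus-calendar check that flags event-coincident stays, and a conditional access decision shown beside the "valid key equals full access" model. All class names, zone names, guest IDs and dates are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Reservation:
    guest_id: str
    arrival: date
    departure: date
    screened: bool = False  # set by the security team after secondary screening


@dataclass(frozen=True)
class ProtectedEvent:
    name: str
    start: datetime
    end: datetime
    restricted_zones: frozenset
    lead: timedelta = timedelta(hours=6)  # assumed: perimeter goes up before doors open

    def window(self):
        """Period during which the restricted zones need more than a room key."""
        return self.start - self.lead, self.end


def key_valid(res, at):
    """The only question the legacy model asks: is this key inside its stay dates?"""
    return res.arrival <= at.date() <= res.departure


def binary_decision(res, zone, at):
    """Legacy model: a valid key opens every guest-accessible zone."""
    return "allow" if key_valid(res, at) else "deny"


def flag_event_coincident(reservations, events):
    """Compare the guest roster with the event calendar and list overlapping stays."""
    flagged = []
    for ev in events:
        w_start, w_end = ev.window()
        for res in reservations:
            # Inclusive interval overlap: the guest is in house on any window day.
            if res.arrival <= w_end.date() and res.departure >= w_start.date():
                flagged.append((res.guest_id, ev.name))
    return flagged


def conditional_decision(res, zone, at, events):
    """Tiered model: a valid key is necessary, but not sufficient, for restricted zones."""
    if not key_valid(res, at):
        return "deny"
    for ev in events:
        w_start, w_end = ev.window()
        if w_start <= at <= w_end and zone in ev.restricted_zones and not res.screened:
            return "hold_for_screening"
    return "allow"


# Constructed sample data (not taken from any real property or incident).
EVENT = ProtectedEvent(
    name="gala",
    start=datetime(2026, 9, 12, 18, 0),
    end=datetime(2026, 9, 12, 23, 0),
    restricted_zones=frozenset({"ballroom_level", "ballroom_elevator"}),
)
ROSTER = [
    Reservation("G-1001", date(2026, 9, 11), date(2026, 9, 13)),
    Reservation("G-1002", date(2026, 9, 5), date(2026, 9, 8)),
    Reservation("G-1003", date(2026, 9, 12), date(2026, 9, 14), screened=True),
]

if __name__ == "__main__":
    during = datetime(2026, 9, 12, 19, 30)
    print(flag_event_coincident(ROSTER, [EVENT]))
    for res in ROSTER:
        print(res.guest_id,
              binary_decision(res, "ballroom_level", during),
              conditional_decision(res, "ballroom_level", during, [EVENT]))
```

The flagged list is what a security team would review before the event; the decision function is what a door controller would evaluate at each badge read.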

Operator's Take

If your property hosts any event requiring executive protection or law enforcement coordination... political, corporate, whatever... you need to have a conversation this week with your security vendor and your PMS provider about event-triggered guest screening protocols. Not next quarter. This week. Because the liability question just changed. Ask your PMS rep one question: "Can your system flag check-ins that coincide with a protected event in the building?" If the answer is no (and it will be), document that you asked. Document the date. If you're running a property that regularly hosts high-profile events, get your insurance broker on the phone and ask whether your current GL policy accounts for a scenario where a registered guest is the security threat. The answer matters. And if you're an independent without a brand security team behind you... start building a relationship with local law enforcement now, before you need it. The guy who brings this to his owner with a plan is the guy who looks like he's running the building.

— Mike Storm, Founder & Editor
Source: Google News: Hilton
Disney's Contemporary Resort Deaths Aren't a Disney Problem. They're Your Problem Too.

Multiple deaths at a Disney World hotel have triggered infrastructure changes and uncomfortable questions about guest safety protocols. If you think this only applies to 1,000-key theme park resorts, you haven't been paying attention to what's happening in your own stairwells and parking garages.

I managed a property once where a guest died in the room on a Tuesday afternoon. Natural causes. The man had a heart condition his family knew about. Nothing we could have done. And for the next six weeks, every single person on my staff walked past that room differently. Housekeeping didn't want to go in alone. The front desk started quietly steering guests away from that floor when they could. Nobody told them to. They just did it.

That's what nobody talks about when guest deaths make the news. Not the liability. Not the PR crisis. The humans who work in that building every day and carry it with them.

Disney's Contemporary Resort has had multiple deaths over the past several months... some from medical emergencies, some from suicide. The company is now running refurbishment projects on the Main Tower exterior and Bay Lake Tower elevators, scheduled through late May. Disney hasn't drawn a straight line between the deaths and the construction, and they probably never will publicly. But the timing tells you what you need to know. When a $10 billion operating income segment (that's their Parks, Experiences and Products division in fiscal 2025) starts moving infrastructure projects up the priority list, someone in a conference room decided the risk profile changed.

Here's what the headline-chasing coverage misses entirely. Disney has had daily room safety checks since 2017... the "Do Not Disturb" signs became "Room Occupied" signs, and staff enter every room every day. That policy came after Las Vegas. They have a Chief Safety Officer. They have protocols most of us would kill for. And people still died in their hotel. If it can happen at a property with that level of staffing, that level of investment, and that level of operational discipline, it can absolutely happen at your 180-key limited-service on the interstate. The difference is Disney has a corporate communications team and a legal department that deploys in hours. You have... you.

The uncomfortable truth is that building design matters more than most operators want to admit. Open atriums, exterior corridors, accessible rooftops, parking structures... these are features that show up in architectural renderings looking beautiful and show up in risk assessments looking like liability. I've been in enough buildings to know that the conversation about balcony height, corridor sight lines, and roof access usually happens after something terrible, not before. Disney's Contemporary Resort is a modernist tower with an open atrium design that was revolutionary in 1971. In 2026, that same design creates exposure points that a pod hotel or an interior-corridor select-service simply doesn't have. Your building has its own version of this. Every building does. The question is whether you've walked it with fresh eyes lately... not as a GM looking at carpet wear, but as someone asking "where are the vulnerable spots in this structure?"

What I keep coming back to is the staff piece. Florida's reporting threshold requires disclosure only when a guest is hospitalized for 24 hours or more. Disney reported just two incidents in Q1 2026 under that standard. That's a testament to their safety operation. But the deaths that made headlines... suicides, medical emergencies... those don't always trigger that reporting mechanism. Which means your staff is dealing with trauma that never shows up in any report. No incident form captures the housekeeper who found the guest. No metric tracks the front desk agent who had to call 911. If you're not actively checking on your people after a critical incident... and I mean really checking, not just filing the HR paperwork... you're failing the humans who make your hotel run.

Operator's Take

This one's for every GM, regardless of property type. Three things. First, walk your building this week with one question in mind: where could someone hurt themselves or someone else? Roof access, stairwells, exterior corridors, parking structures, balconies. If you find unlocked access points, fix them Monday morning. Second, ask yourself honestly... do you have a critical incident protocol that includes staff support? Not the liability piece. The human piece. The housekeeper. The night auditor who was alone when it happened. If your plan stops at "call 911, call corporate, file the report," it's incomplete. Third, check your daily room-check policy. Disney implemented theirs in 2017. If you're still honoring "Do Not Disturb" for 48 hours without a welfare check, you're running a risk that a $10 billion operation decided wasn't worth taking nine years ago. You don't need Disney's budget to steal their best practice.

Source: Google News: Resort Hotels
What Xenia's Stock Movements Actually Tell You About Where Hotel Risk Is Headed

Wall Street quants are using Xenia Hotels' stock as a risk barometer for the entire upper-upscale hotel sector. If you own or operate in that space, here's why you should care about what their models are seeing.

I sat across from an asset manager about three years ago who told me, completely straight-faced, that he made more decisions based on REIT stock movements than on his own hotels' monthly P&Ls. I thought he was kidding. He wasn't. "The stock tells me what 500 analysts think is coming," he said. "My P&L tells me what already happened." I still think he was about 60% wrong on that. But the other 40%? That's worth paying attention to.

So here's what's happening with Xenia Hotels & Resorts. Quantitative trading models... the algorithmic stuff that drives a massive chunk of daily volume... are using XHR's price movements as a risk allocation signal for the luxury and upper-upscale hotel segment. Not just as one stock to trade, but as a proxy for where institutional money thinks this tier of hospitality is going. And the signals are mixed in a way that should make operators uncomfortable. The near-term and mid-term sentiment reads weak. The long-term outlook reads positive. Translation: the smart money thinks the next 12-18 months are going to be bumpy, but the asset class is sound if you survive the turbulence. I've seen this movie before. It was called 2019.

Now here's the thing... Xenia's actual numbers are solid. Q4 2025 came in with same-property RevPAR at $176.45, up 4.5% year over year. Occupancy climbed 130 basis points to 66.1%. ADR hit $266.88. Adjusted FFO per share was up 15.4% to $0.45 for the quarter. Full year 2025 net income jumped to $63.1 million from $16.14 million in 2024. They bought back $120.4 million in stock. They're sitting on $640 million in liquidity. The 2026 guidance projects RevPAR growth of 1.5% to 4.5% and nearly 7% FFO growth at the midpoint. These are not distressed numbers. These are the numbers of a company that's executing.

But here's what the press release doesn't mention... and what the quant models are picking up on. Analysts are projecting roughly 30% average annual earnings decline over the next three years. Thirty percent. That's not a typo. Labor costs are climbing. Leisure demand is softening in some of Xenia's key markets. Their weighted-average interest rate is 5.51% on $1.4 billion in debt, which means every rate move by the Fed matters. And institutional investors are split... 136 increased their positions last quarter, but 137 decreased. That's a coin flip, not a consensus. Wellington Management dumped 3.3 million shares while Citadel added a million. When the big money can't agree, the little money should be paying very close attention.

Look... if you're operating in the upper-upscale or luxury space, this matters to you even if you never look at a stock chart. Because what happens to Xenia's cost of capital happens to yours eventually. When REIT stocks get hammered, cap rates move, valuations change, and suddenly your ownership group's refinancing conversation gets a lot less friendly. I knew an owner once who told me he didn't care about the stock market because he ran hotels, not a hedge fund. Six months later his lender was using REIT comps to revalue his property for the loan renewal. He cared after that. The risk models aren't abstract. They're a leading indicator of what your capital stack is going to look like 18 months from now. The operators who survive turbulence are the ones who see it coming and tighten before they have to... not the ones who wait for the P&L to tell them something the market already knew.

Operator's Take

If you're a GM or operator at a luxury or upper-upscale property, stop waiting for your monthly financials to tell you the story. Pull up Xenia's stock chart and the lodging REIT index once a week. It takes five minutes. When institutional sentiment turns bearish on the segment, your ownership group is going to come looking for margin... and you want to already have the plan, not be scrambling to build one. Start stress-testing your 2026 budget against a 10-15% revenue decline scenario right now. Not because it's definitely coming. Because the people who control the capital think it might be, and their opinion is the one that sets your borrowing terms.

Source: Google News: Xenia Hotels
A Scorpion Stung a Guest in His Hotel Room. The Lawsuit Isn't the Expensive Part.

A Las Vegas visitor got stung by an Arizona bark scorpion in his hotel room and is now eyeing litigation. The sting will heal. The operational failure that let it happen is the kind of thing that quietly eats a property alive from the inside out.

Let me tell you what this story is really about. It's not about a scorpion. It's not even about a lawsuit. It's about the thousand small decisions that determine whether a guest finds a venomous arachnid in their bed or doesn't.

A visitor from Los Angeles checked into an off-Strip casino hotel last May and got stung on the arm by an Arizona bark scorpion... the most venomous species in the country. His roommate caught it on video before killing it. The guest says he never got an apology. Now, almost a year later, he's talking to a lawyer. The same attorney, by the way, who represented a guest stung multiple times at a major Strip resort back in 2023. That guest claimed PTSD and filed a lawsuit alleging the hotel was dismissive and unapologetic. See the pattern? It's not just the sting. It's the response after the sting. That's where properties turn a bad night into a six-figure problem.

Here's what nobody's telling you about pest control in desert markets. Every hotel in southern Nevada knows scorpions exist. Every single one. The Mojave Desert didn't sneak up on anybody. Which means the question isn't "could this happen?" The question is "what's your program, how often do you inspect, and what does your team do in the first 90 seconds after a guest reports it?" I worked with a GM years ago in a desert market who had pest control on a biweekly rotation and still found a scorpion in an electrical panel during a routine walk. His response? He sealed every ground-floor penetration point in the building within a week, added monthly inspections for the lower floors, and trained his front desk team on exactly what to say and do if a guest ever reported a critter. Cost him maybe $8,000 total. He never had an incident reach a lawyer. Not once in seven years.

The bed bug litigation wave that's hit Vegas properties since 2022 should have been the wake-up call. Multiple Strip and off-Strip hotels have faced complaints and lawsuits over pest issues in the last few years. The legal theory is premises liability... the hotel has a duty to provide a safe, habitable environment, and in a region where scorpions are endemic, "we didn't know" isn't a defense. Nevada courts expect you to take reasonable precautions against known dangers. If your pest management vendor comes quarterly and you're in a market where bark scorpions are part of the ecosystem, a plaintiff's attorney is going to have a very good day explaining to a jury why quarterly wasn't enough.

But here's the thing that will cost you more than the settlement. The video. The guest's roommate recorded the scorpion in the room. That footage lives forever. It gets shared. It gets embedded in news stories (it already has). One guest with a phone and a legitimate grievance can do more damage to your online reputation than a year of five-star reviews can repair. And when potential guests Google your property and find scorpion footage... they don't read the part where you upgraded your pest control program afterward. They just book somewhere else.

Operator's Take

If you're running a property anywhere in the Sun Belt... Vegas, Phoenix, Texas, Southern California... pull your pest control contract this week and read it line by line. How often are they treating? Are they inspecting interior spaces or just perimeter spraying? Do they specifically address scorpions, or is it a generic program? Then walk your ground-floor rooms and look at every exterior wall penetration... pipes, conduit, HVAC lines. Bark scorpions enter through gaps smaller than a credit card. Seal them. Total cost for caulking and expanding foam on a 200-key property is under $2,000 in materials. Now train your front desk on the response protocol: immediate room move, genuine apology, manager on scene within minutes, incident documented with photos, and a follow-up call the next day. The pest is a facilities problem. The lawsuit is almost always a service recovery failure. Fix both.

Source: Google News: Casino Resorts
80% of Hotels Said Yes to Booking Trafficked Children. Your Front Desk Is the Last Line of Defense.

A short seller sent fake booking requests for underage girls from war-torn Ukraine to 249 Accor-branded hotels, and 45 out of 56 that responded agreed to take the reservation. The technology question nobody's asking is whether any hotel PMS on the market today could have flagged those emails before a human said yes.

So here's what actually happened. A US-based short seller called Grizzly Research sent emails to 249 Accor-branded hotels across more than 20 countries. The emails described a booking for girls aged 14-17, described as orphans from Russian-occupied Ukraine, accompanied by an unrelated adult. Of the 56 hotels that responded, 45 said yes. That's an 80.4% acceptance rate. Some of the emails used language that was, let's be direct here, strongly suggestive of child sexual exploitation. And hotels sent back formal booking confirmations.

Let me say that again. Hotels received booking requests that should have triggered every alarm in the building... and the system produced a confirmation number.

Look, I'm not here to litigate whether Grizzly Research has clean hands. They hold a short position in Accor. They profited when the stock dropped 9.8% on March 19th. Their motivations are their motivations. But motivation doesn't invalidate methodology. They sent emails with screaming red flags to hotel front offices, and the overwhelming majority of responses were "sure, here's your reservation." That's not a short seller problem. That's an operational problem. And it's a technology problem. Because somewhere between the inbox and the PMS, a human being read a request involving unaccompanied minors from a war zone with an unrelated adult... and nobody's workflow caught it.

This is where I get genuinely frustrated with our industry's approach to technology. We spend millions on revenue management systems that can detect a $3 rate discrepancy at 2 AM. We deploy AI-powered chatbots that can upsell a room upgrade before the guest finishes typing. We have fraud detection on credit card transactions that flags a $200 anomaly in milliseconds. But a booking request that contains the words "orphan," "14 years old," "unrelated guardian," and a conflict zone origin... that sails through to a confirmation? What does that tell you about what we've decided matters enough to build systems around?

The technology exists to flag this. Natural language processing that could scan inbound reservation emails for trafficking indicators is not science fiction... it's a straightforward classification model. The US Department of Homeland Security has published specific red flag indicators for hotels. The American Hotel & Lodging Association has training materials. The indicators are KNOWN. They're documented. But almost nobody has built them into the booking workflow as automated gates. Instead, we rely on training that happens once during onboarding (if it happens at all), delivered to staff that turns over at 73% annually, at properties where the person reading that email might be alone at the front desk at 11 PM handling six things at once. I consulted with a hotel group last year that had a beautiful human trafficking awareness poster in the break room and zero... literally zero... system-level safeguards in their reservation flow. The poster had been there for three years. Nobody could tell me the last time someone referenced it.

This isn't an Accor problem. This is an industry architecture problem. Accor is the one getting hit because they're the ones a short seller targeted, and because they kept operating 50-plus properties in Russia after the invasion (which is its own conversation). But if Grizzly had sent those same emails to 249 Marriott properties, or 249 Hilton properties, or 249 independents... does anyone actually believe the acceptance rate would be dramatically different? The Dale Test question here is brutal and simple: when the person working the overnight shift receives a suspicious booking request, does your system help them identify it as suspicious? Or does your system treat it like any other email that needs a confirmation number? If it's the second one... and for the vast majority of hotels, it IS the second one... then you don't have a safeguard. You have a hope. Hope is not a system.

Operator's Take

Pull five reservation requests from your inbox right now and read them the way a cop reads a tip, not the way a reservationist reads a booking. Something feel off? A minor traveling with an unrelated adult? Vague answers about purpose of stay? That's your gut telling you something your system isn't. Listen to it. Here's the practical problem: most of you don't have a system that helps. Your PMS doesn't flag suspicious language in reservation notes. Your email workflow doesn't route anything for a second look. You're relying on whoever happens to be at the desk, on whatever shift, having remembered a training they probably sat through once during onboarding. That's not a process. That's a prayer. So fix the process. This week, not next quarter. Call your PMS vendor and ask specifically whether they support keyword flagging on inbound reservation requests or notes fields. Most will say no. Ask anyway, because the conversation matters and because vendors build what operators ask for. Download the AHLA's trafficking recognition guidelines and run a 15-minute refresher at your next team meeting. Not a poster in the break room. An actual conversation with your actual staff about what a red-flag booking looks like and what they're supposed to do when they see one. Then do it again in 90 days, because the person who needs to catch this might be someone you haven't hired yet. If you're an independent without a brand compliance team pushing this down to you, you're more exposed, not less. Nobody's going to mandate this for you. Which means you either build it yourself or you find out the hard way that hope wasn't enough.

— Mike Storm, Founder & Editor
Source: Google News: Accor Hotels
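
An added example, not code from the article or from any PMS vendor: a minimal rule-based gate of the kind the piece says is missing, which holds an inbound reservation request for manager sign-off before it can reach a confirmation number. The rule names, decision labels and sample messages are constructed assumptions, and the rules cover only the red flags the article itself names, not the DHS or AHLA indicator lists.

```python
import re
from dataclasses import dataclass

# Illustrative rules built only from the red flags named in the article.
# Assumption: a real deployment would load the published DHS / AHLA indicators.
CONTEXT_RULES = {
    "orphan": re.compile(r"\borphan(?:s|ed)?\b", re.I),
    "unrelated_adult": re.compile(
        r"\bunrelated\s+(?:adult|guardian|chaperone)\b|\bnot\s+related\b", re.I),
    "conflict_zone": re.compile(
        r"\bwar[\s-]?(?:zone|torn)\b|\bconflict\s+zone\b|\b\w+-occupied\b", re.I),
}

# Matches "aged 14-17", "ages 14 to 17", "14 years old", "14-year-old".
AGE_RE = re.compile(
    r"\b(?:aged?|ages)\s+(\d{1,2})\b|\b(\d{1,2})[\s-]*(?:years?|yrs?)[\s-]*old\b",
    re.I)


@dataclass(frozen=True)
class Triage:
    decision: str   # ROUTINE | SECOND_LOOK | HOLD_FOR_MANAGER
    reasons: tuple  # rule names that fired, for the reviewer and the audit trail


def triage_request(text: str) -> Triage:
    """Classify one inbound reservation email or notes field."""
    context = tuple(sorted(n for n, rx in CONTEXT_RULES.items() if rx.search(text)))
    ages = [int(a or b) for a, b in AGE_RE.findall(text)]
    minor = any(age < 18 for age in ages)
    # A minor alone is an ordinary family booking. A minor combined with any
    # context flag is the pattern the article describes, so it is held.
    if minor and context:
        return Triage("HOLD_FOR_MANAGER", ("minor_guest",) + context)
    if context:
        return Triage("SECOND_LOOK", context)
    return Triage("ROUTINE", ())


def may_issue_confirmation(result: Triage, manager_signoff: str = "") -> bool:
    """Gate placed in front of the confirmation step.

    Anything that is not ROUTINE needs a named reviewer recorded before a
    confirmation number may be generated.
    """
    if result.decision == "ROUTINE":
        return True
    return bool(manager_signoff)


# Constructed sample messages (not real requests).
SAMPLE_FLAGGED = ("Requesting three rooms for a group of girls aged 14-17, "
                  "orphans from a war-torn region, travelling with one adult "
                  "who is not related to them.")
SAMPLE_FAMILY = ("Two adjoining rooms please. Our children are aged 6 and 9 "
                 "and are travelling with us, their parents.")
SAMPLE_UNCLEAR = ("A charity is arranging rooms for orphans next month; "
                  "ages and escorts to be confirmed.")

if __name__ == "__main__":
    for msg in (SAMPLE_FLAGGED, SAMPLE_FAMILY, SAMPLE_UNCLEAR):
        result = triage_request(msg)
        print(result.decision, result.reasons, may_issue_confirmation(result))
```

The gate only routes work to a person; the overnight agent still makes the call, but with the reasons in front of them and a sign-off on record.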
14,000 Cladding Fixes on a Brand-New Hotel. That's Not a Punch List. That's a Warning.

14,000 Cladding Fixes on a Brand-New Hotel. That's Not a Punch List. That's a Warning.

A 189-key Hilton in the UK needs 14,000 exterior panel fixes barely a year after opening, and the contractor is eating the cost. If you think this is just a British construction story, you haven't looked at your own building envelope lately.

A 23-story, 189-key Hilton opened in late 2024 as the crown jewel of a £540 million mixed-use development in Woking, England. Panels started falling off the building in 2021... three years before the hotel even opened. Let that sit for a second. The cladding was failing during construction, and they opened anyway. A temporary fix last spring addressed about 2,000 of the roughly 4,000 exterior panels. Now the permanent solution requires installing over 14,000 revised fixings across the entire facade. Six months of work. Road closures. And the main contractor, Sir Robert McAlpine, is footing the bill under their design-and-build contract.

Here's where this gets interesting for anyone who operates or owns a hotel built in the last decade. The UK has been dealing with building envelope failures since the Grenfell Tower tragedy in 2017, and the regulatory response has been massive... combustible cladding bans on buildings over 18 meters, extended specifically to hotels in December 2022. Remediation costs across the UK run £1,318 to £2,656 per square meter. The government has committed £5.1 billion, but the estimated total bill is £16.6 billion. Those numbers tell you the scope of the problem. And while this specific failure isn't about combustibility (it's about panels physically detaching from the building), the underlying lesson is the same: building envelope failures on newer properties are not theoretical risks. They're happening. Regularly.

I've seen this pattern play out stateside more times than I'd like. A property opens with fanfare, the punch list supposedly gets cleared, and eighteen months later you've got water intrusion behind the curtain wall or facade panels that weren't rated for the actual wind load at elevation. The contractor points at the architect. The architect points at the specs. The owner's lawyer points at everyone. Meanwhile, the GM is dealing with road closures, scaffolding that makes the entrance look like a construction site, and guests asking if the building is safe. The revenue impact of six months of scaffolding on a 189-key property isn't theoretical... it's real money walking across the street to a competitor that doesn't look like it's under renovation.

What makes the Woking situation instructive is the ownership structure. The local borough council owns the hotel through a holding company. Hilton operates it under a management agreement and collects a fee. The council doesn't receive hotel income directly... it flows through the holding entity, which pays Hilton. So when the cladding fails, the management company keeps collecting its fee (their contract doesn't care about your facade), the contractor absorbs the remediation cost (for now... these things have a way of ending up in court), and the owner... the council, backed by taxpayers... holds the risk on any revenue disruption during six months of construction. That's the alignment gap in three sentences. The entity absorbing the pain isn't the entity that built the building or the entity operating it.

If you own or manage a property built in the last 15 years, especially anything above four stories with a modern rainscreen or curtain wall system, this is your wake-up call. Not to panic. To inspect. Building envelope warranties have specific timelines and specific exclusion language. If you haven't had an independent facade inspection (not from the original contractor... independent), you're trusting the people who built it to tell you whether they built it right. I've been around long enough to know how that usually works out.

Operator's Take

If you're a GM or asset manager at a property built after 2010 with any kind of panel facade system, pull your original construction warranty this week. Check what's covered, what's excluded, and when it expires. Then schedule an independent building envelope inspection... not through your contractor, through a third-party facade consultant. The cost is negligible compared to the alternative. If you're at a managed property, bring this to your owner proactively with the inspection scope and cost already figured out. This is what I call the CapEx Cliff... deferred envelope maintenance doesn't announce itself gradually. It announces itself when panels start hitting the sidewalk. The owner who gets ahead of this looks like they're running the building. The one who waits for the phone call from risk management looks like they weren't paying attention.

Source: Google News: Hilton
UK Building Safety Law Just Made Every Mixed-Use Hotel Owner's Phone Ring

The post-Grenfell building safety regime was supposed to be about residential towers. Turns out, if your hotel shares a wall with apartments, has serviced units, or houses staff on upper floors... you're in the crosshairs too. And 74% of high-rises assessed so far are failing.

I sat in on a development meeting once... maybe ten years ago... where the ownership group was looking at a mixed-use project. Hotel tower, residential condos above, shared podium, shared systems. The architect kept talking about "synergies." The contractor kept talking about "efficiencies." Nobody talked about what happens when two different regulatory frameworks apply to the same building and the rules change after you've already poured the foundation. That conversation is happening right now across the UK, except the stakes are a lot higher than anyone in the room expected.

Here's what's actually going on. The Building Safety Act 2022, born directly from the Grenfell Tower tragedy that killed 72 people, has been rolling out in phases. The hotel industry largely assumed it was a residential problem. Pure-play hotels... standalone buildings, 24/7 staffing, multiple egress routes, commercial fire systems... were carved out of the "Higher-Risk Building" designation. And that's technically true. But "technically true" is the most dangerous phrase in regulatory compliance. Because the moment your hotel sits inside a mixed-use development with residential units above or beside it, the moment you're running serviced apartments or aparthotels (classified as residential), the moment you've got staff accommodation on upper floors that meets the height threshold... you're in. Fully. And the compliance requirements are not trivial. We're talking 43-week average approval timelines from the Building Safety Regulator just for pre-construction gateway clearance. We're talking a 15-year claims window for work done after June 2022 and a 30-year window for work done before. We're talking insurance premiums that one industry advisor described as going "through the roof" (which is an unfortunate choice of words given the context, but accurate).

The number that should keep you up at night: 74% of UK high-rise residential buildings assessed so far have failed to get their Building Assessment Certificate. Seventy-four percent. Now, the explanation from regulators is that most of these are "technical fails"... documentation gaps, missing audit trails, not necessarily structural deficiencies. But I've been through enough code compliance cycles to know that "technical fail" is a distinction that matters to regulators and lawyers, not to lenders and insurers. Your building either has the certificate or it doesn't. And if it doesn't, your insurance costs reflect that reality. One advisor is telling hoteliers to budget 2-5% of turnover specifically for building safety compliance. On a £10M revenue hotel, that's £200K to £500K a year that wasn't in anyone's pro forma two years ago.

The combustible cladding ban tells you everything about where this is heading. Initially it applied to new residential buildings over 18 meters. Then it was extended to new hotels, hostels, and boarding houses at the same height... effective December 2022. Then to existing hotels undergoing external wall refurbishment. The regulatory ratchet only turns one direction. If you're developing, acquiring, or refinancing a hotel in the UK that has any mixed-use component, any serviced apartment inventory, or any building system shared with residential units, your due diligence just got significantly more complex and your capital planning needs to reflect it. Premier Inn has already been voluntarily stripping combustible cladding from properties over 18 meters. They're not doing that because they're generous. They're doing it because they see where the regulatory trajectory ends and they'd rather control the timing and the narrative than have it controlled for them.

Look... this is a UK story today. But if you think the regulatory logic stops at the English Channel, you haven't been paying attention. Every major market eventually follows the same pattern after a tragedy: inquiry, report, legislation, expansion of scope. The Grenfell inquiry recommendations are still being implemented. The government just released a Construction Products Reform white paper in February. The circle is widening, not shrinking. And for anyone operating mixed-use hotel assets in any developed market, the question isn't whether building safety regulation will affect your P&L. It's when, and whether you'll have budgeted for it before the letter arrives.

Operator's Take

If you're managing or owning a hotel in the UK that shares any structure with residential units... mixed-use podium, serviced apartments in the key count, staff housing on upper floors... get a Building Safety Act compliance audit done this quarter. Not next quarter. This one. The 74% fail rate on assessments is telling you that assumptions about exemption are wrong more often than they're right. Budget 2-5% of turnover for compliance costs and bake it into your next ownership report before your lender or insurer does the math for you. And if you're developing new mixed-use in any market, add 43 weeks of regulatory timeline to your pro forma and price the cladding requirements from day one. The cheapest time to comply is before someone tells you to.

Source: Google News: CoStar Hotels
A Guest Nearly Drowned at a Disney-Area Hotel. Here's What Every GM Should Be Asking Right Now.

A near-drowning at the Signia by Hilton Orlando... a "Good Neighbor" Disney property... is the latest in a string of water incidents near the resort. If you run a hotel with a pool and no lifeguard, your risk exposure just got a lot more visible.

Let me tell you what happened on March 9th and then let me tell you what it actually means.

A guest at the Signia by Hilton Orlando... that's the big Hilton-branded property on Bonnet Creek, an "Official Walt Disney World Hotel"... had a near-drowning incident at approximately 2:30 in the afternoon. Medical helicopter responded. Patient transported to a hospital. Orange County Sheriff on scene. And then... silence. No statement from the hotel. No statement from Disney. No patient condition update. That's standard protocol when there's no fatality, but the silence doesn't make the liability disappear. It just makes it quieter.

Here's what should bother you. This isn't isolated. In December 2024, a six-year-old drowned at the Crowne Plaza in Lake Buena Vista... another Disney "Good Neighbor" property. That family filed a lawsuit in November 2025 alleging no lifeguard, hazardous pool design, and signage that didn't match reality. In June 2025, a five-year-old autistic boy drowned in a pond at the Westgate Town Center Resort nearby. And Disney's own properties have had a string of guest deaths in the fall of 2025, though those were different circumstances. The pattern isn't "Disney is unsafe." The pattern is that water features at resort-area hotels are killing and nearly killing guests at a rate that should make every operator with a pool take a hard look at what they're actually doing versus what they think they're doing.

I managed a property once where the pool gate latch had been broken for three weeks. Three weeks. Maintenance knew. The GM knew. It was on a list. Nobody fixed it because nobody had drowned yet, and there were 40 other things on the list that felt more urgent. That's how it always works. Pool safety is a "when we get to it" item until the helicopter lands in your parking lot, and then it's the only thing that exists. The Signia is a 1,000-plus key convention hotel with a major brand flag and Disney affiliation. If it can happen there, in the middle of the afternoon, it can happen at your 150-key property at 7 PM on a Tuesday when the front desk agent is the only person in the building.

And here's the part that keeps me up at night as an operator. The "Good Neighbor" designation creates a perception gap that is absolutely going to show up in litigation. The guest books a "Walt Disney World Hotel." They see Disney branding in the marketing. They assume Disney-level safety protocols. But Disney doesn't own it. Disney doesn't operate it. Disney doesn't staff the pool deck. Hilton has brand standards, sure, but the actual safety execution... lifeguards or no lifeguards, pool inspections, emergency response training for front-line staff... that's on the owner and the management company. The guest doesn't know that. The jury won't care. If you're operating a branded property where the brand name implies a level of oversight that doesn't actually exist at the operational level, you're carrying risk that isn't priced into your insurance and isn't reflected in your safety budget.

So what do you do? You do the boring stuff that doesn't make the renovation presentation but keeps you out of a courtroom. You walk your pool deck tomorrow. Not next week. Tomorrow. Check the gates, the latches, the depth markers, the drain covers, the sight lines from wherever your staff is supposed to be monitoring. Check whether your "No Lifeguard On Duty" signage actually complies with your state and local code (in Florida, that's Chapter 514). Check when your last documented safety drill was for a water emergency. If the answer is "I don't know" or "we don't do those"... you just found your Monday morning priority. And document everything. The difference between a defensible position and a catastrophic judgment is almost always paper. Did you train? Can you prove it? Did you inspect? Is it logged? I've seen this play out in depositions. The hotel that has the binder wins. The hotel that says "we take safety seriously" without the binder loses.

Operator's Take

If you're a GM at any property with a pool, pull your aquatic safety file first thing Monday morning. If that file doesn't exist, you just identified the problem. Verify your "No Lifeguard" signage meets current code, confirm your staff has had documented water emergency response training in the last 90 days, and physically walk the pool deck checking gates, latches, drain covers, and sight lines. Then send a summary email to your management company or owner documenting what you found and what you fixed. That email is your insurance policy... not the one you pay premiums on, the one that actually protects you.

Source: Google News: Hilton
A Hotel Fire Got Put Out in 48 Minutes. The Real Question Is What Happens Before the Fire.

A 357-room Hampton by Hilton at Stansted Airport evacuated every guest and killed a third-floor fire in under an hour with zero injuries. That's the headline. The story underneath it is about the 99% of hotels that haven't pressure-tested their fire response since the last brand audit.

Let me tell you what went right first, because it matters. Monday morning, 10:27 AM, third floor of a 357-room airport hotel catches fire. By 11:15 AM... 48 minutes later... the fire is out, every guest is accounted for, every staff member is safe, and the airport next door never stopped running flights. That's an extraordinary outcome. That's the result of someone (probably several someones) doing their job exactly the way they were trained to do it, under conditions where most people forget everything they've ever been told.

Now here's what keeps me up at night. That hotel is an eight-story, 357-key property managed by Interstate Europe, owned by Legal & General, flagged as Hampton by Hilton. Three layers of institutional oversight. Brand standards. Management company protocols. Institutional owner with asset management resources. And it STILL caught fire. That's not a failure... fires happen. Electrical systems age. Equipment malfunctions. The building is less than a decade old and something still went wrong on the third floor badly enough to require a full evacuation and high-pressure ventilation fans to clear the smoke afterward. The cause is still under investigation. But here's the thing about fire... it doesn't check whether you're a 357-key institutional asset or a 90-key independent running thin. It just burns.

I ran a property once where the chief engineer walked me through every floor and showed me the fire suppression system like he was showing me his firstborn. Sprinkler heads, pull stations, extinguisher locations, smoke detector maintenance logs... the man had a binder. A BINDER. And he made every new hire walk the route within their first week. Not watch a video. Walk it. When I asked him why he was so intense about it, he told me about a hotel he'd worked at 15 years earlier where a laundry room fire sent smoke through the HVAC and they lost 40 minutes figuring out where it was coming from because nobody had checked the duct sensors in six months. Nobody got hurt, but he said the sound of guests banging on doors they couldn't see through was something he never got over. That binder wasn't corporate compliance. That was a man who'd been scared once and decided nobody was going to get scared on his watch again.

The UK hospitality sector logged nearly 600 fires in 2023 alone. Six hundred. Electrical faults, kitchen equipment, HVAC issues. And that's just the ones that got reported. The reality for most hotel operators... especially those of you running older buildings, properties with deferred maintenance budgets, buildings where the electrical was last updated during a Clinton administration renovation... is that your fire risk profile is higher than you think. Your brand's fire safety standards are a minimum, not a maximum. Your insurance company's inspection is annual. Your actual risk is daily. When was the last time your team did a live evacuation drill that wasn't announced in advance? When was the last time someone checked every pull station on every floor? When was the last time your night auditor... the one person in the building at 3 AM... actually walked through what they'd do if they smelled smoke?

The Stansted team earned their outcome on Monday. Forty-eight minutes, zero injuries, operations restored. That didn't happen by accident. It happened because someone, somewhere, took fire preparedness seriously enough to make it muscle memory. The question for the rest of us is whether we're relying on the same level of preparation or whether we're relying on luck. Luck works right up until the moment it doesn't.

Operator's Take

If you're a GM at any property... branded, independent, 100 keys or 500... pull your fire safety logs this week. Not the binder that sits in the engineering office collecting dust. The actual logs. When was the last unannounced evacuation drill? When were smoke detectors last individually tested? Does your overnight staff know where every fire panel, suppression shutoff, and emergency exit is without looking it up? If you can't answer all three in under 30 seconds, you have a Monday morning project. The Stansted team got a good outcome because they were ready. Get ready.

Source: Google News: Hilton
That £8K Jewelry Theft at Gatwick? It's a Security Audit You Didn't Ask For

A guest loses eight thousand pounds worth of jewelry from a hotel room near Gatwick, and the real story isn't the theft... it's how many properties are still running security protocols from 2005 while pretending it's fine.

Someone walked into a hotel room near Gatwick Airport, took £8,000 in jewelry, and walked out. That's the headline. Here's what the headline doesn't tell you... this happens constantly, and most of the time nobody writes a BBC story about it. You just get the incident report, the insurance claim, and a guest who will never come back.

I managed an airport-adjacent property years ago. 300-plus keys, international mix of guests, people coming and going at all hours with luggage carts full of everything they own because they're between flights and their entire life is in that room for 12 hours. We had a rash of thefts over one summer... nothing dramatic, nothing that made the news, but enough that I started losing sleep over it. Turned out a contract cleaning crew member had figured out the master key system. Not hacked it. Not bypassed it. Just figured out the pattern because we hadn't changed the authorization codes in seven months. Seven months. That was on me. And the fix cost us about £200 in new key cards and an hour of front desk time. The damage to our reputation with the corporate accounts who heard about it? That cost us a lot more than £200.

Here's what most GMs don't want to think about. The Hotel Proprietors Act of 1956 (yes, 1956... the law is literally older than most of the buildings it covers) caps your strict liability at £50 per item and £100 total per guest. That sounds like a shield until a solicitor proves negligence, and then that cap disappears entirely. Negligence isn't hard to prove when your key audit trail has gaps, your CCTV coverage has blind spots on guest floors, or your master key protocol hasn't been reviewed since the last brand standard inspection. And the Gatwick corridor is a target-rich environment... high-value transient guests, short stays, minimal relationship with staff, and an "I'll never be back anyway" anonymity that makes it attractive to anyone looking to work hotel floors.

What bothers me about stories like this isn't the theft itself. Theft happens. Bad people exist. What bothers me is that the operational controls to prevent most of these incidents are neither expensive nor complicated... they're just boring. Key audit logs reviewed weekly. CCTV on every guest floor (not just the lobby and the parking lot). Master key check-in/check-out logs that actually get checked. In-room safes that work and that front desk actively mentions at check-in. Staff trained to challenge unfamiliar faces on guest floors. None of this is revolutionary. All of it gets deprioritized because it doesn't generate revenue and nobody at the brand level is measuring it until something goes wrong.

The UK has seen a pattern recently... organized crews hitting hotel corridors in London, the Scottish Borders, airport properties, coastal resort towns. This isn't random. These are people who understand hotel operations well enough to exploit the gaps. City of London Police arrested four people in January working hotels in the Square Mile. Two burglars hit 11 rooms at a Devon property last spring. If you're running a property in the UK right now (especially near a major transport hub), this is not a "could happen to us" conversation. It's a "when" conversation. And the answer to "when" is determined almost entirely by how seriously you take the boring, unsexy, revenue-neutral work of physical security.

Operator's Take

If you're a GM at an airport hotel or any high-turnover transient property, pull your master key log right now. Today. If you can't tell me exactly who had a master key and when they returned it for every shift this week, you have a problem. Review your CCTV coverage on guest floors... not the lobby, the floors. And start mentioning in-room safes at check-in as standard practice, not as an afterthought. The £200 you spend tightening key protocols this week is a lot cheaper than the £8,000 claim and the TripAdvisor review that follows.

Source: Google News: Hilton
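
An added example, not part of the original article: the weekly master key log review described above, run over a constructed check-out/check-in log. The CSV layout, key IDs, staff labels and the nine-hour shift limit are assumptions; a real lock system's audit export will differ.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample log (not real data). One row per key movement.
SAMPLE_LOG = """key_id,staff,action,timestamp
MK-1,housekeeping_a,OUT,2026-06-08T07:00
MK-2,engineering_b,OUT,2026-06-08T08:00
MK-1,housekeeping_a,IN,2026-06-08T15:05
MK-3,contract_clean_c,OUT,2026-06-09T06:30
MK-1,housekeeping_d,OUT,2026-06-09T07:00
MK-2,engineering_b,IN,2026-06-09T08:10
MK-1,housekeeping_a,IN,2026-06-09T15:00
MK-4,front_desk_e,IN,2026-06-09T16:00
"""


def audit_master_keys(log_text, as_of, max_hold=timedelta(hours=9)):
    """Return (key_id, issue, staff_on_record) for every gap in the key log.

    as_of is the ISO timestamp of the review; max_hold is the longest a key
    may stay out before it counts as overdue (assumed: one shift plus slack).
    """
    review_time = datetime.fromisoformat(as_of)
    open_out = {}   # key_id -> (staff who signed it out, when)
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: r["timestamp"])
    for row in rows:
        key, staff = row["key_id"], row["staff"]
        when = datetime.fromisoformat(row["timestamp"])
        if row["action"] == "OUT":
            if key in open_out:
                # Signed out again with no return logged in between.
                findings.append((key, "CHECKOUT_WHILE_OUT", open_out[key][0]))
            open_out[key] = (staff, when)
        elif row["action"] == "IN":
            if key not in open_out:
                # A key came back that the log never saw leave.
                findings.append((key, "RETURN_WITHOUT_CHECKOUT", staff))
                continue
            holder, since = open_out.pop(key)
            if holder != staff:
                # The key changed hands off the record during the shift.
                findings.append((key, "RETURNED_BY_OTHER", holder))
            if when - since > max_hold:
                findings.append((key, "OVERDUE_RETURN", holder))
    for key, (holder, since) in sorted(open_out.items()):
        if review_time - since > max_hold:
            findings.append((key, "NOT_RETURNED", holder))
    return findings


if __name__ == "__main__":
    for finding in audit_master_keys(SAMPLE_LOG, "2026-06-10T09:00"):
        print(*finding)
```

Each finding is a question the GM should be able to answer from the shift record; any that cannot be answered is the audit-trail gap the article warns about.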
A Guy Paid $200 for One Night and Lived in the Hotel for Five Years. Here's What You Missed.

A man rented a single room at a major Manhattan hotel, exploited an obscure housing law, forged a deed claiming ownership of the entire property, and nobody stopped him for half a decade. If you think this can't happen to you, you're not paying attention.

Let me tell you what keeps me up at night. Not OTA commission creep. Not tariffs on imported FF&E. It's the stuff that blindsides you because you never thought to look for it.

A guy walks into a Manhattan hotel in 2018. Pays $200 for one night. Then he doesn't leave. He finds an obscure New York City housing law that applies to buildings constructed before 1969... this particular hotel was built in 1930... and requests a six-month lease as a single-room occupant. The hotel's legal team apparently didn't show up to the housing court hearing. A judge awarded him "possession" of the room by default. By default. Let that sink in. Because someone didn't put a lawyer in a chair, this guy lived rent-free for five years.

But here's where it gets truly insane. He didn't just squat. He escalated. Forged a deed and uploaded it to a city property records website claiming he owned the entire hotel. Then he tried to collect rent from a commercial tenant in the building. Registered the property under his name for water and sewage payments. Attempted to transfer the hotel's franchise agreement. Tried to borrow against the property. At one point, he offered to "sell" the hotel back to its actual owners for $14 million. This went on from 2019 to 2023 before he was finally evicted. He just pleaded guilty to fraud charges and got six months (time served) plus five years probation. Six months. For a scheme that lasted five years and targeted a property worth hundreds of millions.

I knew a GM once at an older downtown property... pre-war building, beautiful bones, the kind of place with a hundred years of legal quirks baked into the walls. He told me the scariest call he ever got wasn't about a burst pipe or a guest injury. It was from a process server. Someone had filed a lien against the property based on a fabricated contract. Took eight months and $60,000 in legal fees to unwind. Eight months where the ownership group couldn't refinance, couldn't sell, couldn't do anything because the title was clouded. His takeaway? "I check our property records every quarter now. Every quarter. Like I check the fire suppression system." That's the mindset.

Look... most of you aren't running historic Manhattan hotels with pre-1969 housing law exposure. But the principle here is universal. Every property has legal vulnerabilities that nobody thinks about until someone exploits them. Tenant protection laws vary wildly by jurisdiction. Property record systems in most municipalities are shockingly easy to manipulate. And the single biggest failure in this case wasn't the obscure law or the forged deed... it was that nobody showed up to court. That's an operational failure. That's a process failure. That's the kind of thing that happens when legal compliance lives in someone's email inbox instead of on a calendar with alerts and accountability. If you're a GM, you need to know three things right now. One: what housing and tenant protection laws apply to your specific property based on its age, its jurisdiction, and its zoning classification. Call your attorney this week and ask. Two: who is monitoring your property records for unauthorized filings? If the answer is "nobody" or "I assume our management company handles that," you have a problem. Title monitoring services exist. They cost almost nothing compared to the alternative. Three: do you have a written protocol that ensures legal representation at every single court proceeding related to your property, no matter how trivial it appears? Because "trivial" is how a $200 room night turns into a five-year occupation and a forged deed claiming your entire building.

The guy got six months. The hotel got five years of headaches, massive legal bills, a room generating zero revenue, and its name in every headline as the property that got conned by a single guest with a $200 reservation. The math on prevention versus response here isn't even close.

Operator's Take

If you're a GM at any property... branded, independent, doesn't matter... do three things before the end of next week. First, call your real estate attorney and ask specifically what tenant protection or housing laws apply to your building based on its age and jurisdiction. You need to know your exposure. Second, set up title monitoring on your property. Services like this run a few hundred dollars a year and alert you if anyone files anything against your deed. Third, build a legal response calendar. Every court notice, every filing, every proceeding gets logged with a deadline and an assigned attorney. No exceptions. No "we'll handle it later." The hotel in this case lost control of the situation the moment nobody showed up to court. That's the kind of mistake you only make once... if you're lucky.

Source: AP News
Your Hotel Is One Phishing Email Away From a $100 Million Problem


Wynn Resorts is the fourth major casino operator hit by cybercriminals in three years, and the attack vector keeps being the same: people, not technology. If you're running a hotel of any size and you think this is a big-company problem, you're wrong.

Somewhere in a Wynn Resorts HR office right now, somebody is having the worst week of their career. 800,000 employee records... names, Social Security numbers, salaries, start dates, phone numbers... sitting on a dark web server with a Monday deadline and a $1.5 million price tag. The hackers call themselves ShinyHunters. They claim they've been inside Wynn's systems since September 2025. Five months. That's five months of someone rummaging through your filing cabinets while you're standing right there.

I've seen this movie before. Not at Wynn's scale, but the script is identical every single time. A property I worked with years ago got hit through a vendor portal that nobody had bothered to update in 18 months. The breach wasn't sophisticated. It was embarrassing. A former employee's credentials were still active. That's it. No genius hacking. Just a door nobody remembered to lock. The cleanup cost more than the property's entire annual IT budget, and the reputational damage lasted two full booking cycles. And that was a 300-key property, not a publicly traded resort company. The math scales, but the fundamentals don't change.

Here's what nobody's connecting: this is the fourth major Las Vegas casino operator breached since 2023. Caesars paid $15 million in ransom. MGM ate $100 million in losses and had systems down for nine days. Boyd Gaming got hit in September 2025 and still hasn't disclosed the cost. Now Wynn. The pattern isn't that these companies have bad security teams (they don't... they spend millions on cybersecurity). The pattern is that every single breach traces back to human factors. Social engineering. Stolen credentials. An employee who clicked something or told someone something they shouldn't have. ShinyHunters reportedly got into Wynn through an Oracle PeopleSoft vulnerability using an employee's credentials. Not a zero-day exploit. Not some movie-style hack. Someone's login and a software system that wasn't patched. That's it. And if that can happen at a company with Wynn's resources, it can absolutely happen at your 200-key select-service with one IT guy who also manages the AV equipment.

Let me be direct about what this means for your operation. Your guests are watching. No guest data was reportedly stolen in the Wynn breach this time, but guests don't parse those details. They see "hotel company hacked" and they think about the credit card they used at check-in. They think about the loyalty profile with their home address. The cumulative effect of these headlines is real... it erodes trust in the entire industry, not just the company that got hit. And here's the operational reality that keeps me up at night: most hotel-level cybersecurity is a joke. I'm not being dramatic. The average property has a PMS running on a server that hasn't been patched in months, a guest WiFi network that's one misconfiguration away from touching the operational network, shared passwords for vendor portals, and front desk staff who've never had a single hour of cybersecurity training. Your brand might have a security standard buried in the operations manual somewhere. When's the last time anyone looked at it?

The fix isn't a seven-figure security platform. The fix starts with your next team meeting. Train your people. Not once a year during onboarding... monthly. Five minutes. "Don't give your password to anyone who calls claiming to be IT support. Don't click links in emails you weren't expecting. If something feels wrong, call your GM." Turn on multi-factor authentication on every system that supports it (most do... most properties just haven't bothered). Segment your network so the guest WiFi can't touch your PMS or your payroll system. Audit who has access to what and kill every credential that belongs to someone who doesn't work there anymore. And for the love of everything, patch your software. That PeopleSoft vulnerability at Wynn? It had a fix available. Somebody just didn't apply it. Your owners are going to ask about this. The answer isn't "we're fine." The answer is "here's exactly what we've done, here's what we're doing next week, and here's what it costs." Because the cost of prevention is a rounding error compared to the cost of being the next headline.

Operator's Take

Pull your IT access list tomorrow morning. Every employee who's left in the last 12 months... verify their credentials are dead. Every shared password on every vendor portal... change it. If you don't have multi-factor authentication turned on for your PMS, your email, and your payroll system, that's your project for this week. Not next quarter. This week. And schedule 15 minutes at your next all-hands to talk to your staff about phishing and social engineering. The hackers aren't breaking through firewalls. They're calling your front desk and asking for a password. Your people are your security system. Train them like it.
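The access-list audit described above, sketched as an added example (not from the original article or from any vendor's tooling). It cross-checks an HR roster against an account export and flags live credentials for departed staff, shared logins, and missing MFA on the PMS, email and payroll; the CSV column names, system names and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample exports: column names and rows are assumptions, not a real format.
HR_ROSTER = """employee_id,name,status,end_date
1001,A. Rivera,active,
1002,B. Chen,terminated,2025-11-03
1003,C. Okafor,terminated,2024-01-15
"""

ACCOUNTS = """system,username,employee_id,enabled,mfa,shared
pms,arivera,1001,yes,no,no
pms,bchen,1002,yes,yes,no
payroll,bchen,1002,no,yes,no
email,cokafor,1003,yes,no,no
vendor_portal,frontdesk,,yes,no,yes
"""

MFA_REQUIRED = {"pms", "email", "payroll"}  # the three systems named in the text


def audit(roster_csv, accounts_csv, today, lookback_days=365):
    """Return sorted (finding, system, username) tuples for enabled accounts."""
    cutoff = today - timedelta(days=lookback_days)
    status = {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        end = date.fromisoformat(row["end_date"]) if row["end_date"] else None
        status[row["employee_id"]] = (row["status"], end)
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "yes":
            continue  # already disabled, nothing left to kill
        key = (acct["system"], acct["username"])
        if acct["shared"] == "yes":
            findings.append(("SHARED_CREDENTIAL", *key))
        elif acct["employee_id"] not in status:
            findings.append(("NO_OWNER_ON_ROSTER", *key))
        else:
            state, end = status[acct["employee_id"]]
            if state == "terminated":
                tag = "DEPARTED_LAST_12MO" if end and end >= cutoff else "DEPARTED_OLDER"
                findings.append((tag, *key))
        if acct["system"] in MFA_REQUIRED and acct["mfa"] != "yes":
            findings.append(("MFA_OFF", *key))
    return sorted(findings)


if __name__ == "__main__":
    print(*audit(HR_ROSTER, ACCOUNTS, today=date(2026, 2, 1)), sep="\n")
```

Every line it prints is a credential to disable, rotate or enroll in MFA; an account whose owner is missing from the roster is flagged rather than assumed safe.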

Source: Reviewjournal
Hotel ICE Contracts Now Create Personal Risk for Leadership


Activists showed up at Hilton's CEO home over immigration detention contracts. This isn't about politics — it's about the new reality of reputational warfare hitting the C-suite personally.

Here's the thing nobody's telling you: when protesters start camping outside your CEO's house, you've crossed into a different risk category entirely. The anti-ICE campaign against hotels just escalated from lobby demonstrations to personal targeting of executives. That's a massive operational shift.

I've seen this movie before with other industries. Environmental activists did this to oil executives in the 2000s. Labor organizers targeted retail CEOs' homes during wage campaigns. Now it's hotels and immigration enforcement. The playbook is predictable — but the implications for your operations aren't.

Let me be direct about what changed. Corporate reputational risk used to mean bad press and maybe some boycott threats. Now it means your leadership team gets personally harassed at home. Their families become part of the story. That changes how boards think about government contracts. It changes how CEOs calculate risk-reward on detention center business.

If you're running a select-service property that takes overflow ICE housing contracts, you need to understand this isn't just about your local market anymore. The campaign has gone national and personal. Your management company's executives could be next. Your ownership group needs to factor in this new level of activist pressure when they're looking at those contracts — because the revenue might not be worth the personal cost to leadership.

The brands are going to start making different calculations here. When Hampton Inn or Fairfield executives are getting doxxed and harassed at their kids' schools, corporate is going to push back on franchisees taking these contracts. Count on it.

Operator's Take

If you're currently housing ICE detainees, get your crisis communications plan updated immediately. If you're considering these contracts, factor in the personal risk to your management team — not just property-level disruption. The revenue math just changed when executives become personal targets.

Source: Skift