Recent high-profile cyber-attacks have renewed interest in
cyber-insurance as CEOs worry about covering the cost of a data breach
if, or when, they get attacked. However, the policies they are buying
may not help them in case of a large-scale breach.
Sony is discovering this the hard way as the embattled Japanese entertainment giant struggles to recover from the series of cyber-attacks in April and May
on several of its online entertainment services, in which over 100 million
user accounts were compromised. At least 55 putative class action
lawsuits from irate consumers about the breach have been filed against
the company in the United States.
Sony has estimated it will cost $178 million to deal with the breach
this year, which includes implementing new security measures, but
doesn't include legal fees or potential compensation awards. Sony said
in May it would depend on its insurers to help pay for the breach.
Sony's insurance company, Zurich American Insurance, is balking at the
prospect of paying the legal fees and claims "asserted in the
class-action lawsuits, miscellaneous claims, or potential future
actions instituted by any state attorney general," according to court
documents filed July 20 with the Supreme Court of New York.
Zurich claimed the commercial general liability insurance policy that
Sony bought does not cover damages arising from cyber-incidents.
The policy only covers "bodily injury" and "property damage" caused by
occurrences other than the kind of cyber-attacks Sony experienced. It
seems insurance company coverage, when it does extend to
cyber-coverage, normally only covers the cost of re-creating the data,
not the legal liability and other collateral damage involved, Cameron
Camp, a malware researcher at ESET, wrote on the company blog.
Cyber-insurance can cover anything from the cost of notifying customers
after a data breach to the cost of defending against lawsuits. Many
businesses assume a general policy will have them covered, only to find
out the hard way after a data breach occurs, Camp said.
Insurance companies in general are conservative about the amount of
losses they are willing to cover in case of a data breach, Camp said.
Part of the reason may be in the challenge of quantifying damage in
this relatively new market.
Unlike fire insurance, where insurers can look at materials used and
fire suppression in place, or auto insurance that looks at the driver's
driving record and car model history, there is no way to estimate risk
in software development, John Pescatore, a Gartner analyst,
wrote on his blog. There is "no table of strengths for software, no
handbook of materials, no basis for insurance estimators to determine
risk," he said.
Cyber-insurance policies didn't provide any "meaningful bounding of the
financial exposure from a cyber incident," Pescatore said. In many
cases, insurance companies are now offering cyber-liability coverage
specifically for data breaches, which organizations have to buy
separately from general liability or data protection policies. However,
because there is no good way to understand risk, premiums are high,
payouts are limited and the definition of a qualifying "injury" is also
very limited.
The current rash of data breaches may actually be providing insurance
companies with the kind of data they need to analyze and understand the
risks associated with data breaches and cyber-liability insurance,
which will help companies better estimate risk in the future, Camp said.
It's important for company executives to check the insurance policy
"closely" to find out what burden is needed to prove there has been an
"injury," Camp said, adding "Do your homework when looking for complete
coverage, make sure it really covers what your organization expects and
needs."
Zurich is also suing Sony's other insurers, including Mitsui Sumitomo
Insurance, AIG and ACE, to have the court clarify their
responsibilities under the policies they offered Sony.
While it's possible some organizations would have the right insurance
policies that would cover these liability-based losses, executives need
to remember that insurance won't repair the brand or prevent angry
customers from walking out the door, William Kilmer, chief marketing
officer of M86 Security, told eWEEK.
"So, insurance may be helpful, but it is not a substitute" for sound
security practices that will prevent a massive data breach, Kilmer said.
Pescatore agreed, noting that it's likely that "some simple precautions
and process improvements" could have protected Sony customers for less
than the $300 million these attacks may wind up costing Sony.