
Lawsuit Against Sony Highlights Cyber Insurance Shortcomings

CWmike writes "A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents. Zurich American Insurance Co. asked the court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company. The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S. and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs. But analysts say insurance might not have even been worth it in Sony's case: 'There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents,' said Gartner analyst John Pescatore. Um, better security as an insurance policy maybe?"
  • by Daniel_Staal ( 609844 ) <DStaal@usa.net> on Wednesday July 27, 2011 @02:14PM (#36898992)

    Actually, from what I've read, the insurance company is trying to claim that cybersecurity breaches (or whatever you wanted to call this) weren't part of the policy. So it's not that Sony was negligent, it's that Sony wasn't insured at all. (According to the insurance company, at least.)

  • by Anonymous Coward on Wednesday July 27, 2011 @02:18PM (#36899072)

    (posting anon so I don't get sued by former employers - mega tech, mega bank, mega networking...)

    This sort of crap is why I got out of IT security and secure network protocols as a formerly fun career path. The big companies don't give a flying ^&%# about actual security anymore, the MBA mentality has determined it's cheaper to declare it secure and buy an insurance policy. HSM? That's too expensive... Password database, PKI? No, the spec says "encrypted", it doesn't specify anything about key management, just bake a password into the firmware, or make it talk to AD... (sigh)

  • by Animats ( 122034 ) on Wednesday July 27, 2011 @02:18PM (#36899074) Homepage

    The actual court filing [state.ny.us] by the insurance companies says:

    Notwithstanding, the claims set forth in the Class Action Complaints filed against SCEA and the other Sony Defendants, as well as the miscellaneous claims, arising out of the cyber attacks on the PSN and SOE Network and the unauthorized access to and theft of the named plaintiffs and putative class members' personal identification and financial information, do not assert claims for "bodily injury," "property damage" or "personal and advertising injury" so as to entitle SCEA to defense and/or indemnity under the ZAIC Primary Policy.

    In other words, Sony didn't buy coverage against a liability of this type. They were covered if the product actually injured someone or damaged their property (shocked someone or caught on fire, for example) but not for an indirect financial loss.

    What they needed was an "errors and omissions policy". This covers financial screwups. Banks, accountants, tax advisors, and brokers usually carry such policies, because they handle other people's money. What Sony's people didn't realize is that, by handling so many credit card numbers (and, apparently, improperly holding more credit card info than they should have), they had the exposure of a financial institution.

    Any merchant who holds onto credit card info for recurring transactions needs that coverage. Merchants who just pass credit card data to the bank for a single transaction, but don't keep it on file, are less at risk.
