Lawsuit Against Sony Highlights Cyber Insurance Shortcomings 99
CWmike writes "A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents. Zurich American Insurance Co. asked the court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company. The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs. But analysts say insurance might not have even been worth it in Sony's case: 'There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents,' said Gartner analyst John Pescatore. Um, better security as an insurance policy maybe?"
Better security is no insurance (Score:4, Insightful)
Re:Plan B? (Score:5, Insightful)
Shouldn't have to pay (Score:5, Insightful)
At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. By this point, I'm almost wondering if some of them weren't/ aren't deliberately sabotaging Sony's security (well, those who actually know enough to do sabotage, which is looking like the minority at this point.) No patches/ firewall on their servers? Not using random numbers in the signature on firmware for the PS3 (thus revealing the master private key. Including that for Bluray.)? This? [slashdot.org] These aren't just huge, gaping flaws. Flaws require effort to exploit. These are just... not security. At all. Its like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. Its simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).
Sony should be forced to pay, and probably have some punitive costs added as well, so that they learn to hire competent security designers. And pay them well. This whole episode is simply mind-boggling. Didn't know a company could be this incompetent and still exist.
Re:Why bother? (Score:4, Insightful)
Little people obtain insurance to deal with the potential for low-probability catastrophes; but if you bring the finance guys into it, insurance is just another financial instrument to be fiddled with in the service of perceived optimization(also, once you bring the finance guys into it, not insuring something starts to look a lot like self-insuring something, at which point the question of whether to buy insurance or not really just comes down to whether to do something in-house or contract it...
Re:same as it ever was (Score:3, Insightful)
Let's see if my car analogy works.
It would be like me leaving my car parked in a public parking lot with the windows slightly down and the keys in it. I let it sit there for months and several concerned individuals drop by to tell me there are undesirable elements in the hood and they have been stealing cars. I ignore these naysayers and go happily on my way until one day the car isn't there anymore. Then I go to my insurance company and ask them to pay me for a new car. They will say I was negligent and therefore they are not liable for my replacement costs.