Lawsuit Against Sony Highlights Cyber Insurance Shortcomings

CWmike writes "A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents. Zurich American Insurance Co. asked the court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company. The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs. But analysts say insurance might not have even been worth it in Sony's case: 'There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents,' said Gartner analyst John Pescatore. Um, better security as an insurance policy maybe?"

Extortion works too!

That's a nice network you got there. Be a shame if anything happened to it.

Re:Extortion works too!

Don't worry, it's got Windows servers. They already know something's going to happen to it.

Re:Extortion works too!

[hairyfeet]

Uhhh...AC dude? they were running unpatched servers with no firewall with access to the big bad web. You HONESTLY think a 3+ year old out of date unpatched Linux server with NO firewall or IPS would have done ANY better? I don't care what OS you use if you don't follow best practices and let Forest Gump run the network your ass is grass, the only question is when. If they had used a zero day you may have had a legitimate argument but this was script kiddie 101 crap, the kind of crap you see grandmas hit with NOT giant corps who are actually supposed to have admins to...well administer. WTF were their admins doing? Playing Little Big Planet?

As for TFA this is something in America we really really REALLY need to address: The way insurance companies are happy to take the payments, only to weasel out when it comes time to pay the bill. We see this happen every day in America, where a person pays for years, sometimes decades, for their insurance only to find when they actually need it to serve its intended purpose the company throws lawyers who pick through the forms with a fine toothed comb until they find a way to get out of paying.

Its a really nice scam these insurance companies have got going, you pay ever rising fees for a service you can't actually ever use. To use a /. car analogy it would be like you paying 20 years on a mint state Mustang I claim to have in my garage only to have a lawyer tell you that you can't have the car when the last payment arrives because you were 2 hours late on a payment in 1996. In both cases you end up paying for the illusion you have something that you don't.

same as it ever was

So this is just the same thing that happens everyday to regular people, just scaled up to the corporate level. Insurance companies will absolve themselves of all responsibility to pay a claim whenever they possibly can. Why would it be any different when it's a corporation trying to make the claim?

Re:same as it ever was

[ArhcAngel]

Responding to an AC I know but in this case I believe Zurich has a case. Sony's was warned at least three months prior to the incident that led to their outage that their system was at severe risk.

Let's see if my car analogy works.
It would be like me leaving my car parked in a public parking lot with the windows slightly down and the keys in it. I let it sit there for months and several concerned individuals drop by to tell me there are undesirable elements in the hood and they have been stealing cars. I ignore these naysayers and go happily on my way until one day the car isn't there anymore. Then I go to my insurance company and ask them to pay me for a new car. They will say I was negligent and therefore they are not liable for my replacement costs.

Re:same as it ever was

[whoever57]

And, you only had insurance against fire, not theft.

Plan B?

[taiwanjohn]

Maybe they should just throw in the towel and hire LulzSec to handle their online security.

Re:Plan B?

[fuzzyfuzzyfungus]

I think that the Lulz Boat is arguably already a form of of 'Sony Online Entertainment', albeit not of the kind that Sony intends to publish...

Re:Plan B?

[Opportunist]

They already did an audit, actually more than just a single one, what else do you expect from them to do for free?

Re:Plan B?

[HappyPsycho]

Keep auditing, till its safe... :P

Especially if you add the clause "you can use any credit cards you acquire, Sony will pay the bill", that should get them fixing things quickly.

the devil vs the devil

[TheGratefulNet]

hmmm, on one side, an insurance company.

on the other side, sony.

hey, why does it have to be one or the other, though? can't they both lose? please?

(for great justice. and a plate of shrimp, to go.)

Re:the devil vs the devil

[Rolgar]

OT rant: What's wrong with the insurance company? Is it that some insurance companies are inclined to not pay on health?

Realize, different types of insurance are sold by different companies. For instance, Blue Cross and other insurance companies don't cover property damage or sell life insurance policies. With non-health insurance, you probably have a choice, and I don't hear near as many bad comments about them as I hear about health insurance. Why? Probably because you can easily switch insurance providers for property insurance, and you had a choice when you bought your life insurance. Unfortunately, with health, most people are tied, by virtue of employer selected health care plans to a provider that they don't have any say in. I have the feeling if I had the cash that my employer pays Aetna for my insurance coverage, I could go select something else, I could probably get a better deal. I hear health insurance coops are a good alternative, although they have similar restrictions as the for profit organizations.

Re:the devil vs the devil

[Opportunist]

It's one of those "If they both jump off a tower, who hits the ground first?" "Who cares, as long as they both jump!" things, ain't it?

Re:the devil vs the devil

[ginbot462]

>> With non-health insurance, you probably have a choice, and I don't hear near as many bad comments about them as I hear about health insurance.

Tell that to Katrina Victims .. and yes, I know the Flood Policy deal. But, there were people that loss whole houses to WIND ONLY and I am sorry, floods don't blow roofs away. Oh.. there was water in the wind so it doesn't count? WTF?

http://www.centerjd.org/air/pr/KATRINAREPORT.pdf

Re:the devil vs the devil

[TheGratefulNet]

Is it that some insurance companies are inclined to not pay on health?

I lost my job and was on COBRA. that ran out and to keep health insurance, I had to buy 'private insurance'. if you don't, then the 'pre-existing condition exclusions' can really bite you. its a huge risk, in the US, to not have 'continuous insurance'.

anyway, I was a month into my new fairly expensive private no-group plan when I had a dental emergency. fortunately, I did have the dental coverage (thought I). I went to the dentist (on my group plan, so called 'in network') and they tell me that since I'm not on corporate-backed insurance (which I would have been if I was still on COBRA via my last employer) that there are 3mo, 6mo and 9mo waiting periods before you can qualify for coverage for this or that thing. only routine cleanings seem to be included and not part of this 'waiting list' stuff.

go ahead and tell me this isn't evil to the core. its only there to 'ensure' that the insurance company gets a good LONG series of my continuous monthy payments (that I can't even USE, basically; so I'm kind of 'pre-paying' in advance for the right to get emergency coverage!) and then, a year or portion of a year later, THEN I'm allowed to have an emergency and get some coverage for it.

the best I was able to do in this case was to get 'in network' negotiated fee price instead of the full price (it saved me some but still it was all out of pocket and I don't even think this payment counts *toward* my deductable).

if I could stand by and watch insurance execs suffer extreme pain, I'd stand by and watch. and watch. and maybe send for popcorn.

they are evil rotton bastards.

I'm not sure who I dispise more, IC's or sony. like I said, its not either/or, I hate them both, but for obviously different reasons.

Re:the devil vs the devil

[publiclurker]

Or the ones who had wind insurance, but the company refused to cover any water damage, claiming it was caused by the flood and not the fact that the roof blew off.

Re:the devil vs the devil

[swb]

Well, it's the annoying habit insurance companies have collecting on insurance premiums and not paying claims, in all realms, not just health insurance. Health claims are just more pernicious because it deals with life and death.

I've personally had pretty good luck with car insurance, but my claims have almost always been totally one-sided (as in rear-ended or parked) and the fault 100% of the other driver.

Re:the devil vs the devil

[kelemvor4]

OT rant: What's wrong with the insurance company? Is it that some insurance companies are inclined to not pay on health?

Realize, different types of insurance are sold by different companies. For instance, Blue Cross and other insurance companies don't cover property damage or sell life insurance policies. With non-health insurance, you probably have a choice, and I don't hear near as many bad comments about them as I hear about health insurance. Why? Probably because you can easily switch insurance providers for property insurance, and you had a choice when you bought your life insurance. Unfortunately, with health, most people are tied, by virtue of employer selected health care plans to a provider that they don't have any say in. I have the feeling if I had the cash that my employer pays Aetna for my insurance coverage, I could go select something else, I could probably get a better deal. I hear health insurance coops are a good alternative, although they have similar restrictions as the for profit organizations.

I think basically it's because the whole (non health) insurance industry has a reputation for doing whatever they can to screw their customers when a claim is actually filed. Couple that with the fact that in many locations insurance (auto insurance for example) is required by law and you can begin to see why people do not like insurance companies. They take your money from you and then do everything in their power to not pay out when they should.

Re:the devil vs the devil

[rworne]

go ahead and tell me this isn't evil to the core

I can.

Look at this hypothetical situation, and it is hypothetical, I'm not saying it's you:

Someone does not want to pay for insurance because they view it as a waste of money. Then, one day their tooth starts to hurt and it looks like it may need a root canal.

So they call and sign up for dental insurance and with the $96/year plan, they go ahead and get a $1500 (or whatever the cost) procedure done. Then cancel at the earliest convenience and wait until the next problem to sign up again.

Insurance companies won't stay in business very long with that kind of business plan. The waiting period is to make sure healthy people buy in, not people who (for one reason or another) wait until they have a problem then look for coverage.

Do honest people get screwed by this? Yes, they do.

Re:the devil vs the devil

[eulernet]

And they managed to involve the third devil: lawyers !

Re:the devil vs the devil

[TheGratefulNet]

what would be fair: pay for the emergency stuff as long as I'm covered. I AM covered, why deny me?

now, you can ask^Hforce me to repay if I leave 'early'. its like getting corporate relocation on a new job. if you leave that job before X amount of months, you pay back that 'earned benefit' of relo.

why can't this be that way? sure, I'd be 'happy' to keep current for the next 6mos. I will anyway, dammit! why deny me coverage NOW for emergency stuff?

it cold and heartless and evil. its not the only way to play. but its how they choose to play and the fact that they CHOOSE it this way makes them absolutely evil.

Re:the devil vs the devil

I guess that would be valid, but not in cases where you have proof of continuous insurance prior to changing to the new provider due to company going bust/losing job etc.

For the car insurance analogy it would be like always having car insurance, you change to a different provider on renewal and not been able to use the policy in the first 3 months. Which I'm sure we all agree is unfair.

I'm in the UK, so while the NHS is not a shining beacon of a health care service, it is the "care service" part; they try to put you together and you don't have to worry about selling the house to pay for it.

Perhaps a 2 level insurance cover would be better in the US? A basic low tax on everyone for "just good enough" health care, and the individuals can opt to top up to have "premium" cover (with whatever provider you choose). This would include private rooms, cosmetic surgery, ability to jump the queue by going to a private/premium hospital instead of the A&E type ones and so on.

Actually pretty similar to the UK where you can get private health insurance to do all that; unless you have a pre-existing condition then expect to pay a "individually tailored price", which is fair enough, they are a business after all. I just hope the current government does not succeed in getting private business more involved with the NHS, it will end up like the dentistry in the UK, all private and far to expensive for most people. (There are some NHS dentists around but you still have to pay, why us brits have bad teeth! :) )

Cheers

Re:the devil vs the devil

[Dishevel]

Not that I ever want to be on the side of the insurers.
Surely though you can see that you would never want to pass a law stating that there could be no waiting period.

The cost of insurance would skyrocket.

Smart people who are healthy would wait till they need some major work done. Then buy insurance. Keep it long enough to get the work done then drop it.

I know insurance companies can be evil. Just make sure when figuring how things should be to remember that people can be evil as well.

Re:the devil vs the devil

[Rolgar]

Sorry to hear about your situation. I have an opinion on why things are the way they are, and as I specified in my post, not having a choice is part of what is killing us, along with government underpaying on medicare which passes on the cost for medicare covered individuals on to the rest of us, as well as not going after tort reform, which forces doctors to bump their rates up $25 dollars an hour.

However, those companies are not the same company that's providing this insurance, although I suppose they could have the same parent company. Wishing this company ill will would be like getting mad at Ford because your brother was killed in a defective Toyota.

Re:the devil vs the devil

[codegen]

except the lawyers gain out of this one...

Re:the devil vs the devil

[Oxford_Comma_Lover]

I have the feeling if I had the cash that my employer pays Aetna for my insurance coverage, I could go select something else, I could probably get a better deal.

Wrong, unless you go buy very bad coverage. Most of the time, employer-based health insurance has serious advantages. First, the rates are much lower because there's a bigger risk pool (at least that's the theory--in reality, they are lower because it's a collective plan, which is related, but is also about bargaining power). An individual plan will cost MUCH more unless you have very strong state regulation.

Second, employers can generally deduct the cost of health insurance for employees, where as individuals cannot usually deduct the cost of health insurance. (With one or two exceptions--there is something if you are self-employed that lets you deduct a certain amount, I believe.)

There are also more complicated tax issues around deductions for medical costs generally, but that's a different tomato. Also for medical costs in certain managed care type facilities (complications that are really unfair to everyone else in certain situations involving the lack of imputed interest in certain arrangements, but that are politically unpopular to make remotely fair--effectively ways to make medical expenses deductible beyond those that are deductible for everyone else, because of the way the transaction is structured).

Re:the devil vs the devil

[AmiMoJo]

This is why a mandatory insurance scheme is such a good idea. In the UK we pay national insurance directly from our pay packets as part of the deducted tax. Everyone gets free treatment on the National Health Service, but you are of course free to sign up for private care too.

Why bother?

[SniperJoe]

When I hear about things like this, I think back to why insurance was created, namely to protect you in case of a loss that you cannot afford. Think about what you insure, your home, your liability in a car accident or your life (and income potential therein). It appears that in this case, Sony can afford this failure, they're just trying to use insurance as a cost offset. Given what would seem to me like the relative ease of the insurance company denying coverage ("Were you fully patched and protected in every reasonably manner against breach? Prove it"), why would you bother with insurance in this case? Is there possibly some fiduciary responsibility to shareholders that is the cause?

Re:Why bother?

[sribe]

Is there possibly some fiduciary responsibility to shareholders that is the cause?

Yes. Sony is obligated to check out every avenue to offset this cost.

Re:Why bother?

[fuzzyfuzzyfungus]

I suspect that it is a managerial/cultural matter: "Risk management"(in the finance sense, not the engineering sense) is extremely popular and consists largely of attempting to quantify the costs of various risks and then construct a wide assortment of various financial instruments(insurance contracts among them; but by no means limited to insurance) in order to minimize your risk exposure number.

Little people obtain insurance to deal with the potential for low-probability catastrophes; but if you bring the finance guys into it, insurance is just another financial instrument to be fiddled with in the service of perceived optimization(also, once you bring the finance guys into it, not insuring something starts to look a lot like self-insuring something, at which point the question of whether to buy insurance or not really just comes down to whether to do something in-house or contract it...

Re:Why bother?

[Rolgar]

Do you know when such an event will happen, how often, or how expensive one or more incidents may be? With insurance, you can balance the cost. You pay a set amount, and when it happens, you've already been paying for it over time. So this smooths out the lumps by spreading the cost over many years instead of focusing the cost all in one or two quarters.

For instance, as an individual, with health insurance, I know that at some point, I or someone in my household will end up in the hospital. I can either buy insurance, or I can set aside the same amount of money (assuming I have access to all of the funds used to buy the insurance, which in the U.S. would mean the employer's portion.) Set aside 12 years of premiums, and you might have $100,000 which might be enough to cover all of the expenses you would incur over the 12 years. It might even more than cover it. Maybe everybody is healthy, and you only spend $20,000 over those years. Still, it does make some economic sense to buy the insurance because the potential losses could easily be higher than the $100,000, and even if your costs matched the $100,000, you might have to pony up all of that money in the first three years, or the last three. Buying insurance, you're paying out $8000 a year, plus deductibles in the over the 12 years.

For a business, this makes further sense, because it helps match the expense with when it occurs. Not with the OCCURRENCE of the incident, but with the RISK, which in probably constant over time, at least as far as most people can tell.

Re:Why bother?

[SniperJoe]

Here's where I have a hard time trying to justify the insurance piece. Insurance companies will do anything and everything to get out of paying. In the security world, insuring against a breach just seems to be fraught with an insanely high standard to receive compensation from the insurance company. In this case, I'm imagining a scenario where you have to PROVE to the insurance company that you did all you could to avoid such a breach, including up-to-date patches, social engineering training, penetration tests, etc, etc etc. Most of us here know how difficult security can be, especially for a larger firm.

To continue your health insurance analogy, can you imagine if you asked your health insurance company to reimburse you for something and they ask you to prove the following:

- That you have exercised three times a week for the past 36 months
- That you have eaten a healthy diet, strictly following the food pyramid and abstained from drugs including caffeine, tobacco and all illegal drugs
- That you regularly visit the doctor, dentist and optometrist for checkups

If you failed to be able to show good faith in those criteria, they would refuse to pay for your health care.

The issue that keeps popping up in my mind isn't whether insurance is a good idea. The issue in my mind is why bother with it if you stand little-to-no chance of actually collecting any money from it?

Re:Why bother?

[afidel]

It's mostly because of the shift in market focus to quarterly profits, in the history of Sony and even PSN the costs are fairly trivial but if they all come in two or three quarters instead of the monthly insurance premium it upsets the street.

Re:Why bother?

[Em+Adespoton]

I wonder if Lloyd's will insure people against rejected insurance claims?

Re:Why bother?

I find it interesting that the non-measurable impact to their brand and therefore profits tends to not be argued or even explored. It's almost like it never existed unless it can be perceived on a spreadsheet somewhere in a hard line measurable way... unless it comes down to a copy-write infringement argument.... then any number will do... bigger the better.

How many people will think twice before jointing some sort of PS3 online thing again? And by that argument, given the choice, how many people will opt to buy a future version of an xbox to the future Playstation? How would some sort of cyber crime insurance help them with that?

Better security is no insurance

[timeOday]

The whole point of insurance is to make a variable cost into a fixed cost. Even if better security substantially reduces your average cost over an infinte time horizon, it does not make the associated costs predictable. It's like saying, don't get homeowners insurance in case your house burns down, just remember to turn off the iron when you leave home.

Re:Better security is no insurance

[hedwards]

Yes, but insurers don't typically give you a blank check to replace what you like for whatever happened. There are typically restrictions to what they'll cover and if you're behaving in an irresponsible fashion they aren't necessarily obligated to pay out. More commonly though they'll pay the claim then cancel the coverage.

Insurance fraud is a serious issue which causes all the other insured parties to have to pay more. I'm personally curious if they'll get away with refusing to pay, but given the degree of negligence on Sony's part in all of this I wouldn't be surprised if the courts reduced or eliminated the amount that Sony could receive for these incidents.

Re:Better security is no insurance

[Daniel_Staal]

Actually, from what I've read, the insurance company is trying to claim that cybersecurity breaches (or whatever you wanted to call this) wasn't part of the policy. So it's not that Sony was negligent, it's that Sony wasn't insured at all. (According to the insurance company, at least.)

Re:Better security is no insurance

[Bob+the+Super+Hamste]

Or to put it a different way it is a hedge against potential losses. This is the prudent thing to do as you pointed out it give you a fixed cost all be it at probably a higher total cost. Airlines have been know to do similar things when they purchase futures contracts for fuel, some times it works in their favor some times it doesn't but in either case they know their cost going forward.

Re:Better security is no insurance

[hedwards]

You seem to be correct, Sony was covered for property damage and personal injury, not cybersecurity breeches. So, I'm guessing that this wouldn't be considered property damage or at least only a very small amount of the claim could be considered property damage.

Re:Better security is no insurance

And the point of privately owned insurance companies are getting as much money to their owners as possible.

So in essence you are paying someone to find ways to not pay you in case you needed it. The concept is flawed by design. Yet, the solution is not easy.

Re:Better security is no insurance

[AmiMoJo]

Not being insured is the same thing as being negligent. If you are a large company doing something risky like storing personal data you need to have insurance to cover loss. In fact we should make it a law in the same way that car drivers must have insurance.

Re:Better security is no insurance

[Daniel_Staal]

Only if they can't cover it out of pocket. (Car drivers are a special case: Increasing access to private transportation has massive economic advantages, but an accident can cause hundreds of thousands of dollars worth of damages, more than 90% of the population would be able to pay. By requiring insurance, we keep the cost of insurance down and make sure that someone can pay for damages in case of a massive accident.)

How depressing...

[fuzzyfuzzyfungus]

Not that bad things are happening to Sony, who deserves it; but that even giant bloodsucking multinationals with legions of attack lawyers can't keep insurance companies in line(arguably, if you count CDOs, neither can nation states. Why don't we shoot these people again?). Makes me feel a whole lot better about the inevitable hassles that will arise from my next claim form...

Re:How depressing...

[ColdWetDog]

I'm not sure who you are desiring to shoot, unless it's "Kill them all and let god sort it out". However, this is total standard operating procedure for an insurance company. Faced with a big loss you take some of your already paid for legal staff and obfuscate for a while, hoping to get the whole thing knocked off or, much more likely, come up with a mutually disagreeable solution of some lesser value.

These are not the higher principles you are looking for....

Re:How depressing...

[Bob+the+Super+Hamste]

There is this thing called reinsurance that insurance companies can purchase that lets them hedge the risk from their own policies. This call to be able to dump the Sony claim might be coming from the reinsurance company or companies. To put things in perspective reinsurance companies make your standard insurance companies look like paupers.

Re:How depressing...

[afidel]

Zurich is a large reinsurer as well as a large scale insurer. A former company did a lot of work for them doing forensic accounting on companies claiming business losses after Katrina, Zurich was not the holder of those policies but rather was insuring the basket of policies that were being claimed against.

Re:How depressing...

[interkin3tic]

Why don't we shoot these people again?

Because we can't get good insurance salesperson shooting insurance for some reason...

Shouldn't have to pay

[Baloroth]

At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. By this point, I'm almost wondering if some of them weren't/ aren't deliberately sabotaging Sony's security (well, those who actually know enough to do sabotage, which is looking like the minority at this point.) No patches/ firewall on their servers? Not using random numbers in the signature on firmware for the PS3 (thus revealing the master private key. Including that for Bluray.)? This? These aren't just huge, gaping flaws. Flaws require effort to exploit. These are just... not security. At all. Its like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. Its simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

Sony should be forced to pay, and probably have some punitive costs added as well, so that they learn to hire competent security designers. And pay them well. This whole episode is simply mind-boggling. Didn't know a company could be this incompetent and still exist.

Re:Shouldn't have to pay

(posting anon so I don't get sued by former employers - mega tech, mega bank, mega networking...)

This sort of crap is why I got out of IT security and secure network protocols as a formerly fun career path. The big companies don't give a flying ^&%# about actual security anymore, the MBA mentality has determined its cheaper to declare it secure and buy an insurance policy. HSM? That's too expensive... Password database, PKI? No, the spec says "encrypted", it doesn't specify anything about key management, just bake a password into the firmware, or make it talk to AD... (sigh)

Re:Shouldn't have to pay

[ColdWetDog]

One should not attribute to malfeasance what can adequately explained by stupidity. Although, I have to agree, Sony is really pushing it here.

Re:Shouldn't have to pay

[Opportunist]

Most points have already been made, but allow me to elaborate why I do not necessarily see Sony's security team as incompetent. Chances are, they couldn't do a better job. Or rather, a combination of "they were not allowed to" and "they didn't get what's necessary to do it".

First of all, security is a cost position without revenue. It costs money but doesn't make any. It's a bit like an insurance, you pay for it to reduce the risk of something bad happening. When times are dire and money is short, what's the first thing people do? They cancel their insurances. Companies do the same. And even if money ain't tight, security usually gets some breadcrumbs compared to pretty much any other department. They simply cannot generate a positive cash flow, no matter what they do, so their budget is usually barely enough to keep things afloat, let alone trying to improve them or keep them on the edge, both technically and concerning the information and knowledge of the security staff. More often than not, gathering information, visiting conferences and learning new threats is something you better do in your spare time, you won't get time for that at work.

And the other side is that no company wants security. They want compliance. Not because they want it, but because they need it to be either allowed to do something or because some partner requires it when you want a contract with them. PCI-DSS is a requirement if you want to do credit card transactions, so companies get certified. But you better do what getting that cert requires, and ONLY that. Not an inch further! Nothing else. Just what's enough to barely qualify for the cert. You won't get any money for anything else, even if it would increase your security tenfold for ten cents you will get your ass kicked for spending that dime if it wasn't required for the cert.

The result is what went down at Sony. Because as soon as your company has passed the cert, don't expect to get any money to keep your system up to spec 'til a reaudit is due. In other words, if the attack doesn't happen JUST after the cert has been passed or reissued, don't expect the server to be secure against anything. In a world where your knowledge has a half-life of about three months, an audit per year to retain the cert is a joke.

Not to mention that certs rarely cover everything. The ISO27k framework is from 2005. Can you imagine that it might no longer cover every angle of attack? Despite being worded rather broadly to take into account that technology progresses. So you have definitions like "best practice" and "against current threats" in the requirements.

Now, what is "best practice" and what is a "current threat"? Basically, it's what the auditing company defines. Yes, I pretty much set the "security standard" for the companies I audit. Ain't I afraid that someone might come along and tell me that I missed a spot? Heck no. Who should? Other auditing companies? You are aware that they want to keep their own certs, and that there aren't so many auditing companies about? Now take a wild guess who would audit them. Think they want to piss in my soup?

The whole cert business is a huge circle-jerk. And until that changes, a cert is better kept in the toilets in case the paper runs low.

Re:Shouldn't have to pay

(posting anon so I don't get sued by former employers - mega tech, mega bank, mega networking...)

yeah I'm sure that's the reason...

Re:Shouldn't have to pay

Any sufficiently advanced stupidity is indistinguishable from malfeasance

Re:Shouldn't have to pay

mod parent up, please!

Re:Shouldn't have to pay

[Pharmboy]

I don't buy it. Patching Apache doesn't cost money, is extremely easy to do, is usually quite safe. Adding a firewall can cost as little as zero. Windows and Linux operating systems all come with reasonable firewalls that might not be as robust as a dedicated solution, but are certainly better than nothing, and are trivial to setup. The only cost for those two "fixes" was perhaps a few thousand dollars worth of IT guy time, at most, and likely it would have cost zero, as you simply do it at install time. Firewalls don't need updating.

It just doesn't add up that they would go out of their way to NOT have a firewall when virtually every OS will DEFAULT to having one ON at install. You literally have to ask it to turn it off. Even to turn it off to configure the server and turn on at least a BASIC firewall at their routers just isn't hard.

Re:Shouldn't have to pay

[10101001+10101001]

At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. ... Its like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. Its simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

The issue is, if you go to an insurance company and explain you're going to leave your car unlocked in a bad neighborhood, locks removed, with a sign that says "plz dont steal" and they agree to cover you, then they should pay out. The general issue is likely that there's standard boilerplate legalism in the contract which would negate any sort of verbal agreement of coverage of such a scenario, so you'd have to rely upon a "weird clause in the contract" to receive any sort of coverage. In other words, your little analogy either makes the insurance company sound incompetent on its own right for offering the insurance or instigating willful fraud by promising something they'd expect a court to inherently dismiss. I'd imagine the real scenario isn't like that at all.

Re:Shouldn't have to pay

[vux984]

Patching Apache doesn't cost money, is extremely easy to do, is usually quite safe.

Time is money. Patching takes time.
And "usually quite safe" is not "safe". It means once in a while the time you spend doing it balloons into a lot more time, or even worse system downtime... I've got a server that we don't do OS updates nearly as often as we should because the damned database server on it flakes out, and some of the tools don't work with new versions of Java and flake out if java updates are installed. So its up, its rock stable if we just leave it alone the way it is... so we just leave it alone.

Adding a firewall can cost as little as zero.

Only if you pay your employees / contractors etc zero.

Windows and Linux operating systems all come with reasonable firewalls that might not be as robust as a dedicated solution, but are certainly better than nothing,

I agree. But all it takes is one stupid software package... I installed a network version of some accounting program a few months ago... windows firewall blocked it. It turns out it requires some 30 or 40 exceptions to be manually added to the windows firewall on each workstation.

Turning the firewall on took 3 seconds... making the shitty accounting software work while it was on took nearly 7 hours from problem report to diagnosis to tested and resolved... and the system was down for that period.

I'm willing to bet most people using that software just turn the firewall off. That only takes 3 seconds.

I've run into other software that was similarly a PITA. And that's windows firewall which is pretty laid back... even I get tired of dealing with some of the commercial firewalls that act like A.D.D. Chihuahuas.

Re:Shouldn't have to pay

[Pharmboy]

You already have the employees on the payroll. You can't say it cost more than their salaries if the time they spent setting it up is trivial.

And as for your shitty accounting software, that isn't comparable to a web server. In general, web servers use two port that are well documented, not 40 that are not well documented. Setting up the firewall for database is also very easy. I'm literally talking about a few minutes in Linux, just a few lines for exceptions in iptables.

I get that in some instances it might be difficult, but a web server with some database access is pretty simple. And no IT person worth 2 cents would disable and leave disabled, a firewall system for a multibillion dollar company, unless told to by a boss.

Re:Shouldn't have to pay

[Opportunist]

It costs time. And time is maybe the most valuable resource in a company environment. You'll rather see management approve buying something than having you spend time on doing something. Especially if your annual salary is in the 6 digits or at least getting close to it.

And please allow me to dispel the myth that firewalls don't need updating. They do. I wouldn't say that it's a sizable amount of audits that fail due to outdated firewall settings, but it does happen, especially in high security areas where everything usually filed under "recommendation" automatically turns into something for the "failure" pile.

And yes, having a firewall is actually a requirement of most certificates. Unfortunately they don't require a bullet-proof configuration. Having a firewall means jack if its configuration is swiss cheese. Sadly, most certs don't make a difference here. Please separate from the idea that we're dealing with user PCs here that don't have to offer services and hence a vanilla firewall setting of "block all, except traffic initiated here" suffices. You're dealing with servers that are connected to a potentially hostile environment that have to offer various services from webpages to VPN access, with different networks having different access levels on the different services. Configuring a firewall for something like this well can easily take quite a bit of time and require someone who actually knows what he does. Because every second of downtime costs money.

And now imagine you add on top of that fragile mix a new service that requires you to turn your carefully crafted settings inside out because it not only needs its own ports reconfigured but also makes demands on the other services running on the machine. Or, worse, you activate a service on a different machine, potentially in a different network, separated from this one by the internet, and you now not only have to create a secure connection between those two networks but also ensure that nothing else gets through. You might get an idea that this is first of all time consuming to do and second of all very, very error prone if not done correctly.

And since people prefer to err on the safe side, which means availability trumps confidentiality, most firewalls are too leniently configured.

Re:Shouldn't have to pay

[Opportunist]

You sure you already have them on the payroll? Unless you're some REALLY big company, you might not have a guru for every kind of software you want to install, even if you might have someone who knows your chosen firewall appliance inside out, which is also anything but a given. Most are already overwhelmed when trying to configure something like Astaro sensibly.

And while your webpage example works as long as your web server only serves pages and nothing else, it already becomes a very different game as soon as you have other services. Or have to add load balancing 'cause a single machine cannot handle it anymore. Or have to configure it to cooperate with your server farm. In almost every scenario, it means you're going to have to buy manpower. If you're a small company and you'd only have to configure your firewall to allow that single server to get out, you probably lack the proper employee to configure it. If you're big enough to have the employees, you probably also have to take care of a farm big enough to overwhelm your employee's abilities. Of course you can outsource it to a server hosting service, but then you'll pay for anything anyway.

As for your last example, you have no idea how often that's exactly the problem. "Yes, we had to turn it off because (insert whatever stupid software they absolutely NEED to use) couldn't get through the firewall and we couldn't figure out how to make it do that, so the boss said we'll have to disable it 'til we figure out how to do it". Of course, as soon as the system "works", no time gets allotted to fix the firewall setting and hence that firewall stays offline infinitely.

Re:Shouldn't have to pay

[AmiMoJo]

Never attribute to malice what can adequately be explained by incompetence.

A few years back I used to work in IT. This guy who was in charge of a multi-million pound turnover company's servers as a contractor was too scared to patch them. If the update went wrong he might have to take a trip up to London on the weekend to fix it, and being Server 2003 that occasionally did happen. Whenever there was a problem the staff would be on the phone every five minutes screaming at him and threatening lawsuits for lost income. As such they were stuck with an unpatched OS and IE7 to run their users on via RDP.

Whenever there was a security problem he blamed it on the users, and a couple of them lost their jobs over repeated infections. Since they were on an unpatched version of IE7 though even legit sites could be carrying infected banner ads.

Eventually they got fed up and brought another company in who immediately converted all servers to VMs and fully patched them.

Re:Shouldn't have to pay

[Pharmboy]

So you have people who know how to load balance a range of services through multiple systems, but can't configure a firewall?

Re:Shouldn't have to pay

[Opportunist]

Not as odd as it may sound at first. Especially in this time and age where "knowing how to set something up" pretty much translates as "knowing where to push buttons in a given tool".

I'm actually the other way 'round. I can tighten your firewall (provided it's at least somehow related to any firewall technology that I'm familiar with, I try to avoid too proprietary solutions that have nothing in common with generic implementations anymore), but I doubt I could configure a load balancer sensibly. I'm not really an expert in making networks efficient. I'm an expert in making them secure. Sure, I could certainly somehow get the load balancer going, after all I know "a bit" about networking, but I have no experience with the odds and ends and quirks that may arise. I'd expect the same from a networking guru who could configure a load balancer while asleep and do it in a way to put it at peak performance but would configure a firewall, at best, with some mediocre level of security because he doesn't know about the many little bits that turn a mostly secure firewall into a tightly sealed one.

Security is unfortunately not a 99% game. It's not enough to be 99% secure. 99% is simply not secure. 99% performance is pretty decent, though, and I guess investing time and money to squeeze out that last percent is in no relation to simply buying more/faster hardware to improve performance. You can't do the same with security, unfortunately.

Re:Shouldn't have to pay

[Pharmboy]

I sum it up with my boss this way...

When it comes to network security, there are two kinds of people:
1. Paranoids
2. Idiots

Either you are one, or you are the other.

Re:Shouldn't have to pay

[Opportunist]

Oh, I know a lot of people who fit into both groups. Who have no idea, and hence are scared of whatever boogeyman some sales drone paints when he has some security snakeoil to peddle.

Re:Shouldn't have to pay

At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. By this point, I'm almost wondering if some of them weren't/ aren't deliberately sabotaging Sony's security (well, those who actually know enough to do sabotage, which is looking like the minority at this point.) No patches/ firewall on their servers? Not using random numbers in the signature on firmware for the PS3 (thus revealing the master private key. Including that for Bluray.)? This? These aren't just huge, gaping flaws. Flaws require effort to exploit. These are just... not security. At all. Its like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. Its simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

Sony should be forced to pay, and probably have some punitive costs added as well, so that they learn to hire competent security designers. And pay them well. This whole episode is simply mind-boggling. Didn't know a company could be this incompetent and still exist.

Any merchant who holds onto credit card info for recurring transactions needs that coverage. Merchants who just pass credit card data to the bank for a single transaction, but don't keep it on file, are less at risk! http://www.rawbin.com.np

The summary nailed it!

[sribe]

Um, better security as an insurance policy maybe?

Yes. Every insurance policy you could possibly buy will require you to exercise the normal and accepted level of diligence with regard to security. No policy in the world will cover you if you're negligent, because insurers are sane; they're not going to accept that level of risk. They're only going to take on the risk that you do things reasonably well, and still get breached by some sophisticated and not-reasonably-expected attack.

Re:The summary nailed it!

..because insurers are MONEY SUCKING CORPORATIONS AS WELL.

There, fixed it for you.

Re:The summary nailed it!

[Bob+the+Super+Hamste]

They might write a policy for you but it would be put into the high risk pool. I do wonder if the company did any assessments of Sony's security since if they did and signed off on it then the insurance company is going to have a hard up hill battle. When I got my private life insurance they had a physical exam to verify that what I provided on their form so for an even larger policy I would assume that they would do auditing to at least verify that Sony was in the correct risk category when policy renewal time came.

Re:The summary nailed it!

[idontgno]

I do wonder if the company did any assessments of Sony's security since if they did and signed off on it then the insurance company is going to have a hard up hill battle

Which is probably why you're not reading about "Sony's insurance company rejected the claim", but are instead reading about "Sony's insurance company is suing to be able to reject the claim". I'd speculate that Sony looked good enough on shallow inspection to validate their coverage, but Sony's hidden incompetence and malfeasance makes it a matter of litigation rather than insurance adjustment.

Unjust enrichment?

[Sky+Cry]

So a company is running unpatched servers with no firewall. Even if they do get insurance against cyber incidents, they are guaranteed to get absolutely nothing from this insurance, because they don't have any protection set up. Isn't insurance in this case essentially unjust enrichment for the insurance company?

Re:Unjust enrichment?

[robot256]

Nope. This is exactly how cyber insurance should be: an incentive to keep your networks secure. If you can prove you have them up to industry standards (set by the insurance companies), then you are insured against extraordinary events. There's no point in insuring something that is guaranteed to happen eventually, like the breach of an unsecured network. This is exactly how health insurance works in the U.S., at least the better ones. It's in the insurance company's best interest to keep you healthy, so they incentivize things like regular doctor's visits and not smoking and stuff. It's the only way to get people's heads out of the sand and monetize the risk in the here and now to affect decisions before it's too late.

They didn't buy coverage for that.

[Animats]

The actual court filing by the insurance companies says:

Notwithstanding, the claims set forth in the Class Action Complaints filed against SCEA and the other Sony Defendants, as well as the miscellaneous claims, arising out of the cyber attacks on the PSN and SOE Network and the unauthorized access to and theft of the named plaintiffs and putative class members' personal identification and financial information, do not assert claims for "bodily injury," "property damage" or "personal and advertising injury" so as to entitle SCEA to defense and/or indemnity under the ZAIC Primary Policy.

In other words, Sony didn't buy coverage against a liability of this type. They were covered if the product actually injured someone or damaged their property (shocked someone or caught on fire, for example) but not for an indirect financial loss.

What they needed was an "errors and omissions policy". This covers financial screwups. Banks, accountants, tax advisors, and brokers usually carry such policies, because they handle other people's money. What Sony's people didn't realize is that, by handling so many credit card numbers (and, apparently, improperly holding more credit card info than they should have), they had the exposure of a financial institution.

Any merchant who holds onto credit card info for recurring transactions needs that coverage. Merchants who just pass credit card data to the bank for a single transaction, but don't keep it on file, are less at risk.

Re:They didn't buy coverage for that.

Shows just how complicated insurance is when even Sony doesn't realize they were supposed to buy a different kind of insurance. Maybe we should have an insurance system that doesn't screw people over for having homeowner's insurance when what they really needed was flood insurance.

"Yes I know you had a sewer backup and that you're on high ground, but the sewer backup was caused by flooding so you needed flood insurance. Yes, sir, I understand sir. No sir, I do not believe it's anatomically possible for me to do that."

Re:They didn't buy coverage for that.

[ginbot462]

Lesson: Insurance (the House) always wins.

Re:They didn't buy coverage for that.

[robot256]

"But the flood was caused by Global Climate Change, and flood insurance doesn't cover that. No sir, we don't sell Climate Change Insurance yet. Our actuaries are still calculating the odds of total world destruction."

Re:They didn't buy coverage for that.

No, the lesson is "read the fucking contract." It's the same line SCEA themselves fell back on when they yanked OtherOS.

I love the smell of schadenfreude in the morning.

Re:They didn't buy coverage for that.

[Solandri]

Yeah, it sounds like Sony's policy with Zurich was General Liability Insurance. That type of insurance only pays for injury, property damage, and litigation arising from those two. Sony is really pushing it trying to claim the data breach caused injury or property damage to its customers.

OTOH, if the courts buy Sony's argument and classifies identity theft as injury or property damage, then the world gets a lot more interesting. Paypal loses your credit card and bank account info to hackers? Your bank loses a laptop with all your personal info on it? Sue them for injury or property damage.

Re:They didn't buy coverage for that.

No, what they need is a Cyber Risks Policy, which they actually have.

"Sony does in fact have a cyber insurance policy, which covers losses related to the breach. But it is likely that the company was hoping to lean on Zurich to cover the expected high costs related to defending itself against the slew of class-action lawsuits."

http://www.zimbio.com/SC+Magazine/articles/3Uy-tu7oydf/Zurich+seeking+immunity+covering+Sony+over

Sony has a General Liability policy placed with Zurich, which has a clause that contains "certain exclusions" related to "class-action complaints and miscellaneous claims," so Zurich is seeking to protect themselves from having to indemnify Sony for expenses related to the the class-action lawsuits.

Re:They didn't buy coverage for that.

Insurance is a contract for specific performance based upon specific types of losses; If the type of loss is not listed on the contract, the insurance doesn't have to pay.

That's like asking Dell to provide, free-of-charge, a newer, upgraded wifi card, because the one included on the system you just bought from them, does not work with the Windows 7 (retail version) that you just upgraded to on the system. You don't have the drivers for the existing card to work with 7, but if they'd only give you the upgraded card that you did not buy, then it would work.

-it ain't gonna happen.

Re:They didn't buy coverage for that.

[AmiMoJo]

What I can't understand is why Visa and Mastercard are not suing Sony. It costs them money to deal with fraud. I guess Sony is too big a customer to piss off.

competent security designers where lay offed and

[Joe_Dragon]

competent security designers where lay offed and they where not given the tools / funds to do there job.

RTFA - They didn't have cyber-liability coverage.

How does this illustrate the shortcoming of cyber-liability insurance?? The whole point of the article is that they *didn't* have it, only general liability.

"According to Zurich Insurance, the commercial general liability insurance policy it has with Sony Computer Entertainment America does not cover damages arising from cyber incidents. The policy only covers "bodily injury" and "property damage" caused by occurrences other than the kind of cyberattacks Sony experienced."

As much as I hate insurance companies

[Bob+the+Super+Hamste]

As much as I hate insurance companies I don't think that Zurich American Insurance Co. is as bad as some and is probably reasonable in trying to avoid paying in this case. From my understanding Sony didn't do due diligence in securing their network or even follow what would have been reasonable precautions that a rational actor would take. It is interesting that the insurance company is going to court which probably means they feel they have a strong case since usually they will just deny the claim.

There is no way they are as bad as my parents insurance company who told them their house didn't have hail damage even though my untrained eye could see broken shingles and dented siding. Their insurance company claimed that even though every house for about 2 miles in every direction had substantial hail damage theirs didn't because "hail is funny like that". Unfortunately my parents didn't take the to court because it really was an open and shut case. This is the same company that I fought and won when my car was totaled because they didn't want to pay the fair market value.

Re:competent security designers where lay offed an

[XanC]

Meanwhile, /.'s command of the English language deteriorates to new lows.

Re:The insurance business plan

[TheGratefulNet]

don't confuse insurance with the word assure or even ensure.

insure simply means to play legal gambling on statistical odds... ...and then they get to keep your money and you get to die.

Re:competent security designers where lay offed an

[idontgno]

Slashdot fail English? That's unpossible!

Automotive policy

[phorm]

Indeed, many automotive policies do not cover you in cases such as:
a) You have been drinking/driving and get into an accident
b) Your car is stolen when you leave the keys in the ignition (or leave it running, etc)

Depends on what's in Sony's policy, but I wouldn't be surprised if they had an anti-negligence clause.

"no firewall, out of date servers"

[abigsmurf]

Hasn't this already been confirmed as complete bullshit? I seem to remember you could get a google cache of the server information at the time which pretty much refuted all of the 'evidence' that Sony was running an insanely out of date server config? Why does this crap keep getting posted?

Re:"no firewall, out of date servers"

[Todd+Knarr]

I don't know about a Google cache, but you could check the Apache release notes against the version of Apache running at the time. I did. And while the version was quite a few patchlevels old and there were quite a few bugs fixed in the more recent revisions, most of those bugs were for either denial-of-service vulnerabilities (attackers could use them to crash, lock up or overload the server but couldn't gain access to data through them) or vulnerabilities specific to Apache running on Windows (SOE was using Unix-based servers so those wouldn't apply). The ones that were left were exploitable only in certain non-standard configurations, ones SOE was unlikely to be using. While there definitely was a hole somewhere, it doesn't look like SOE was recklessly running a known-vulnerable server. Rather, they were doing the sensible thing and not messing with a working production system until there was a version released that addressed a problem that applied to them.

If I had to guess, I'd say it's more likely the attackers got in through malware infecting the standard Windows PCs used inside the company, and leveraged that to gain access to the servers from the inside.

Was it worth it Sony?

[erroneus]

I know Sony is making a $Billion every second of every minute of every hour of every day, but that nearly $180M sounds like a lot of money to me. Is Sony still coming out ahead after all of this? Seems like it's possible -- there was a story here recently talking about PS3 overtaking the Xbox360... (though my guess is the Xbox360 market is saturated and in order to get something new, they finally got a PS3 too)

Whatever the case, I see the attacks on Sony not as a mere attack and security breech, but massive consumer backlash against Sony. I may not have had anything to do with the attacks, but I was certainly enjoying the news stories and headlines and I feel that Sony deserves every bit of it and more... more especially if those arrogant bastards don't change the way they behave.

I have a feeling that once the courts and everything is done with the issue, a new batch of attacks will occur.

Welcome

[sjames]

Welcome Sony, to the world the little guys live in. The one where you need insurance insurance for when your insurer finds a way to weasel out of a perfectly legitimate claim even though they faithfully cashed your check every month since forever.

Of course, since the only place you could get insurance insurance from is one of the weasels that looked even less reliable than where you bought your insurance from, good luck with that.

almost everyone else was also hacked

Sony's hack is barely a drop in the massive hacking spree that followed.

Re:competent security designers where lay offed an

[hairyfeet]

This. This is why I got out of corporate, because it got to the point one was given impossible problems with NO budget and more often than not if you managed to pull it off they would just fire half the guys and expect YOU to take up the slack.

I'd say the problem is what I call "failing upwards" in that they get rewarded for fucking IT because you "Saved X on the company budget" by firing everyone that knew WTF they were doing, or cutting their budget to the bone, and then when the shit hits the bladed cooling device they have moved up either through promotion or using their "track record" to get a job at another corp thus they NEVER get the blame.

Having competent IT staff costs money that the PHBs never want to spend, so they end up firing everyone with a brain (if they ever hired them in the first place) or giving each guy the workload of 5 until they all burn out or jump ship, but gutting IT looks good on the quarterly earnings so nobody gives a fuck until the shit blows up in your face but by then the geniuses that thought gutting IT was a swell idea have taken their bonuses and moved on. It is a real problem with corps here and I frankly don't see it getting any better despite LULSec spanking so many companies.