Lawsuit Against Sony Highlights Cyber Insurance Shortcomings

CWmike writes "A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents. Zurich American Insurance Co. asked the court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company. The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs. But analysts say insurance might not have even been worth it in Sony's case: 'There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents,' said Gartner analyst John Pescatore. Um, better security as an insurance policy maybe?"

Better security is no insurance

[timeOday]

The whole point of insurance is to make a variable cost into a fixed cost. Even if better security substantially reduces your average cost over an infinte time horizon, it does not make the associated costs predictable. It's like saying, don't get homeowners insurance in case your house burns down, just remember to turn off the iron when you leave home.

Re:Plan B?

[fuzzyfuzzyfungus]

I think that the Lulz Boat is arguably already a form of of 'Sony Online Entertainment', albeit not of the kind that Sony intends to publish...

Shouldn't have to pay

[Baloroth]

At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. By this point, I'm almost wondering if some of them weren't/ aren't deliberately sabotaging Sony's security (well, those who actually know enough to do sabotage, which is looking like the minority at this point.) No patches/ firewall on their servers? Not using random numbers in the signature on firmware for the PS3 (thus revealing the master private key. Including that for Bluray.)? This? These aren't just huge, gaping flaws. Flaws require effort to exploit. These are just... not security. At all. Its like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. Its simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

Sony should be forced to pay, and probably have some punitive costs added as well, so that they learn to hire competent security designers. And pay them well. This whole episode is simply mind-boggling. Didn't know a company could be this incompetent and still exist.

Re:Why bother?

[fuzzyfuzzyfungus]

I suspect that it is a managerial/cultural matter: "Risk management"(in the finance sense, not the engineering sense) is extremely popular and consists largely of attempting to quantify the costs of various risks and then construct a wide assortment of various financial instruments(insurance contracts among them; but by no means limited to insurance) in order to minimize your risk exposure number.

Little people obtain insurance to deal with the potential for low-probability catastrophes; but if you bring the finance guys into it, insurance is just another financial instrument to be fiddled with in the service of perceived optimization(also, once you bring the finance guys into it, not insuring something starts to look a lot like self-insuring something, at which point the question of whether to buy insurance or not really just comes down to whether to do something in-house or contract it...

Re:same as it ever was

[ArhcAngel]

Responding to an AC I know but in this case I believe Zurich has a case. Sony's was warned at least three months prior to the incident that led to their outage that their system was at severe risk.

Let's see if my car analogy works.
It would be like me leaving my car parked in a public parking lot with the windows slightly down and the keys in it. I let it sit there for months and several concerned individuals drop by to tell me there are undesirable elements in the hood and they have been stealing cars. I ignore these naysayers and go happily on my way until one day the car isn't there anymore. Then I go to my insurance company and ask them to pay me for a new car. They will say I was negligent and therefore they are not liable for my replacement costs.