Lawsuit Against Sony Highlights Cyber Insurance Shortcomings

CWmike writes "A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents. Zurich American Insurance Co. asked the court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company. The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs. But analysts say insurance might not have even been worth it in Sony's case: 'There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents,' said Gartner analyst John Pescatore. Um, better security as an insurance policy maybe?"

Re:Plan B?

[fuzzyfuzzyfungus]

I think that the Lulz Boat is arguably already a form of of 'Sony Online Entertainment', albeit not of the kind that Sony intends to publish...

Shouldn't have to pay

[Baloroth]

At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. By this point, I'm almost wondering if some of them weren't/ aren't deliberately sabotaging Sony's security (well, those who actually know enough to do sabotage, which is looking like the minority at this point.) No patches/ firewall on their servers? Not using random numbers in the signature on firmware for the PS3 (thus revealing the master private key. Including that for Bluray.)? This? These aren't just huge, gaping flaws. Flaws require effort to exploit. These are just... not security. At all. Its like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. Its simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

Sony should be forced to pay, and probably have some punitive costs added as well, so that they learn to hire competent security designers. And pay them well. This whole episode is simply mind-boggling. Didn't know a company could be this incompetent and still exist.