Slashdot Mirror


Lawsuit Against Sony Highlights Cyber Insurance Shortcomings

CWmike writes "A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance providers to cover expenses arising from cybersecurity incidents. Zurich American Insurance Co. asked the court last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company. The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised. The breaches have so far resulted in at least 55 putative class-action lawsuits being filed against Sony in the U.S and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs. But analysts say insurance might not have even been worth it in Sony's case: 'There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents,' said Gartner analyst John Pescatore. Um, better security as an insurance policy maybe?"

8 of 99 comments

  1. the devil vs the devil by TheGratefulNet · · Score: 4, Funny

    hmmm, on one side, an insurance company.

    on the other side, sony.

    hey, why does it have to be one or the other, though? can't they both lose? please?

    (for great justice. and a plate of shrimp, to go.)

    --
    "It is now safe to switch off your computer."
  2. Better security is no insurance by timeOday · · Score: 3, Insightful

    The whole point of insurance is to make a variable cost into a fixed cost. Even if better security substantially reduces your average cost over an infinite time horizon, it does not make the associated costs predictable. It's like saying, don't get homeowners insurance in case your house burns down, just remember to turn off the iron when you leave home.

    1. Re:Better security is no insurance by Daniel_Staal · · Score: 3, Informative

      Actually, from what I've read, the insurance company is trying to claim that cybersecurity breaches (or whatever you wanted to call this) wasn't part of the policy. So it's not that Sony was negligent, it's that Sony wasn't insured at all. (According to the insurance company, at least.)

      --
      'Sensible' is a curse word.
  3. Re:Plan B? by fuzzyfuzzyfungus · · Score: 4, Insightful

    I think that the Lulz Boat is arguably already a form of 'Sony Online Entertainment', albeit not of the kind that Sony intends to publish...

  4. Shouldn't have to pay by Baloroth · · Score: 5, Insightful

    At this point, it almost looks as if Sony's security team isn't just incompetent. That's pretty obvious. By this point, I'm almost wondering if some of them weren't/aren't deliberately sabotaging Sony's security (well, those who actually know enough to do sabotage, which is looking like the minority at this point.) No patches/firewall on their servers? Not using random numbers in the signature on firmware for the PS3 (thus revealing the master private key. Including that for Bluray.)? This? These aren't just huge, gaping flaws. Flaws require effort to exploit. These are just... not security. At all. It's like having theft insurance on a car, then leaving that car unlocked in a bad neighborhood. After removing the locks. Then putting a sign on it that says "plz dont steal." Then wanting the insurance money to cover the car after it gets stolen. It's simply not going to happen, at least if the court is anywhere near competent (or unless there is some weird clause in the contract).

    Sony should be forced to pay, and probably have some punitive costs added as well, so that they learn to hire competent security designers. And pay them well. This whole episode is simply mind-boggling. Didn't know a company could be this incompetent and still exist.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  5. Re:Why bother? by fuzzyfuzzyfungus · · Score: 3, Insightful

    I suspect that it is a managerial/cultural matter: "Risk management" (in the finance sense, not the engineering sense) is extremely popular and consists largely of attempting to quantify the costs of various risks and then construct a wide assortment of various financial instruments (insurance contracts among them; but by no means limited to insurance) in order to minimize your risk exposure number.

    Little people obtain insurance to deal with the potential for low-probability catastrophes; but if you bring the finance guys into it, insurance is just another financial instrument to be fiddled with in the service of perceived optimization (also, once you bring the finance guys into it, not insuring something starts to look a lot like self-insuring something, at which point the question of whether to buy insurance or not really just comes down to whether to do something in-house or contract it...

  6. They didn't buy coverage for that. by Animats · · Score: 5, Informative

    The actual court filing by the insurance companies says:

    Notwithstanding, the claims set forth in the Class Action Complaints filed against SCEA and the other Sony Defendants, as well as the miscellaneous claims, arising out of the cyber attacks on the PSN and SOE Network and the unauthorized access to and theft of the named plaintiffs and putative class members' personal identification and financial information, do not assert claims for "bodily injury," "property damage" or "personal and advertising injury" so as to entitle SCEA to defense and/or indemnity under the ZAIC Primary Policy.

    In other words, Sony didn't buy coverage against a liability of this type. They were covered if the product actually injured someone or damaged their property (shocked someone or caught on fire, for example) but not for an indirect financial loss.

    What they needed was an "errors and omissions policy". This covers financial screwups. Banks, accountants, tax advisors, and brokers usually carry such policies, because they handle other people's money. What Sony's people didn't realize is that, by handling so many credit card numbers (and, apparently, improperly holding more credit card info than they should have), they had the exposure of a financial institution.

    Any merchant who holds onto credit card info for recurring transactions needs that coverage. Merchants who just pass credit card data to the bank for a single transaction, but don't keep it on file, are less at risk.

  7. Re:Extortion works too! by Anonymous Coward · · Score: 4, Funny

    Don't worry, it's got Windows servers. They already know something's going to happen to it.