SONY cyber attacks – a brief history
Between April 16th and April 17th of last year, Sony's PlayStation Network was hacked. About 10 days later, Sony released a statement admitting the breach may have compromised up to 70 million customers' personal information:
“Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained…
…While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.”
The very next day, the first class-action lawsuit was filed. Then, just over two weeks after the first attack, on May 2nd, Sony was hacked again and an additional 25 million customers' information was put at risk. And if that wasn't enough, before the PlayStation Network was back up and running the second time, the Sony Pictures website was hacked by a group by the name of LulzSec, who bragged that they had compromised more than 1 million user accounts and uncovered an additional 75,000 music codes and 3.5 million coupons.
A few months later, Sony's insurance company, Zurich American Insurance Company (ZAIC), filed suit to assert that the coverage Sony had purchased from it did not include cyber attacks and that it had no obligation to defend Sony or cover damages.
“According to Zurich Insurance, the commercial general liability insurance policy it has with Sony Computer Entertainment America does not cover damages arising from cyber incidents. The policy only covers "bodily injury" and "property damage" caused by occurrences other than the kind of cyber attacks Sony experienced.”
As of today, there have been more than 50 class-action lawsuits filed against Sony related to the attacks, with estimated costs ranging from $180 million (for the first year alone) to upper estimates of just under $2 billion overall.
Facing this, Sony then tried to take some proactive measures to minimize the risk of future attacks by adding language to its terms of service that bars users from suing the company. This only served to fan the flames with its customers, and users filed a suit against Sony over the “no-suing” clause.
Cyber security and risk management
Sony isn't the only company that has been nearly crippled by hackers, and it won't be the last, either. The reality is that cyber security is a major financial risk for most online businesses, and even for some that aren't online. But what did Sony do wrong? And what can other businesses learn from its mistakes?
Why didn't Sony have coverage for cyber attacks? The lawsuit with Zurich will determine the legality of it, but analysts believe Sony will lose this battle. Perhaps more troubling is the fact that a separate cyber insurance policy probably wouldn't have helped all that much anyway. From this computerworld.com article:
Typically, cyber insurance policies don't provide any "meaningful bounding of the financial exposure from a cyber incident," said John Pescatore, an analyst with Gartner. Insurance companies have had a hard time finding a meaningful basis for assessing cyber risk. As a result, premiums are high, payouts are limited and the definition of a qualifying "injury" also is very limited, he said.
That's not to say that nobody should purchase such a policy; it's just that many plans are expensive and don't cover all expenses in the event of a security failure.
Enterprises that are considering cyber insurance policies need to first check what their existing policies do — and do not — cover, he said. They also need to have a current risk assessment done to understand what business process or customer data is at risk.
Understanding the risks is a two-step process here:
1. What systems/processes are vulnerable?
2. How much damage can be done by a breach?
   - Direct damage (theft, down-time, etc.)
   - Other liability
The “other liability” part is where insurance gets tricky: it involves lawsuits over other people's “property” or “data”, or, perhaps more commonly, potential loss of property from identity theft related to the breach. And even though some high courts have upheld defenses that “future predicted losses” in cases involving personal data theft lack standing for claimants, there is precedent for awards being granted as well.
Not just online businesses
Businesses of all kinds must be wary of the risks of cyber hacking, even those that do most of their business offline. Simply having a business account at a bank with online access can make your company a victim. And banks are eager to draw the line on their own responsibility. In one case, a bank preemptively sued a customer who was the victim of a cyber heist. From the article:
In early November, cyber thieves initiated a series of unauthorized wire transfers totaling $801,495 out of Hillary’s account, and PlainsCapital managed to retrieve roughly $600,000 of that money.
PlainsCapital sued Hillary on Dec. 31, 2009, citing a letter from Hillary that demanded repayment for the rest of the money and alleged that the bank failed to employ commercially reasonable security measures. The lawsuit asks the U.S. District Court for the Eastern District of Texas to certify that PlainsCapital’s security was in fact reasonable, and that it processed the wire transfers in good faith. The documents filed with the court allege that the fraudulent transactions were initiated using the defendant’s valid online banking credentials.
Businesses of all kinds need to take a serious and comprehensive risk management approach to cyber security. As the internet grows and the free flow of information between computers advances further, the very real implications of cyber hacking grow and advance along with it.