Sony has publicly stated that its direct 2011 costs from the failure to protect PlayStation Network customer data will exceed $170M, and that figure does not include whatever it ends up paying in settlements and the associated legal fees. Sony, of course, carried insurance and expected that policy to bound how much of the expense would come out of its own pocket versus how much its carrier, Zurich American, would pay out.
Oops: according to The Register, Zurich American has filed suit against Sony, saying:
According to the complaint, Sony tendered the complaints and claims to Zurich and has demanded that the insurer defend it against the claims. It goes on to say ZAIC isn’t obligated to cover the costs because Sony’s insurance policy insures only against legal claims for “bodily injury”, “property damage”, and “personal and advertising injury”.
“ZAIC therefore has no obligation to defend or indemnify the Sony defendants under the ZAIC Excess Policy for the claims asserted in the class action complaints or the miscellaneous claims,” the complaint, filed in the Supreme Court of New York County, stated. It seeks a court ruling that none of the hack attacks qualify for coverage.
Now, Sony may win this lawsuit (though the legal fees to do so will likely eat up a good part of the risk bounding the policy was supposed to provide in the first place), and whoever decided what type of insurance the PlayStation Network carried appears to have made a big mistake. The larger point, though, is that depending on insurance to bound information security risk has continued to prove woefully inadequate.
Software engineering is still an oxymoron. There is no table of strengths for software, no handbook of materials, no basis on which insurance estimators can determine risk. Fire insurance can look at the building materials used and the fire suppression in place. Auto insurance can look at the track record of the particular car and the particular driver to set rates. Not so with software: none of that works.
The first attempts at issuing cybersecurity insurance policies tried to rely on BS 7799 and later ISO 27001 audits, but the week after the audit everything had changed. A point-in-time audit says nothing about the next code push, configuration change or new service that goes live. It is like issuing fire insurance to a building whose fire-retardant ceiling tiles get swapped for gasoline-coated ones because of a new consumer fad.
So it comes down to one of two outcomes: either the payout barely exceeds the premium because insurers have no realistic way to monitor the insured's risk (and will not take one on), or coverage falls back on more general liability policies, which is the more likely path. But even that requires making sure the liability policy covers more than the traditional forms of "damage", as the language of Zurich American's suit points out.
Almost invariably, the cost of avoiding a security incident is less than the cost of dealing with its impact. A Sony lessons-learned exercise will very likely find that some simple precautions and process improvements could have protected those 77 million accounts for far less than the $300M+ this incident will end up costing Sony. Paying closer attention to the terms of its insurance policies might have bounded that overall risk somewhat better, but insurance would not have prevented six weeks of customer downtime, and it would still likely leave Sony spending more on incident response than it would have spent on incident prevention.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.