Gartner Blog Network

No Insurance Policy Ever Protected a Customer, and Lots of them Don’t Even Limit Business Risk

by John Pescatore  |  July 22, 2011  |  7 Comments

Sony has publicly stated that the direct costs in 2011 in dealing with their failure to protect PlayStation Network customer data will top $170M – and that doesn’t even count what they may end up paying out in settlements and the associated legal costs. Sony, of course, had insurance and expected that would bound how much out of pocket expense Sony would have, vs. how much the insurance carrier, Zurich American, would pay out.

Ooops – according to The Register, Zurich American filed suit against Sony saying:

According to the complaint, Sony tendered the complaints and claims to Zurich and has demanded that the insurer defend it against the claims. It goes on to say ZAIC isn’t obligated to cover the costs because Sony’s insurance policy insures only against legal claims for “bodily injury”, “property damage”, and “personal and advertising injury”.

“ZAIC therefore has no obligation to defend or indemnify the Sony defendants under the ZAIC Excess Policy for the claims asserted in the class action complaints or the miscellaneous claims,” the complaint, filed in the Supreme Court of New York County, stated. It seeks a court ruling that none of the hack attacks qualify for coverage.

Now, Sony may win this lawsuit (though the legal fees to do so will likely eat up quite a bit of the risk bounding the insurance policy offered in the first place), and whoever decided what type of insurance the PlayStation Network carried looks to have made a big boo-boo, but depending on insurance to bound risks in information security has continued to prove woefully inadequate.

Software engineering is still an oxymoron. There is no table of strengths for software, no handbook of materials, no basis for insurance estimators to determine risk. Fire insurance can look at materials used, fire suppression in place. Auto insurance can look at the track record of the particular car and particular driver to set rates. Not so with software – none of that works.

The first attempts at issuing cybersecurity insurance policies tried to rely on BS7799 and then ISO27001 type audits but the week after the audit everything changed – it is like issuing fire insurance to buildings that go from fire retardant ceiling tiles to gasoline coated ones because of a new consumer fad.

It really falls back to either the payout of the insurance barely exceeding the premium costs because the insurers have no realistic way to monitor risk (and won’t), or falling back on more general liability policies, the more likely approach. But even that requires making sure liability policies cover other than traditional forms of “damage,” as Zurich American’s language in their suit points out.

Almost invariably, the costs of avoiding a security incident are less than the costs of dealing with the impact of an incident. A Sony lessons-learned will very likely find some simple precautions and process improvements could have protected those 77 million accounts for less than the $300M+ this incident will end up costing Sony. Paying more attention to the terms of their insurance policies may have helped bound that overall risk somewhat better, but insurance would not have prevented 6 weeks of customer down time and would still likely leave Sony spending more on incident response than it would have spent on incident prevention.



John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Thoughts on No Insurance Policy Ever Protected a Customer, and Lots of them Don’t Even Limit Business Risk

  1. Robert says:

    But the cost to combat all possible incidents is too high (ignore for the moment that it is impossible to protect from all incidents). How do you suggest choosing which ones management puts its resources on?

  2. Of course, to make decisions about insurance, you would have to decide to insure everything against everything (horrendously expensive) or only insure certain risky areas – which is what all businesses do. So, businesses have to decide where to put their insurance “resources” by largest expected exposure – the usual risk assessment approach.

    In today’s world, deciding what to spend extra on protecting can be complicated, but you can also start simple: Protect the customer information and protect the major elements of the revenue stream. In many cases, like Sony’s, these are one and the same. In most cases all kinds of other incidents will have business impact, but in very few cases will customer information and the biggest revenue line *not* end up in the top of any risk analysis anyway.

    I have a Gartner research note in internal review called Optimal Approaches for Dealing With Advanced Targeted Threats that lays out the top level methodology around this, should be out in a week or two. Lawrence Orans and I also have one that should come out right after that focused on Denial of Service attack mitigation strategies, as well.

  3. […] record and automobile indication history, there is no approach to guess risk in program development, John Pescatore, a Gartner analyst, wrote on his blog. There is “no list of strengths for software, no text of materials, no […]

  4. […] driving record and car model history, there is no way to estimate risk in software development, John Pescatore, a Gartner analyst, wrote on his blog. There is “no table of strengths for software, no handbook of materials, […]

  6. Greg Quinn says:

    John, the reason Cyber Liability policies exist is because of exclusion (p) of the CGL policy: “the CGL does not provide coverage for loss of electronic data as such data is not tangible property and thus not considered property damage. This exclusion buttresses the Coverage A insuring agreement by excluding any damages arising out of the loss of, loss of use of, damage to, corruption of, or inability to access or manipulate electronic data.”

    These policies actually have a rather broad definition of what constitutes an injury, and the premiums are much lower than you would think due to the amount of competition in the marketplace. Not to mention, the risk management services provided with the policy are worth the price of premium alone in the event of a breach. This includes PR assistance, forensic investigations, and credit monitoring services for victims.

    Businesses need to know these policies exist and that they are indeed beneficial but in no way are meant to supplant in house security measures. In fact, many carriers will not write a risk unless proper security measures are in place.

    Maybe if Sony applied for this they would have been told to encrypt their users passwords….

  7. Amazon says:

    Does your site have a contact page? I’m having a tough time locating it but, I’d like to send you an email.
    I’ve got some creative ideas for your blog you might be interested in hearing.

    Either way, great website and I look forward to seeing it improve over time.
