Computerworld

Zurich lawsuit against Sony highlights cyber insurance shortcomings

Zurich Insurance's claims that it is not responsible for Sony's data breach losses holds a lesson for others

A brewing legal dispute between Sony and one of its insurers over data breach liability claims highlights the challenges that companies can sometimes face in getting insurance companies to cover expenses arising from cybersecurity incidents.

Zurich American Insurance Company asked the Supreme Court of New York last week to absolve it of any responsibility for defending or indemnifying Sony against claims arising from the recent data breaches at the company.

The data breaches at Sony's PlayStation Network, Sony Entertainment Online and Sony Pictures resulted in account data on close to 100 million individuals becoming exposed and over 12 million credit and debit cards being compromised.

The breaches have so far resulted in at least 55 putative class action lawsuits being filed against Sony in the U.S. and another three lawsuits filed against it in Canada. Sony expects to spend close to $180 million in the next year alone on breach-related costs.

But the company's attempts to get Zurich to defend it against the claims have run into a roadblock.

According to Zurich Insurance, the commercial general liability insurance policy it has with Sony Computer Entertainment America does not cover damages arising from cyber incidents. The policy only covers "bodily injury" and "property damage" caused by occurrences other than the kind of cyber attacks Sony experienced.

The lawsuit is similar to one filed last year by the Colorado Casualty Insurance Co. in another data breach incident. In its lawsuit, Colorado Casualty, like Zurich, argued that it wasn't responsible for reimbursing the University of Utah for $3.3 million in costs related to a 2008 data breach caused by a third-party service provider.

In that case, however, Colorado Casualty offered no reasons for its position, which later resulted in a motion for dismissal by the third-party service provider.

The position that Zurich has taken in its lawsuit is likely to be substantiated by the court, predicted Dana Coates, a cyber-liability insurance specialist with United Agencies, an insurance brokerage company based in California.

"Personal and advertising injury liability coverage, as provided by typical General Liability policies, is specifically intended to cover resulting bodily injury and property damage liability," Coates said. Cyber attacks and data breaches are not defined or considered as bodily injury or property damage, he said in emailed comments.

Quite often, cyber incidents are specifically excluded by some policies to underscore the carrier's intention to not consider such allegations as being covered, Coates said. Sony needed to have specifically purchased cyber-liability coverage for its claims to be considered, Coates said.

Part of the problem is that companies sometimes mistakenly assume that any general insurance coverage they have also offers protection against cyber incidents, said Alan Paller, director of research at the SANS Institute.

Companies, for instance, sometimes assume that the insurance coverage they might have in place to compensate them if financial or business records get destroyed also protects them in the event of a cyber breach. In reality, such business records insurance coverage does not extend to data losses stemming from cyber incidents, though it might have in the past, he said.

Now if a company wants business records coverage that includes protection against data breaches, it needs to buy a new cyber insurance policy, Paller said.

Even in cases where companies have a cyber-liability policy, often the policy only covers the money needed to recreate the lost data, not breach notification costs, legal costs and other expenses related to a breach, Paller said.

Though a growing number of companies have been purchasing cyber insurance policies, it is hard to find instances where an insurance policy has paid for the kinds of losses companies incur when hit by a data breach, Paller said.

Large insurance companies in general have been very conservative about the losses they are willing to cover in a cyber policy because of the difficulty they have had in finding reinsurers who are willing to share the risk, Paller said.

Typically, cyber insurance policies fail to provide any "meaningful bounding of the financial exposure from a cyber-incident," said John Pescatore, an analyst with Gartner. Insurance companies have had a hard time finding a meaningful basis for assessing cyber risk. As a result, premiums are high, payouts are limited and the definition of a qualifying "injury" also is very limited, he said.

Enterprises that are considering cyber insurance policies need to first check what their existing policies do -- and do not -- cover, he said. They also need to have a current risk assessment done to understand what business process or customer data is at risk.

Cyber insurance is not a substitute for lax security, so companies need to address all of the security risks and compliance requirements first, Pescatore said. "[Then] look at the residual risks and see if the costs of cyber insurance can play any role in reducing the predicated cost of an incident," he said.

In Sony's case it would appear that the company didn't know what their existing insurance covered. "If they had been paying for cybersecurity insurance, that would cover this type of instance, it would have likely had terms that they had to maintain a due diligence level of protection," he said.

So even if they had coverage, Sony would have likely had a hard time collecting from Zurich, he said.

Even if the policy had covered a large part of the millions that Sony expects to spend, the cost of the premiums and the deductible may have reduced the payoff so much that the cybersecurity insurance would have made little financial sense, he said.

Many companies choose to "self-insure" against data breaches because of the high premiums and deductibles associated with cyber insurance, he said.

"Risk managers should consider cyber insurance after they have mitigated the risks to critical business processes," he said.

They then need to evaluate the costs very carefully, Pescatore added. "There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents."

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.