This Isn’t The First Time Sony Didn’t Have Enough Hacker Insurance

A growing class of hacker insurance policies can soften the blow from big breaches.


Sony is only the latest, most visible case in a string of corporate data breaches in recent years. Hackers regularly broke into Home Depot’s systems in 2014. Twitter and Pinterest lost control of users’ login data last spring. A breach at JPMorgan Chase resulted in the theft of 76 million customers’ data. And Target left all of its customers’ credit card info open to Internet burglars during last year’s holiday season. For companies now, the occasional hacker attack is becoming business as usual.


That’s where hacker insurance comes in. A type of specialty insurance that some insurance companies offer alongside their regular offerings, it covers the losses companies incur as a result of a hacker attack. (Typically, general liability policies specifically exclude losses incurred because of Internet breaches.) Known in the insurance industry by its technical name, cyberliability insurance, it has grown in popularity in recent years. Its sales made up around $1 billion in premiums in 2013, a fraction of the $1 trillion U.S. insurance industry. By the end of 2014, sales of hacker insurance premiums may reach $2 billion.

Sony should know the importance of having hacker insurance. In 2011, it faced down 64 class-action lawsuits after a breach of the company’s PlayStation Network resulted in the theft of 200 million customers’ data and 12 million credit card numbers. Sony had purchased cyber insurance, but not enough: It quickly exhausted its limits of liability defending the class action lawsuits. When Sony called upon its other general liability insurers to step in, Zurich American Insurance Co. claimed in New York State Supreme Court that its policy only covered “bodily injury” and “property damage” caused by occurrences. In other words: not cyberattacks. This past April, the court ruled in favor of Zurich.

But even after that, and with all the resources Sony has, it was still unprepared for this latest data breach. When Sony was hacked last month over The Interview, it was also covered by a cyber insurance policy, issued by Marsh, which reportedly only protects the company up to $60 million in damages. The policy came at an annual cost of $356,963, with coverage until April 1, 2015, according to leaked documents.

But a more robust insurance policy could have made the fall a lot softer.


“Sony is a large enough company that they should’ve had some technology deployed that would’ve alarmed on the unusual behavior of transferring 10’s of TB of data including all kinds of proprietary information,” says Andrew Bagrin, CEO of My Digital Shield, a security provider for small businesses.

According to the law firm McGuireWoods, small and medium-sized businesses make the best candidates for cyberliability insurance. They tend to have fewer resources than larger companies do, like beefed-up IT and legal departments.

With hacker insurance, a company can cover its losses up to hundreds of millions of dollars of cyber damage. Companies can typically buy individual policies from insurers like Travelers, AIG, Chubb, ACE Limited and CNA that cover up to $20 million in cyber damage. They can then stack up several limits of liability into the hundreds of millions of dollars by mixing coverage together. (Sony’s cyber insurer eventually consolidated policies for Sony Pictures and Sony Entertainment of America into its $60 million policy.) The policies and prices of these cyberliability insurance plans are still in flux, since the market is still young. More and more providers are offering their own flavors of hacker insurance, bringing prices down to levels that even small companies can afford.

“Just about every business today needs cyber-insurance,” Bob Hartwig, president of the Insurance Information Institute, told CNBC. “More and more businesses are transacting online and the reality is it’s only going to increase as we move forward.”


The costs to Sony will be huge, by some estimates. According to FiveThirtyEight, the loss in potential box office earnings alone could amount to $100 million. And the costs of replacing servers and generally cleaning up the digital mess from the attackers might add up to twice what it cost to produce The Interview, around $80 million. And that’s not to mention indirect costs from upset actors and disgruntled staff, whose private data is now public knowledge. Bloomberg puts the final tally at $200 million.

The warnings have been coming faster and louder. A global study of U.S.-based companies found that over the course of the past year, the average cost of cyber crime climbed by more than 9% to $12.7 million, up from $11.6 million in the 2013 study. The average time to resolve a cyber attack is also rising: 45 days, up from 32 days in 2013. A 2014 study from the Pew Research Internet Project also concluded that cyber attacks are on the rise. These latest attacks, like Heartbleed, are lessons for companies as they consider preventative measures and plan for worst-case scenarios.

“If an admin at Sony didn’t change all his passwords after Heartbleed, or other mass password theft scares, he is asking for others to impersonate his credentials,” Bagrin says, noting that the exact vulnerabilities exploited in the hack are still under speculation.

It’s nearly impossible to protect a business from every type of hacker threat. Increasingly, getting insured for them is a no-brainer.

About the author

I write about science and technology in the global marketplace, with a bent towards women in STEM. My work has appeared elsewhere in Quartz, Fortune, and Science, among others.