BreachExchange mailing list archives

Breach insurance might not cover losses at Sony Pictures


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 16 Dec 2014 20:36:53 -0700

http://www.csoonline.com/article/2859535/business-continuity/breach-insurance-might-not-cover-losses-at-sony-pictures.html

Documents leaked by the group claiming responsibility for the attack on
Sony Pictures show that the company has upwards of $60 million in cyber
insurance coverage after consolidating coverage with Sony Corporation of
America. But will that be enough?

Sony's search for better coverage started in 2013.

After sonypictures.com was breached in 2011, which resulted in 37,000
people having PII exposed, Sony Pictures made a claim of $1.6 million with
Hiscox, their cyber insurance carrier at the time.

Their cyber insurance was under one policy with media liability, and due to
exposures, as well as their $1.6 million claim, Hiscox didn't want to write
a new policy, and thus declined to quote at renewal. So Sony Pictures
turned to an insurance broker, Lockton, who helped secure $20 million in
cyber insurance, with a $10 million self-insured retention.

"After two months and half months of working with our internal people, our
broker and the insurance company underwriters, we received coverage
including coverage for third party content in our care, custody and
control. Insurance that many insurance companies will not write under Cyber
policies," a memo from 2013 explained.

On or just before April 1, 2014, Sony Pictures signed with AIG, acquiring a
new $10 million CyberEdge policy. This policy, effective from April 1,
2014, until April 1, 2015, overlapped with the existing coverage, set to
expire on August 31.

One month later, in May, Sony Pictures turned to a new insurance broker,
Marsh, who reached out to the incumbent insurance providers (Brit
Insurance, Liberty International Underwriters, and Beazley) as well as
other providers in order to secure a new policy to cover for those expiring
in August.

According to the leaked documents, the search for coverage was a drawn-out
process, but Marsh worked diligently, eventually reaching a money-saving
conclusion for the movie studio.

On August 27, in an email to Curtis Crider, the SVP and Corporate
Controller, the VP of Risk Management at Sony Pictures, Janel Clausen,
passed along Marsh's proposal, which was to consolidate, adding Sony
Pictures to Sony Corporation of America's existing policy.

"In brief, we recommend sharing Option 3, the $60 Million aggregate limit
with various sub-limits. The consolidation will give SPE a higher limit, a
lower retention and most importantly a significant premium savings,"
Clausen's email suggested. Crider responded the next day with approval.

The consolidation meant that Sony Pictures and Sony Corporation of America
would share a total policy limit of $60 million ($5 million retention) at
an annual cost of $356,963. The policy includes security and privacy
liability coverage, as well as event management, network interruption,
cyber extortion, and regulatory action.

The problem is, most of the cyber insurance experts who spoke with Salted
Hash feel that $60 million isn't enough for a company of Sony's size, and
they're not alone.

In an interview with Reuters, Jim Lewis, senior fellow at the Center for
Strategic and International Studies, estimates that this incident could
cost Sony upwards of $100 million. Mark Rasch, a former federal cyber
crimes prosecutor, said that costs could run up to $70 million. Either way,
that would leave Sony short $10-35 million after insurance pays out.

According to a Disaster Recovery report created in January 2014, the last
time Sony Pictures did a business impact analysis was in 2008.

Using that data, the Disaster Recovery report notes that a failure of the
Time and Attendance System (TAAS) has a financial impact of $6 million per
day if an outage occurs on any Monday. After that, the eVMI (inventory) has
an impact of $4.7 million per day; a system called SPIRIT has an impact of
$2.7 million, and Timecapture Imageworks is reported to have an impact of
more than $2 million per day if an outage occurs on any Monday or Friday.

Each of the listed systems is considered Tier 1 by Sony Pictures, meaning
it has a recovery time objective of less than 12 hours. In the early
days of the Sony Pictures breach, all of these systems were offline, and
according to employees, some of them are still offline.

"Everything is down except some weird sort of webmail," one staffer
explained.

Overall, the situation is still grim at Sony Pictures. Morale is low, and
frustration with the situation is spreading. Some of those who have
confirmed their PII was exposed by this incident are worried about how it
will impact them. TAAS and other internal systems are still down, causing
frustration, and network issues mean that employees are still using
Verizon Mobile Hotspots for corporate access.

The system outages alone could cost Sony Pictures millions of dollars, but
on top of that there are other considerations; employees (past and present)
could sue, and so could those with a stake at the box office who might lose
income due to the leaked movies. There could also be fines associated with
the leaked HR data.

But this is only one incident, and Sony will need to show that it is
resolved before they can start to make claims.

Moreover, once this incident is resolved, if something else should happen
between now and April 1, 2015, Sony's insurance will be tapped out, leaving
them on the hook for all other financial liabilities.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/