Zurich lawsuit against Sony highlights cyber insurance shortcomings

Zurich Insurance's argument that it isn't responsible for Sony's data breach losses holds a lesson for others

Page 2 of 2

Even in cases where companies have a cyber liability policy, the policy often covers only the cost of re-creating the lost data, not breach notification costs, legal costs and other expenses related to a breach, Paller said.

Though a growing number of companies have been purchasing cyber insurance policies, it's hard to find instances where an insurance policy has paid for the kinds of losses companies incur when hit by a data breach, Paller said.

Large insurance companies in general have been very conservative about the losses they are willing to cover in a cyber policy because of the difficulty they have had in finding reinsurers who are willing to share the risk, Paller said.

Typically, cyber insurance policies don't provide any "meaningful bounding of the financial exposure from a cyber incident," said John Pescatore, an analyst with Gartner. Insurance companies have had a hard time finding a meaningful basis for assessing cyber risk. As a result, premiums are high, payouts are limited and the definition of a qualifying "injury" also is very limited, he said.

Enterprises that are considering cyber insurance policies need to first check what their existing policies do -- and do not -- cover, he said. They also need to have a current risk assessment done to understand what business process or customer data is at risk.

Cyber insurance is not a substitute for lax security, so companies need to address all of their security risks and compliance requirements first, Pescatore said. "[Then] look at the residual risks and see if the costs of cyber insurance can play any role in reducing the predicated cost of an incident," he said.

In Sony's case, it would appear that the company didn't know what their existing insurance covered. "If they had been paying for cybersecurity insurance, that would cover this type of instance, it would have likely had terms [stating that] they had to maintain a due diligence level of protection," he said.

So even if they had coverage, Sony would have likely had a hard time collecting from Zurich, he said.

Even if the policy had covered a large part of the millions that Sony expects to spend, the cost of the premiums and the deductible may have reduced the payoff so much that the cybersecurity insurance would have made little financial sense, he said.

Many companies choose to "self-insure" against data breaches because of the high premiums and deductibles associated with cyber insurance policies, he said.

"Risk managers should consider cyber insurance after they have mitigated the risks to critical business processes," he said.

They then need to evaluate the costs very carefully, Pescatore added. "There aren't many success stories where cyber insurance [has played] a significant role in reducing the cost of incidents," he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His email address is jvijayan@computerworld.com.

Copyright © 2011 IDG Communications, Inc.
