So you bought insurance against a data breach. With all the potential loopholes and variables, is it worth the cost for the coverage required to handle a real-world scenario? That’s a tender subject these days at Sony. In light of their recent breaches, with costs soaring near an estimated $180 million, it seems their insurance provider, Zurich American Insurance Co., has asked the New York State Supreme Court to indemnify it from paying the hefty claims.
Sony’s woes to date have resulted in the filing of over 55 class-action suits related to the breaches. Zurich American says their commercial insurance only covers “bodily injury” and “property damage”, and argues that Sony’s damage can’t be classified as either. It seems insurance company coverage, when it does extend to cyber coverage, normally only covers the cost of re-creating the data, not the legal and other collateral damage involved.
Part of the insurance companies’ pain relates to quantifying damage amounts in a field that’s a relative newcomer to the insurance world. In that case, insurers tend to wade gently into the water, and are far more conservative in their coverage than the cyber business community would prefer. John Pescatore, an analyst with Gartner, said cyber insurance policies didn’t provide any “meaningful bounding of the financial exposure from a cyber incident.”
This means you should check your policy closely and find out what burden is needed to prove there has been an “injury” relative to the terms of your policy. Many businesses assume a general policy will have them covered, only to find out the hard way after a data breach occurs. In this case, the old Boy Scout motto, “Be Prepared”, might be sage wisdom for companies with a significant presence in the cyber world.
In the future, insurance companies will be forced to analyze and understand the risks more completely in this arena. Toward that effort, the recent flurry of data breaches at various organizations will allow them to backfill their actuarial data and get a better handle on this developing market. In the meantime, do your homework when looking for complete coverage, and make sure it really covers what your organization expects and needs.
Author Cameron Camp, ESET