The December 2014 cyberattack against Sony wasn’t the largest or even the most expensive, but this breach may go down as the most embarrassing on record. And it’s that collateral damage that raises the stakes and places the Sony breach among the most damaging in recent history.
While Sony’s CEO is confident that the financial costs of the breach, estimated at around $100M, will be covered by its cyberinsurance policies, he is glossing over the harmful consequences of the sensitive, private and shameful information the hackers revealed to the world. Sony executives were shown making fun of and even insulting the artists they work with in email communications. Will those actors forgive and forget, or will they refuse to work with Sony in the future? How does Sony quantify that damage? How does a company insure against reputational harm?
And consider the internal harm done to employees whose personal information was stolen or who were privy to the leaked internal emails, including some branded as racist or sexist. Could there be legal implications and costs stemming from the theft of employee data or those discriminatory emails?
How about the impact this breach will have on Sony’s insurance coverage? The company was smart to have cyber liability coverage in place, but Sony is now considered a higher risk and will undoubtedly face significantly higher premiums in the future. No underwriter will accept this risk without major offsets in exclusions to future coverage or much higher rates.
Let’s not overlook that $100M cyberinsurance claim. Sony may be off the hook for the short-term financial costs of this breach, but the policy’s underwriter(s) will now have to pay that bill, so the damage flows downstream. However, the consequences of this breach far surpass the sting of a multimillion-dollar payout.
The cyberinsurance market has already begun moving toward more comprehensive risk assessment, and this will tip the scales in favor of required pre-binding risk assessment throughout the industry. This will help underwriters reduce gigantic payouts that directly affect not only their bottom line, but also their ability to offer affordable insurance to other companies.
The fact is, there are countless potential ramifications related to this breach that are difficult to predict and hard to quantify. Sony, for all its bravado, will eventually have to pay the price. But, if there’s a silver lining in this story, it’s that the need to better understand cyberrisk at the outset will encourage greater adoption of holistic risk assessment within the cyberinsurance market – an outcome that will benefit everyone.