Sony hack serves as wake-up call, boosts interest in cyber security protocol
The cyber attack on Sony Corp. has been a wake-up call for many senior managers nationwide who were not already motivated by earlier hacking events.
They are reacting by making inquiries about their firm's cyber protection arrangements and seeking either to buy or increase insurance coverage, experts say. Meanwhile, insurers are expected to introduce stricter cyber underwriting standards before insuring a business.
President Barack Obama, who has blamed the Sony Pictures Entertainment Inc. hack on North Korea, introduced a cyber security legislative proposal to Congress last week that, among other provisions, calls for better cyber security information sharing between the private sector and government, as well as collaboration and information sharing within the private sector.
Also last week, New York Attorney General Eric T. Schneiderman said he would propose state legislation that would require “new and unprecedented safeguards” for consumers' personal data.
The Sony attack, blamed on North Korea in reaction to the movie “The Interview,” which mocked its leader, Kim Jong Un, began in November and has led to the theft of more than 100 terabytes of data, including emails, studio executives' salaries and the personal information of more than 47,000 studio employees.
Firms are viewing the Sony outbreak more seriously in the context of earlier cyber attacks, including those affecting The Home Depot Inc. and Target Corp., experts say.
“Risk managers were well aware of the major cyber threats prior to Sony,” said Kevin Kalinich, Chicago-based global practice leader of cyber risk insurance at Aon Risk Solutions. “The Home Depot and Target breaches already had woken up the risk manager, but for some reason the huge prior breaches had not woken up the management to the extent” that Sony has.
Now, senior management is getting more involved, asking questions about what their firms are doing about cyber security. “We see a more enterprise-level response now from entities to ask if we can help them in connection with that enterprise kind of risk management for cyber,” he said.
There also has been increased interest in cyber insurance as a result of this latest incident, experts say. While “there was already somewhat of a snowball going downhill in terms of the uptake for cyber insurance, the hill got steeper, and the snowball's getting bigger — fast,” said John F. Mullen, a partner with law firm Lewis Brisbois Bisgaard & Smith L.L.P. in Philadelphia.
“People are going to be asking themselves a lot of questions, trying to figure out where things have fallen between the cracks from a security standpoint, as well as from a coverage standpoint,” said Nicholas Economidis, Philadelphia-based underwriter of professional liability and specialty lines at Beazley P.L.C.
Whereas previously companies had considered whether to invest in information technology security or insurance, “what Sony did was wake up companies to realize it's not a mutually exclusive question, it's not an either/or situation,” Mr. Kalinich said. “Companies can invest in investment security as well as supplement that with financial impact protection through insurance.”
The attack has also led to companies' recognition that the data to be protected can extend far beyond employees' Social Security numbers or other personal data, experts say.
“We're really going to have to expand our view” of what information is considered “assets” at this point, said Todd M. Rowe, a partner with law firm Tressler L.L.P. in Chicago.
The embarrassment caused by the data released in the Sony case has raised questions as to how data is classified, stored and protected, said Adam Cottini, New York-based managing director of insurance and risk management in North America with Arthur J. Gallagher & Co., adding that embarrassment would not have occurred had those emails been encrypted.
More companies “now understand that everyone is in the information business,” said Richard Plansky, executive managing director at cyber security firm K2 Intelligence L.L.C. in New York.
Another factor is executives' recognition that the impulse behind the Sony cyber attack was maliciousness, not financial gain.
This “is a different type of cyber attack than what we've traditionally seen over the years,” said Jay Shelton, Chicago-based vice president of risk management services at Assurance Agency Ltd. “That's hard to proactively manage.”
Even if firms have nothing to do with North Korea, “there's always somebody who might want to come after you” from a political, public relations or other nontraditional angle, Mr. Economidis said.
“The concern right now with a lot of clients, especially in the retail sector, is can they even get the level of insurance they need” and, if the coverage towers are available, are they sufficient to cover probable exposure, said Mark Greisiger, president of Gladwyne, Pennsylvania-based NetDiligence.
Meanwhile, “underwriting is getting more scrutiny,” said Mr. Kalinich, though he said the more experienced insurers in the market are already on top of this risk.
Mr. Kalinich added, however, that he thinks underwriting requirements will be tightened, with insurers paying more attention to issues such as mandatory encryption and requiring more upfront assessments. With the soft market, “a lot of players were rushing into the business, but I think they were just overlooking traditional loss controls, and I think there's going to be a movement back to that now,” he said.
Mr. Kalinich also said some insurers are moving beyond the standard war risk exclusion toward putting exclusions in cyber policies that specifically address government-sponsored attacks.
But “I think you'd really have a tough time proving that under a coverage declamation scenario,” as a similar threat is involved whether the hacker is state-sponsored or not, Mr. Greisiger said.