There are several lessons to be learned by the attack on Sony Pictures, and businesses and the insurance industry need to take notice.
First, the pace of cyber breaches and attacks is increasing. According to an Obama Administration report, there were almost 61,000 cyber attacks and security breaches on the federal government last year, and this number doesn’t include hits on major corporations, like Target, Home Depot and now Sony.
Second, most insurance policies don’t necessarily address the fast-changing realities of cyber security.
Insurance policies typically contain exclusions on war and terrorism, but cyber-specific policies do not contain uniform wording and therefore require careful scrutiny. The application of war and terrorism exclusions typically depend on several factors:
- The first is the policy language itself.
- The second is the nature and effect of the cyber attack. Is it an act of war, terrorism, “hacktivism,” or something else?
- The third is the nature of the perpetrator. Is it a nation state, a group of like-minded individuals or criminals, or an individual?
- Fourth, what is the purpose and intent of the attack?
And what about the financial impact of an attack?
In Sony’s case, it may still be substantial. The studio briefly withdrew the $40 million film, “The Interview,” in response to a threat of a 9/11-like attack on theatres that screened the film involving North Korea’s leader Kim Jong-un, before finally deciding to go ahead with a limited release. The FBI says it now has proof that North Korea was behind the cyber attack on Sony Pictures.
One can predict that the Sony hacking incident will become a watershed moment in cyber history. The fact that any government, with vast resources at their disposal, can utilize the Internet as a means to deliver a debilitating, multi-million-dollar blow to an industry giant is troubling to say the least.
While Sony grapples with the fallout of the cyber attack, it’s a good idea for everyone else to dust off those property & casualty insurance policies and read the fine print.