Sony’s most recent data breach underscores the difficulties in underwriting and insuring cyber risk. Sony incurred losses that were surprising in both their scope and type. The company already is a defendant in at least four new lawsuits concerning the disclosure of employees’ confidential information. In addition to potential liability, Sony suffered substantial first-party losses that may be difficult to quantify, including forensic costs, reputational injury, and business interruption losses.
According to published reports, Sony may have $60 million in cyber insurance to mitigate these losses. Even if this figure were true and the cyber policies applied to the breach, Sony’s insurance probably would cover only a fraction of its actual damages.
The unprecedented nature of this breach may cause some insurers to reexamine their exposure to cyber risks. Although companies can purchase cybersecurity insurance, these policies are not always affordable. The problem is most acute on the first-party side.
In a November 2012 Cybersecurity Insurance Workshop Readout Report, the Department of Homeland Security noted that, although a sizeable third-party market exists to cover loss of customer or employee data, first-party policies “remain expensive, rare, and largely unattractive.” The report identified several factors behind this problem, including the lack of actuarial data to model cybersecurity risks and fears that a “cyber hurricane” would overwhelm insurers with large and unpredictable losses. The Sony breach may spur more talk of “cyber hurricanes.”
Insurers have limited their exposure on the third-party side as well. Most cyber liability policies have burning limits, meaning that defense costs erode coverage. This feature allows insurers to cap their exposure at pre-determined levels. At the same time, insurers are expanding cyber-related exclusions in commercial general liability policies and other conventional insurance products, forcing companies to seek coverage for cyber risks in specialty policies.
As insurers obtain actuarial data, they will develop more affordable products for addressing third-party and first-party cyber risks. But the onus for developing this market is not only on insurers. Companies must improve their data security. Increased security should reduce the risk of breach, make cyber losses easier to predict in size and type, and in the end make cyber risks more insurable.