Documents leaked by the group claiming responsibility for the attack on Sony Pictures show that the company has upwards of $60 million in cyber insurance coverage after consolidating coverage with Sony Corporation of America. But will that be enough?
Sony's search for better coverage started in 2013.
After sonypictures.com was breached in 2011, which resulted in 37,000 people having PII exposed, Sony Pictures made a claim of $1.6 million with Hiscox, their cyber insurance carrier at the time.
Their cyber insurance was bundled into a single policy with media liability, and because of the exposures involved, as well as the $1.6 million claim, Hiscox did not want to write a new policy and declined to quote at renewal. So Sony Pictures turned to an insurance broker, Lockton, which helped secure $20 million in cyber insurance with a $10 million self-insured retention.
"After two and a half months of working with our internal people, our broker and the insurance company underwriters, we received coverage including coverage for third party content in our care, custody and control. Insurance that many insurance companies will not write under Cyber policies," a memo from 2013 explained.
On or just before April 1, 2014, Sony Pictures signed with AIG, acquiring a new $10 million CyberEdge policy. This policy, effective from April 1, 2014, until April 1, 2015, overlapped with the existing coverage, set to expire on August 31.
One month later, in May, Sony Pictures turned to a new insurance broker, Marsh, which reached out to the incumbent insurance providers (Brit Insurance, Liberty International Underwriters, and Beazley) as well as other providers in order to secure a replacement for the policies expiring in August.
According to the leaked documents, the search for coverage was a drawn-out process, but Marsh worked diligently, eventually reaching a money-saving conclusion for the movie studio.
On August 27, Janel Clausen, VP of Risk Management at Sony Pictures, emailed Marsh's proposal to Curtis Crider, SVP and Corporate Controller. The proposal was to consolidate by adding Sony Pictures to Sony Corporation of America's existing policy.
"In brief, we recommend sharing Option 3, the $60 Million aggregate limit with various sub-limits. The consolidation will give SPE a higher limit, a lower retention and most importantly a significant premium savings," Clausen's email suggested. Crider responded the next day with approval.
The consolidation meant that Sony Pictures and Sony Corporation of America would share a total policy limit of $60 million ($5 million retention) at an annual cost of $356,963. The policy includes security and privacy liability coverage, as well as event management, network interruption, cyber extortion, and regulatory action.
The problem is that most of the cyber insurance experts who spoke with Salted Hash feel that $60 million isn't enough for a company of Sony's size, and they're not alone.
In an interview with Reuters, Jim Lewis, senior fellow at the Center for Strategic and International Studies, estimates that this incident could cost Sony upwards of $100 million. Mark Rasch, a former federal cyber crimes prosecutor, said that costs could run up to $70 million. Either way, that would leave Sony short $10-35 million after insurance pays out.
According to a Disaster Recovery report created in January 2014, the last time Sony Pictures did a business impact analysis was in 2008.
Using that data, the Disaster Recovery report notes that a failure of the Time and Attendance System (TAAS) has a financial impact of $6 million per day if an outage occurs on any Monday. After that, the eVMI (inventory) has an impact of $4.7 million per day; a system called SPIRIT has an impact of $2.7 million, and Timecapture Imageworks is reported to have an impact of more than $2 million per day if an outage occurs on any Monday or Friday.
Each of the listed systems is considered Tier 1 by Sony Pictures, meaning it has a recovery time objective of less than 12 hours. In the early days of the Sony Pictures breach, all of these systems were offline, and according to employees, some of them are still offline.
"Everything is down except some weird sort of webmail," one staffer explained.
Overall, the situation is still grim at Sony Pictures. Morale is low, and frustration with the situation is spreading. Some of those who have confirmed their PII was exposed by this incident are worried about how it will impact them. TAAS and other internal systems are still down, causing frustration, and network issues mean that employees are still using Verizon Mobile Hotspots for corporate access.
The system outages alone could cost Sony Pictures millions of dollars, but on top of that there are other considerations: employees (past and present) could sue, and so could those with a stake at the box office who might lose income due to the leaked movies. There could also be fines associated with the leaked HR data.
But this is only one incident, and Sony will need to show that it is resolved before they can start to make claims.
Moreover, once this incident is resolved, if something else should happen between now and April 1, 2015, Sony's insurance will be tapped out, leaving them on the hook for all other financial liabilities.