The hack attack which forced Sony Pictures Entertainment to shut down its systems Monday highlights the growing importance of cyber insurance that includes system business interruption cover, says one claims specialist.
According to Sony, hackers reportedly stolen reams of internal data and defaced staff computers, forcing the company to ask staff to disconnect their computers and personal devices from the Sony network and shut down virtual private networks, advising the situation could take anywhere from one day to three weeks to remedy.
“While it’s unclear as to whether the hackers have actually stolen anything and whether they do indeed have trade secrets to release to the public,” says the director of CFC Underwriting Graeme Newman, “the bigger issue is how long it will take Sony to resolve the issue and get its systems and its people back up and working again. For pretty much any company today regardless of size or industry, being without its tech systems for even a few hours would be damaging.”
The Federal Bureau of Investigation warned U.S. businesses that hackers have used malicious software to launch a destructive cyberattack in the United States, following a devastating breach last week at Sony Pictures Entertainment.
Cybersecurity experts said the malicious software described in the alert appeared to describe the one that affected Sony, which would mark first major destructive cyber attack waged against a company on U.S. soil. Such attacks have been launched in Asia and the Middle East, but none have been reported in the United States. The FBI report did not say how many companies had been victims of destructive attacks.
“I believe the coordinated cyberattack with destructive payloads against a corporation in the U.S. represents a watershed event,” says Tom Kellermann, chief cybersecurity officer with security software maker Trend Micro Inc. “Geopolitics now serve as harbingers for destructive cyberattacks.”
Newman points out that being without tech systems for up to three weeks could be devastating.
“This latest attack on Sony highlights not only the importance of having cyber insurance cover to turn to, but ensuring that the policy a business has is fit for purpose,” he says.
Standard commercial insurance
policies simply don’t cover business interruption as a result of a technology or cyber related issues, while many of the specialist cyber insurance policies available in the market remain entrenched in their focus on privacy breaches and data loss.
“In reality, businesses are more likely to suffer from a technology issue that takes their system out of action costing thousands if not millions,” says Newman. “Ensuring that system business interruption is included in a cyber insurance policy is essential as a business’s exposure to non-physical perils is now as big, if not bigger, than the more traditional physical risks.”
If it can happen to a business the size and sophistication of Sony then it could happen to anyone, Newman points out.
“The insurance industry has a responsibility to respond and ensure that the cover provided is fit for purpose and represents a true reflection of the emerging risks they face,” he says.