Cyber attacks and the need for adequate protection

Miles R. Afsharnik
March 1, 2014

The issue of cyber attacks and employee and customer privacy has been a hot topic in the media from the T.J. Maxx network breach in 2007 to the most recent breach at retail giant Target in December 2013. Unfortunately, these cyber attacks continue unabated, and unless the intended target of the attack is a high-profile consumer brand, the attack is typically not advertised.
For instance, in a recent study by NetDiligence®* analyzing cyber liability insurance claims over a two-year period (2010–2012), the company found that small-cap companies (those identified with a market capitalization of $300 million to $2 billion) and nano-cap companies (those with a market capitalization of less than $50 million) experienced the most incidents, at 22.9% and 22.1% respectively. The average number of records lost was 2.3 million. Crisis services, which include forensics, notification, and monitoring costs, represented the largest component of costs, averaging $737,473. Defense costs were next at 35.6% of total claim payouts, averaging $574,984.

Sony PlayStation Litigation

The high-profile cyber attack against Sony was covered quite extensively by the media. In April 2011, the networks operated by Sony for the benefit of its PlayStation® owners were hacked. More than one hundred million records with nonpublic personal and financial account information were stolen. Sony was hit with numerous class-action lawsuits. After it exhausted the limits of its cyber and network security policies, Sony turned to its general liability insurers for coverage. The commercial general liability (CGL) insurers denied coverage and litigation ensued.
In a recent decision, a New York trial court denied Sony’s request for coverage and found that the claim did not fall within the personal and advertising injury coverage of the CGL policies. Zurich American Ins. Co. v. Sony Corp. of America, case no. 651982/2011 (N.Y. Sup. Ct. February 21, 2014).
Sony had argued that the class-action allegations fell within the personal and advertising injury coverage part because the claims were basically an offense of oral or written publication that violated a person’s right of privacy. The insurers, however, argued that the publication should have been done by the insured and not a third party. The trial court ruled in favor of the insurer and found no coverage for these types of claims under a CGL policy.

Risk Management Implications

The trial court’s decision was focused on New York law and will undoubtedly be appealed to higher courts. CGL insurers are also modifying their policy language to exclude such publication of material that may violate a person’s right of privacy.
The important takeaway from this decision is that the notion of universal coverage under a CGL policy for such cyber attacks is misguided. This decision highlights the need for a standalone network security and privacy policy with adequate limits to protect the company against the ever-increasing cyber attacks.
*NetDiligence is a registered trademark of Network Standard Corporation.
PlayStation is a registered trademark of Sony Corporation of America.

This material is provided for informational purposes only based on our understanding of applicable guidance in effect at the time of publication, and should not be construed as being legal advice or as establishing a privileged attorney-client relationship. Customers and other interested parties must consult and rely solely upon their own independent professional advisors regarding their particular situation and the concepts presented here. Although care has been taken in preparing and presenting this material accurately, Wells Fargo Insurance Services disclaims any express or implied warranty as to the accuracy of any material contained herein and any liability with respect to it, and any responsibility to update this material for subsequent developments. To comply with IRS regulations, we are required to notify you that any advice contained in this material that concerns federal tax issues was not intended or written to be used, and cannot be used to avoid tax-related penalties under the Internal Revenue Code, or to promote, market, or recommend to another party any matters addressed herein.
Products and services are offered through Wells Fargo Insurance Services USA, Inc., a non-bank insurance agency affiliate of Wells Fargo & Company, and are underwritten by unaffiliated insurance companies. Some services require additional fees and may be offered directly through third-party providers. Banking and insurance decisions are made independently and do not influence each other.