When it comes to data security, Sony would rather forget the last few months ever happened. Not only was Sony Pictures hacked, but a DDoS attack overwhelmed the company's servers in the days around Christmas, which shut down Sony's PlayStation Store and left millions of its users without a way to play video games online or download new games, according to Computer World.
While Data Breach Insurance can help Sony pay for some of the costs of this cyber attack, it won't cover all its losses – especially the hard-to-quantify losses from lost revenue and damage done to Sony's reputation.
Why are we talking about Sony? Well, it's important for IT consultants to understand how Cyber Liability coverage works. Even if your clients have Cyber Insurance, they won't be covered for all their cyber attack losses. Understanding which losses aren't covered will help you build a better IT risk management plan.
What Losses Are Covered by Sony's Data Breach Insurance?
A business's Data Breach Insurance typically covers the cost of:
- Contacting customers whose data has been breached.
- Offering identity theft protection.
- Hiring IT experts to find the cause of the cyber attack or breach.
- Hiring PR firms to oversee the company's response to the breach.
Unfortunately, every insurance policy has its limits. After the recent DDoS attack, Sony's reputation was at a low point. Hackers have repeatedly shut down the gaming network, and many gamers are getting fed up with the company's poor performance and looking to jump to a competitor.
How did Sony respond? By giving a bunch of stuff away. Sony offered 10 percent discounts for all purchases of games and movies through its network and extended memberships by five days for all active members and those using a free trial.
From a business perspective, this move was essential. Sony needs to keep its customers happy. But giving away all these freebies certainly costs the business revenue. Unfortunately, this cost isn't covered by a Cyber Liability Insurance policy.
It goes to show just how far-reaching the losses of a cyber attack can be. Often, repairing the company's IT – in this case, restoring network services and upgrading its gaming network – is only a small part of the company's damages. Lost revenue, discounts, and other compensatory responses can cost a business significantly.
What Does This Mean for IT Consultants?
Even if your clients have Data Breach Insurance, diminished revenue and damage done to their reputation won't be covered. In the risk management business, we see this gap in liability as a huge red flag.
It means that IT consultants will be exposed to risk. When a client's insurance doesn't fully cover their losses, they may sue you for damages.
Think of it like a car accident. Say you get in a fender bender. If your insurance doesn't cover the damage to someone's car, they have to get that money from somewhere. They could take you to small-claims court or file a lawsuit against you.
The same thing happens in IT, but the stakes are much higher. Clients know that they're exposed to cyber risk and often require their IT contractors to have Errors and Omissions Insurance. This coverage can pay for your legal expenses if clients sue you over data breaches and other professional liabilities.