NEW YORK/BOSTON (Reuters) - Sony is looking to its insurers to help pay for its massive data breach, an amount that one expert estimates could exceed $2 billion, but others said insurers may balk at ponying up that kind of money.
“We have a variety of types of insurance that cover damages. Certain carriers have been put on notice,” Sony Corp spokesman Dan Race told Reuters.
Race declined to name the insurers or to say whether there was a cap on the size of any payout they would make to Sony.
Sony has been under fire since hackers accessed personal data for more than 100 million of its online video game users. It has said it could not rule out that some 12.3 million credit card numbers had been obtained during the hacking.
Sony noticed unauthorized activity on its network on April 19, and reported it to the U.S. Federal Bureau of Investigation on April 22.
Some experts said Sony faces an uphill battle to get its insurers to pay for its damages from the cyber breach.
They may try to blame Sony for negligence for failing to properly secure its data centers, said Dan Zeiler, a director of security and compliance for American Internet Services, a data center services provider.
Zeiler, who helps manage data centers and server farms for clients in San Diego such as Intuit Inc and Rio Tinto, said he was surprised by the lack of sophistication in the way Sony protected its network.
Sony said on Wednesday that it was adding “automated software monitoring and configuration management” to help defend itself against new attacks. Zeiler said Sony should have already been using that type of service.
“When I hear Sony talking about deploying this kind of software in reaction to the breach, what I wonder is, ‘Why didn’t they have this on their systems before?’ It raises a lot of questions about their practices,” he said.
Sony has shut down its online game services, including its PlayStation Network, which has 77 million users, as well as online games such as “Free Realms,” which has more than 12 million players.
The Japanese electronics company is investigating the data breach and has charged that the Internet vigilante group Anonymous was indirectly responsible for it. Anonymous has denied responsibility for the cyber attack.
Larry Ponemon, chairman and founder of the Ponemon Institute, has estimated that notifying Sony’s customers and cleaning up the breach would cost about $20 per person, or more than $2 billion. The Ponemon Institute is a consulting firm that specializes in research on data breaches and security issues.
Ponemon said that was a conservative estimate because some 12.3 million credit card numbers may have been compromised in the hack. And replacing a credit card costs considerably more than $20.
“It’s likely to be more expensive because credit data is involved,” Ponemon said. “We call credit card numbers ‘crown-jewel’ data.”
Insurance experts said the liability on Sony’s policy was likely spread among several insurers.
Cynthia Larose, a privacy attorney at Mintz Levin, said Sony’s policy was likely underwritten by a “top notch” carrier and could cover costs related to crisis management and the investigation surrounding the breach, which includes forensics. Coverage of the forensics work could be a major cost saver for Sony.
“Forensics can get pretty expensive and that’s a big chunk of damages,” she said.
She said cyber liability policies had become much easier for corporations to get and much cheaper than in the past.
It was not clear whether Sony was insured for the full cost of the cleanup, which involved hiring at least three companies to investigate the matter.
“They are not going to be completely unscathed,” said Etti Baranoff, professor of insurance at Virginia Commonwealth University. “No matter what, their insurance rates are going to go up.”
She added that the insurers were likely involved in cleaning up Sony’s network.
Editing by Steve Orlofsky