Purpose

A resource for those interested in cybersecurity and the future of cyberspace.

Monday, May 9, 2011

Why the Cyber Attacks on Sony May be a Game Changer


By Scott Shackelford
Published in the Washington Times


One of the biggest identity thefts in history took place during three days this past April. Cyber criminals penetrated Sony’s PlayStation and Entertainment Networks and made off with the personal information of more than 102 million Sony customers—a figure close to the population of Japan. Names, addresses, passwords and, possibly, credit card information were stolen.



This disaster has cost Sony 4 percent of its stock price and has led to calls for its CEO to resign. While the final cost is still being tallied, it is known that data breaches cost U.S. companies on average $204 per lost consumer record. That means Sony may be liable for an eye-popping $20 billion in damages.



Few firms understand how widespread and dangerous cyber attacks have become. Over 75% of respondents to a Symantec survey reported experiencing a cyber attack during the past year. Those attacks cost on average more than $2 million per organization.



Overall, identity theft costs consumers more than $5 billion and firms $48 billion per year according to the Federal Trade Commission. Fraud is also a huge problem, with more than 700,000 complaints and over $1.7 billion in claims in 2009. More than 60% of these cases are from email scams and Internet websites.



Victims of cyber attacks and breaches in cyber security in recent years have included the likes of AT&T, Bank of America, Citigroup, General Electric, Nikon, Starbucks, Wachovia, the University of Chicago, and the States of Florida and New York, to name a few. A single incident involving the theft of a laptop owned by the Veterans Administration led to the loss of 26 million social security numbers of retired and active duty military personnel resulting in a class action lawsuit claiming more than $26.5 billion in damages.



Although the significant damage caused by some of these cyber attacks has been well publicized, few companies have taken action. A recent Carnegie Mellon study involving interviews with board members of companies with revenues between $1 billion and $10 billion found that 56 percent considered improving financial risk management a top priority, but 0 percent considered improving computer and data security to be a priority.



But there is an effective tool to manage liabilities ranging from identity theft to cyber crime and even sophisticated State-sponsored industrial espionage—cyber risk insurance policies. These policies have been available for years. They are expensive—costing anywhere from $5,000 to $30,000 per year for $1 million in coverage—which probably explains why they have not been adopted in a big way.



Even so, more companies are turning to the insurance market. In a survey conducted last fall by Betterley Risk Consultants, 30 percent of respondents indicated they had cyber insurance. Among respondents from companies with $250 million to $500 million in revenue, the number is 80 percent. Another 25 percent said they plan to buy it in the next 18 months.



Cyber risk insurance is a prudent move, but it is not necessarily the most productive business strategy. The costs are passed off to customers. This reduces the incentive to improve cyber security—leaving that challenge more in government hands.



Perhaps the Sony attack will be the tipping point in getting businesses to view cyber attacks not as a corporate nuisance, but as a serious threat to the survival of firms and the long-term competitiveness of economies built on intellectual property. In the meantime, one of the world’s most trusted brands has been tarnished and is being punished in the financial marketplace.



Scott Shackelford is an assistant professor of business law and ethics at the Indiana University Kelley School of Business. He is also author of the forthcoming Cyber Peace: Managing Cyber Attacks in International Law, Business, and Relations (Cambridge University Press).
