One of the biggest identity thefts in history took place between April 17 and 19. Cybercriminals penetrated Sony’s PlayStation Network and Entertainment Network and made away with the personal information of more than 102 million Sony customers - a figure close to the population of Japan. Lost information includes names, addresses, passwords and potentially the credit card information of users, setting off a public-relations disaster for Sony. The attack already has cost Sony several percent of its stock price and has led to calls for its CEO, Howard Stringer, to resign. The final tally for the attack is unknown, but data breaches cost U.S. companies on average $204 per lost consumer record. That means Sony may be liable for an eye-popping $20 billion in damages. Even more remarkable than the price tag is the fact that so few firms have recognized the danger of cyber-attacks. This finally may be beginning to change.
Cyber-attacks are widespread. More than 90 percent of respondents to a joint Computer Security Institute and FBI survey reported experiencing a cyber-attack during the past year, costing on average more than $2 million per organization. Identity theft alone costs consumers more than $5 billion per year, and firms lost another $48 billion. Fraud also is a huge problem, with more than 600,000 complaints and more than $1.8 billion in claims in 2008.
Victims of attacks and breaches in recent years have included AT&T, Bank of America, Citigroup, Wachovia, Starbucks, Nikon, General Electric, DSW Designer Shoe Warehouse, the University of Chicago and the states of Florida and New York, to name a few. A single incident involving the theft of a laptop owned by the Department of Veterans Affairs led to the loss of 26 million Social Security numbers of retired and active-duty military personnel, resulting in a class-action lawsuit claiming more than $26.5 billion in damages.
Yet despite the well-publicized cost, few companies recognize the real danger of cyber-attacks. A recent report released by Carnegie Mellon University’s CyLab interviewed board members at companies with $1 billion to $10 billion in revenues and found that 56 percent considered improving risk management a top priority, but none considered improving computer and data security to be a priority.
One tool for managing liability from cyber-attacks, which range from identity theft to cybercrime and even sophisticated state-sponsored industrial espionage, is cyberrisk insurance: policies that cover losses from cyber-attacks and data breaches. These policies have been available for years, but they aren’t cheap, costing anywhere from $5,000 to $30,000 per year for $1 million in coverage. But there is some evidence that more companies are turning to the insurance market. In fact, one-third of respondents (including 80 percent of companies with $250 million to $500 million in revenues) to a survey conducted by Betterley Risk Consultants, a research and consulting firm, said they have cyber-insurance. Another 25 percent said they plan to buy it in the next 18 months. But the danger is that as cyberrisk insurance spreads, companies simply will pass off the insurance losses associated with cyber-attacks to their customers, resulting in little incentive to improve overall cybersecurity without government action.
The Sony attack may well be the tipping point. As losses mount, investors likely will stop treating cyber-attacks as a corporate nuisance and start treating them as a serious threat to the survival of firms and, at a macro-level, a clear danger to the long-term competitiveness of knowledge economies built on intellectual property.
Scott Shackelford is an assistant professor of business law and ethics at Indiana University’s business school and author of the forthcoming book “Cyber Peace: Managing Cyber Attacks in International Law, Business, and Relations” (Cambridge University).