The still-unfolding cyber attack/terror plot against Sony Pictures is marked by a disturbing chain of events that, among other outcomes, takes the insurance world into uncharted territory. The case raises important data breach questions for organizations that do not store credit cards or social security numbers, and there has never been a Hollywood movie pulled from distribution due to a terrorist threat. A December 18 CNN Money report notes, "It's not clear if Sony's policy would pay anything in this situation."
Emerging details from the investigation suggest that North Korea's government is behind the attack. The motive is widely believed to be revenge. The isolated communist regime was angered by the studio's depiction, and ultimate assassination, of leader Kim Jong Un in the now-shelved movie The Interview.
As part of their attack, hackers were able to obtain the social security numbers of 47,000 people, salary information for every Sony employee and the protected health information of some Sony workers. That progressed to the theft and release of intellectual property related to several movies, and internal email communications between senior Sony executives. Despite cancellation of the movie's debut, hackers continue to release this data to the general public in a torturous, methodical fashion.
The decision by the studio last week to pull the film was the result of 9/11-type threats issued by the hackers. These threats targeted movie chains scheduled to screen the work. After the successful scare of theater owners, Sony had few options but to cancel the release. The company also took the unusual step of requesting that the media refrain from covering events as they unfold, indicating that Sony will pursue legal damages resulting from the publication of details. If Sony adopts that course of action, the media might have insurance coverage questions of their own.
The resolution to cancel the film will not be cheap. Per the same CNN Money report, "Sony spent $44 million making The Interview, according to reports based on those hacked emails. And it spent $35 million in marketing, according to other reports. Indeed, TV commercials were still running as recently as [last] Wednesday after the studio had pulled the plug." Without a product to sell and with the potential for Sony's insurer to deny loss claims, there may be no way of recouping the investment.
This is a precedent-setting case that will clearly cost Sony more in financial and reputational losses than most traditional data breaches. The studio will pay the usual expenses related to a hacking, including legal bills, IT forensics fees, credit monitoring costs and legal settlements. The costs of the intellectual property theft and business interruption remain unknown, but will have a significant impact on Sony's bottom line. Movie chains and other Sony vendors will also be affected, and may also pursue legal action against the company.
The disclosure of embarrassing emails has undoubtedly damaged key business relationships, and the extent to which Sony can repair these remains in question. What began as a corporate security concern quickly progressed to a threat to national security, with senior government officials wondering what other foreign nations may be planning cyber attacks.
Larger questions are also being raised, including what the exact definition of "Cyber War" is, the impact of self-censorship, freedom of the press and how to determine the right amount of cyber security that an organization should maintain.
HUB International will continue to monitor events as they unfold. Keep visiting HUB's Crisis Management Center for the latest news and updates, and find ways to protect against and prevent cyber crime in the Learning Center.