As the scale and sovereign culprit behind the attack on Sony were revealed, the world awakens to the specter of an uncomfortable new normal emerging in warfare – cyber terrorism.
The attack on Sony Entertainment successfully crippled the company’s value chain and that of their downstream partners. Sony’s $22.3 billion market cap can readily absorb the financial consequences of this attack, which some experts estimate will cost between 1 percent and 2 percent of the firm’s market value. It was not until President Obama’s public rebuke of Sony’s decision to withdraw the film that Sony’s top leadership broke their silence and the film was eventually released.
Yet a dangerous precedent has been set that cannot be easily undone, President Obama was right when he said: “If somebody is able to intimidate folks out of releasing a satirical movie, imagine what they start doing when they see a documentary that they don’t like, or news reports that they don’t like.” Imagine the consequences for firms that produce products and services or for national policies that attract unwanted attention.
Until Sony’s cyber-terror attack, cyber risk remained an insidious drag on the world’s economy, with most losses manifesting themselves in ID theft, denial of service attacks and silent phishing scams. According to Reuters the average cyber liability loss in the U.S. is $5.9 million. Globally cyber-crime costs the world economy between $300 and $575 billion, which is a mere attritional drag or cost of doing business in the information age.
The attack on Sony, on the other hand, raises not only the economic but reputational costs of cyber risk and shows the ease with which a company’s entire business model can be held for ransom. Capitulating on airing the film underscores the extent of the informational extortion Sony faces and the Guardians of Peace (GOP) have indicated that this is a lifelong threat should any trace of The Interview emerge. Now that the film has been released in theaters and online, how this threat manifests itself is yet to be seen.
While many have vilified Sony’s response to this attack as soft, Sony taking its aggressor – a state-sponsor of cyber-terrorism – would be tantamount to private industry taking on Al-Qaeda or ISIS. An appropriate, whole-of-government response is needed to this attack creating a strong cyber deterrent and exacting a proportionate cost on North Korea as well as to deter any future sponsors of these attacks.
At the same time, industry will have to advance the standards of cyber risk management by creating greater transparency, more localized encryption and an early warning system when breaches are detected. Firms fear a public backlash when breaches occur causing them to share little or no information until the crisis escalates beyond control. However, improving transparency through a central clearinghouse of cyber breaches will not only improve system-wide security, it will also help improve the often mispriced cyber insurance market.
When combating an asymmetric foe that benefits from opacity, sunlight, transparency and global coordination are the greatest weapons against simple hacker collectives and state sponsors alike.
As new rules of engagement are being drawn up in corporate war rooms and by policy makers in response to Sony’s attack, the nascent cyber insurance market can provide some peace of mind and financial protection in the face of new threats. Although underwriting appetite for large cyber insurance policies is sure to wane as the full scale of Sony’s case continues to unfold, this class of insurance is a must-have for firms of all sizes operating in the global economy. Large companies like Target, Home Depot and Sony make for headline grabbing targets as they have a sprawling surface area to attack. Nevertheless, they are not the only types of firms vulnerable to cyber risk.
Cyber liability insurance is one of the fastest growing coverage areas, suggesting broad-based demand among firms of all sizes seeking to offset the financial and risk mitigation burden of this complex exposure. In a recent survey of business risk conducted by Allianz, cybercrime, IT failures and espionage are now top 10 business risks occupying the minds of corporate leaders. Legal liability is rapidly following suit, as the legal system grapples with a growing case load alleging poor standards of care around privacy and sensitive customer and employee information. Here too, Sony’s case stands to set a precedent. Given that the culprit is a foreign nation, perhaps applying the Terrorism Risk Insurance Act (TRIA) as a way of shoring up cyber risk underwriting appetite and capping liability will enable further development of this important market.
Disparte is the founder and CEO of Risk Cooperative a specialized strategy, risk and capital management firm located in Washington, DC. He is the resident expert on risk and economic competitiveness at the American Security Project, a member of the influential Consensus for American Security and a founding member of the Business Council for American Security.