
Sony Insurer Disputes Breach Insurance Claims

A cautionary tale for enterprises that think they have data breach insurance.

A new court battle reported last week could potentially decide how liability is determined when organizations covered by general liability insurance get hacked and suffer a database breach.

The case at hand pits insurer Zurich American against its client Sony: Zurich has refused to cover the costs of class-action lawsuits stemming from Sony's embarrassing breaches earlier this year, and wants the courts to weigh in with a judgment to clarify the matter.

Sony says it expects the financial fallout from the breaches to add up to more than $178 million this year; the firm is currently fighting 55 class-action lawsuits. According to a report from Reuters, Zurich recently stated in court papers that it had received claims from Sony to cover costs related to these lawsuits under a general liability insurance policy written by Zurich.

The insurer says it shouldn't have to pay the claim since the policy is for "bodily injury, property damage, or personal and advertising injury," and none of those apply within the class-action suits.

Given the rising prevalence of data breaches and the increasing storm of litigation companies face from customers furious about their loss of privacy, this case is a must-follow precedent-setter for professionals in IT security and enterprise risk management. Ty Sagalow, an insurance consultant and founder of Innovation Insurance Group, says there are still many within the industry who are under the mistaken assumption that general liability policies will help them out in the event of a data breach.

"There are probably still some risk managers out there that think that their comprehensive general liability policy covers breaches," says Sagalow, who was one of the main experts in charge of first drafting cyberinsurance policies for Zurich when he worked for the company prior to starting his own consulting shop. "These types of cyberevents are not covered in the typical standard forms of insurance."

Sagalow says that as cyber-risks increase in sophistication and pervasiveness, organizations need to think about adding coverage that can hold up to court scrutiny when everything hits the fan. But because cyberinsurance is such a new phenomenon, it's a buyer-beware situation.

