Will HBO pay up? Will any more Game of Thrones script summaries be released? Does it matter? The damage is done, and it is not impossible that HBO could lose even more than Target did in its now-iconic cybersecurity fail, which cost the big-box store northward of $300 million in damages following the milestone 2013 breach.
Whatever the bottom line turns out to be for HBO, this latest media cliffhanger has the insurance world on high alert, with many in the industry speculating that the HBO compromise could mark a sea change for what is already one of the fastest-growing types of business policy: cyber insurance.
When hackers stole 40 million consumer payment card records from Target four years ago, the retailing giant had just purchased one of the earliest forms of cyber insurance. That move helped Target offset the cost of upgrading security, making customers whole and settling scores of lawsuits.
Today most large enterprises, especially big media companies, hold some form of cyber liability coverage. So it's very likely HBO holds a hefty cyber policy secured either through its parent, Time Warner, or on its own, says Inga Goddijn, executive vice president at Risk Based Security, a Richmond, Virginia-based supplier of risk management services.
In Hollywood, as in commerce generally, timing is important. The HBO breach, with its distinctive extortion component, comes fresh on the heels of two globe-spanning ransomware worms, WannaCry and Petya. Those attacks grabbed headlines last spring and early summer by rapidly locking up servers in hundreds of organizations globally.
"We have already seen an uptick of interest in cyber coverage post-WannaCry and Petya malware events," Goddijn says. "This is yet another high-profile breach that highlights the fact that data has value. Attackers will go after what has value, which in turn can have a real financial impact on the breached organization. Cyber insurance is still the best option for addressing that monetary fallout."
The plot thickens. The damage hackers caused to Target and to the organizations hit by the WannaCry and Petya ransomware campaigns was comparatively easy to address. Not so the loss of HBO's intellectual property.
That's because insurers traditionally have shied away from covering events like theft of trade secrets or damage to intellectual property, says Goddijn. It's simple to determine the cost of issuing a new credit card or replacing a locked-up server. It's problematic, though not impossible, to put a price tag on a secret formula or an unreleased episode of a popular show, she says.
"The actual value of the intellectual property itself is subjective and can change over time," Goddijn observes. "Anytime there is that level of uncertainty around pricing a risk, it's sure to cause hesitation for the underwriters."
That uncertainty is compounded by the obstacles hindering the insurance industry from fully meeting pent-up demand for cyber insurance. While large organizations have snapped up policies, there is a steep drop-off in adoption among small- and mid-sized businesses.
Cyber policies continue to be written with very little actuarial information. That is not because the data isn't available; security systems gush oceans of data on a daily basis. And yet companies and underwriters can't seem to match threat actors' aptitude for leveraging networking complexities in their favor.
Jonathan Niednagel, Vice President New Market Development at Prevalent Inc., a supplier of third-party risk management technologies, puts it this way: "It will take several years of breach data before the underwriters are able to build models that support their pricing structure. For the time being it's 'best guess' pricing."
Hard vs. soft costs
The resulting gaps in coverage are as plain as day. Cyber policies today typically limit coverage to the so-called "hard" costs of a breach: investigative, forensic and recovery expenses; privacy loss notifications; and even extortion payments, says Ray DeMeo, chief operating officer of Virsec, a supplier of web application security systems.
"This can leave significant gaps for the soft costs - damaged reputation, customer goodwill, loss of future business, devalued intellectual property, etc.," DeMeo says. "While some of these risks may be hard to quantify, the potential damage can be much larger than the covered costs."
Could the HBO hack finally push the insurance industry to truly help companies offset cyber risks? Hard to say. The Target and Home Depot hacks pushed the U.S. payment card industry into rolling out chip cards, albeit a decade after Europe and Asia.
But do you remember the devastating breaches of Sony Pictures, Anthem and the U.S. Office of Personnel Management? I could name dozens of other high-profile compromises from the past five years. Each one highlighted the urgency to do more to offset the risk of failing to adequately protect valuable data.
Opportunity keeps knocking for the insurance industry to figure this out. How many extortion-fueled hacks and incidents of lost, irreplaceable intellectual property must public and private sector organizations endure in order to do the trick? Hackers, no doubt, are more than happy to do their part. Will the HBO hack be the ultimate wake-up call? Time will tell.