Cyber security and threats for sports and media industry

News of cyber-attacks/data breaches, off late, has become a common phenomenon in the IT industry, financial institutions, healthcare and education sector. The question, however, is how vulnerable is the sports and media industry to cyber-attacks? Do they really need cyber insurance? The answer would be a definite yes!

The number of local threats in Q1 2020 in India was 52,820,874 whereas the number of local threats detected in Q4 2019 was 40,700,057, a 30% increase. According to a study, a stolen movie released online loses 19% of its box-office revenue on average compared to films that are pirated after they are released.

The sports media and entertainment industries are heavily reliant on social media with streaming services, ticket sales, script and content storage, confidential analysis and winning strategies for sports teams all being processed on the internet. 

Cybercriminals seek to exploit this and indulge in fraudulent activities such as impersonation, hacking, dissemination of pirated content, counterfeit goods sale, among others. These activities often lead to big ransom demands, reputation damage, loss of business and huge third-party losses to the industry.

How does cybercrime impact the entertainment industry?

Let us enumerate a few episodes where a cybercrime overthrew a leading entertainment agency. On November 24, 2014, a hacker group which identified itself as "Guardians of Peace" leaked confidential data from Sony Pictures. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, plans for future Sony films, scripts for certain films, and other information.

Hackers have targeted more than 110 million Netflix Subscribers with an email scam and are said to have succeeded in stealing people's credit card details. In 2017, HBO became a victim of a massive cyber-attack which led to stealing of 1.5 TB of data including episodes of Ballers and Room 104 and a “Game of Thrones” episode script. ABC's unscripted Steve Harvey's Game show “Funderdome” was also released online when the show's producer refused to oblige to the demands of the hackers.

There could be various means used to carry out hacking. Some of the main threats' organisations need to watch out and account for are discussed below. This is just an indicative list as hackers are coming up with innovative ways of hacking on a daily basis. 

They may use all or some of the below at once, most popular being ransomware and security breach: 

- Malware: Malware is a code that is made to stealthily affect a compromised computer system without the consent to use.

- Security breach: A security breach is an incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorised to do so.

- Denial of service attack: A denial-of-service attack overwhelms a system's resources so that it cannot respond to service requests.

- Ransomware: Ransomware blocks access to a victim's data, typically threatening to delete it if a ransom is not paid. 

- Phishing: Phishing happens when an attacker, posing as a trusted individual, tricks the victim to open a text message, email, or instant message.

Why haven't we seen cyber insurance going mainstream yet?

As per IBM Ponemon's 2018 risk report, the average cost of a breach in India now stands at ₹ 11.9 crore. The cost associated with the cyber-attack has been on the higher side and yet, platforms and companies are still wary of the insurance protocols.

Another common loophole in the industry is that most IT Services are outsourced. Data regulations apply to the “collector” of the information, NOT the “processor” of the information hence vendor breach is the legal responsibility of the business who collected it. Most important to note is that, Legal responsibility CANNOT be transferred by contract, making it imperative to cover your bases when it comes to data handling.

It is often heard that small businesses need not invest in Cyber Insurance. EVERY business is a target, but small businesses are particularly vulnerable as they may not have access or budget for very high-end IT security measures. Another common misconception is that only IT companies need Cyber Insurance. Every business that utilises technology in their daily business is vulnerable to cyberattacks. Please understand that all Cyber policies addresses perils ranging from business interruption/extra expense to costs related to restoration of data.

“We already have Anti-virus and Firewall hence we are well protected”. 

No software can prevent all kinds of cyber attacks. Insurance serves to complement a client's IT department's efforts and in times of a worst-case scenario, the extended covers functions as a SWAT Team with a team of experts ready to respond.

Who should opt for Cyber insurance covers?

All entertainment business verticals are equally at risk, especially mass entertainment platforms like sports and media. Particularly vulnerable businesses are sports teams, events and sports organisers, E-sports companies, Animation houses, OTT Platforms/broadcasters, production houses, event management companies, movie distributors and exhibitors, online ticket booking platforms, artist/celebrity management companies among others.

Being secure with a robust cyber insurance policy can help deal more effectively when a data breach or network security failure occurs. This form of liability insurance covers a host of first and third-party costs when a security failure or data breach occurs including:

- Business interruption due to a cyber attack

- Costs arising after a data Breach – notification costs, credit monitoring, crisis management

- Legal liability due to breach of privacy including legal expenses.

- Regulatory fines and penalties

- Cyber extortion and the resultant ransom costs

- Media liability (libel, slander, defamation or infringement allegations)

- Cyber forensics costs

As the sports and media sector grows their digital capabilities and online platform, protecting their members, customers, stakeholders, governing bodies from cybercrime is paramount. Sporting and media companies should invest time to look at where they can strengthen their cyber security and what steps should be taken towards risk mitigation.

This article has been co-authored by Nancy Goyal, Manager, Sports, Leisure & Entertainment and Apurva Gopinath, Chief Manager, Financial Services & Professions Group.