Cyber is now a household term. We’ve all been impacted by cyber events – whether our personal social media accounts get hacked, employers get shut down by ransomware or service providers lose control of our credit card information.
Different parties can be impacted differently by a hack:
- The hack of an individual can lead to identity theft and fraud for that person
- The hack of a business can trigger a shutdown of operations and lost revenues
- A breach of private client data can lead to expenses and lawsuits
Businesses in various industries may also experience cyber risk in different ways. For example, tech companies are a high-value target for hackers. If a hacker can penetrate a tech provider, they can access multiple downstream clients and users in one fell swoop.
In fact, the tech sector accounted for nearly a quarter (23%) of ransomware attacks in 2021, more than any other vertical.1
In the past six months, Bitsight saw a growth in common vulnerabilities and exposures.
“Common vulnerabilities and exposures are growing in all categories based purely on the increasing amount of technology used in business. All technology has vulnerabilities in it, and the types of vulnerabilities are endless; they exist in code, poor configuration, design, people, and processes,” said Aaron Aanenson, a senior director at Bitsight. “There should be processes in place to identify these vulnerabilities and have a plan to address them, and this should be a focus area for the underwriting process, especially for tech companies.”
The types of tech companies that get targeted can range widely. They can include:
- Managed Service Providers (MSPs)
- Managed Security Service Providers (MSSPs)
- Software as a Service (SaaS) Providers
- Cloud Firms
- Communications Companies
- Software Designers
- Resellers
- Publishers
- Developers of Hardware with Embedded Software
Cyber and Professional Liability Insurance for Technology Companies
As with other industries, cyber risks have escalated many tech companies’ network liabilities. But more unique to the tech industry, these risks have also heightened their professional liability exposures.
It’s why having the right services portfolio and cyber risk coverage, such as tech errors and omissions (E&O) insurance, is more crucial than ever in helping to prevent, respond to and recover from an incident.
Cyber and Tech Risk Exposures
Rolando Torres, chief operating officer at Abacode, said cyber risks are beginning to shift to a shared risk model as companies move their work to the cloud, SaaS systems and third-party service providers.
“Even though companies benefit from inheriting security controls from mature cloud and SaaS platform providers, they also share the risk of compromise from an incident impacting those technologies and service providers that have access to their systems,” he explained.
A business’ cyber and tech risk exposure can come from:
Network Liability: From tech companies to law firms, to schools and government institutions, entities across every industry are experiencing cyberattacks and data breaches. Their own networks are being locked up, data is getting exfiltrated, ransoms are getting paid, business operations are getting interrupted and data restoration is needed.
Professional / Product Liability: A tech company’s hacking risk also materially heightens its professional liability exposure and could lead to potentially vast downstream impact. Tech companies are often the springboard to supply chain attacks and systemic vulnerabilities for all other companies. A hack in any industry can disrupt the victim’s products or services, but the victim may be able to recoup those costs by filing a claim against the tech company responsible for the vulnerability.
Any software or communication company’s hack magnifies the potential for passing cyber vulnerabilities to downstream users via the following avenues:
- Use of open-source software: Think of the Log4J incident in 2021 where a commonly used open-source library was loaded with malware.2 Around 90% of software developers incorporate open-source software into their own products. In some cases, a programmer may reuse code that they previously used at their last employer.3
- Remote patching: Remote patch management allows admins to install patches and updates on applications, software or devices operating on or connected to a network from anywhere in the world. SolarWinds was a good example of malware spreading to clients via remote patching.4
- Remote access: MSPs, MSSPs and other companies with remote access to their clients can be compromised. This means their credentials and access can be used to target and compromise their clients.
- Storage of client usernames and passwords: The hacks of Okta and LastPass, both password managers, led to downstream client hacks via use of their clients' stolen login information.5
- Remote management and monitoring tools: These kinds of tools, such as Kaseya, get compromised and used to access and further compromise clientele.
- A promise of uptime: Companies upon which clients depend to operate their own business, such as communications companies or other service providers, also have a greater professional liability risk. Since their own network liability is heightened, a service provider’s dependency exposure rises as well.
Precautionary Steps Technology Companies Can Take for Protection
There are some specific precautions a technology vendor can take to help minimize the risk of passing downstream vulnerabilities to users of their products and services.
For businesses delivering software, they can implement an internal information security management program based on a security standard, such as the NIST Cybersecurity Framework, ISO 27001, NIST 800-53 or the CIS Top 20, which aim to protect an organization’s own networks and its software development lifecycle (SDLC).
It can also be a good idea to follow NIST’s SP 800-218: Secure Software Development Framework (SSDF) – Recommendations for Mitigating the Risk of Software Vulnerabilities.
Notably, businesses should employ DevSecOps – the practice of integrating security into the software development lifecycle. This includes limiting the use of open-source code and:6
- Performing a software composition analysis and tracking the sources of code being deployed within a work product to locate and address known vulnerabilities more easily.
- Regular code reviews through a peer code review, an internal code review team that’s not part of the development team, or a third-party code review. These reviews can include a static scan that validates security coding practice during development or a dynamic scan to validate vulnerabilities that occur when the software is running.
- Security testing, or penetration testing of a product. This can be done with an in-house team or through a third party.
- Having an incident response plan where a business anticipates that a software product is going to get hacked and having a plan to respond to it quickly to reduce the impact.
- Having a rollback plan to close vulnerabilities and limit impact.
- Monitoring the product and beyond. Some software companies monitor the dark web for early chatter about exploits in their code so they can try to get “left of breach” and close doors before they become widely known.
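The software composition analysis step in the list above is the one most easily shown in code. The example below is an added illustration, not code from the article or from The Hartford, Bitsight or Abacode: it parses a constructed pip-style dependency manifest, compares each pinned version against a constructed advisory list (the advisory ids are placeholders, not real CVE numbers, and the version ranges are illustrative), and reports every component that falls inside a vulnerable range. A production SCA tool does the same matching against a curated advisory database rather than a hand-written list.

```python
"""Minimal software composition analysis (SCA) check.

Added example, not from the original article: parse a dependency manifest,
compare pinned versions against an advisory list, report vulnerable matches.
"""
import re

# Constructed manifest in the style of a pip lockfile (not a real project's).
MANIFEST = """
# pinned dependencies for an internal web service (constructed sample)
requests==2.25.1
urllib3==1.26.3
pyyaml==5.3.1
jinja2==3.1.2
"""

# Constructed advisory list: (package, first affected, first fixed, advisory id).
# Ids are placeholders, not real CVE numbers; ranges are illustrative only.
ADVISORIES = [
    ("urllib3", "1.26.0", "1.26.5", "ADV-PLACEHOLDER-001"),
    ("pyyaml", "0.0.0", "5.4", "ADV-PLACEHOLDER-002"),
    ("jinja2", "0.0.0", "3.1.0", "ADV-PLACEHOLDER-003"),
]


def parse_version(text):
    """Turn '1.26.3' into (1, 26, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def version_in_range(version, first_affected, first_fixed):
    """True when first_affected <= version < first_fixed (components zero-padded)."""
    v, lo, hi = (parse_version(x) for x in (version, first_affected, first_fixed))
    width = max(len(v), len(lo), len(hi))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(lo) <= pad(v) < pad(hi)


def parse_manifest(text):
    """Return {package: version} from 'name==version' lines; skip blanks and comments."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.\-]+)==([0-9][0-9.]*)", line)
        if not match:
            # An unpinned or malformed line means the bill of materials is incomplete.
            raise ValueError(f"unparseable manifest line: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps


def find_vulnerable(deps, advisories):
    """List (package, version, advisory id, first fixed) for every advisory that matches."""
    findings = []
    for pkg, lo, hi, adv in advisories:
        version = deps.get(pkg.lower())
        if version and version_in_range(version, lo, hi):
            findings.append((pkg, version, adv, hi))
    return findings


if __name__ == "__main__":
    for pkg, version, adv, fixed in find_vulnerable(parse_manifest(MANIFEST), ADVISORIES):
        print(f"{pkg}=={version}: matches {adv}; upgrade to >= {fixed}")
```

Run on the constructed manifest, the check flags urllib3 and pyyaml and leaves jinja2 alone because its pinned version is already past the fixed release. The manifest parser rejects unpinned lines on purpose: an inventory that cannot name an exact version cannot be matched against an advisory range, which is the gap the "tracking the sources of code" practice is meant to close.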
For businesses that remotely connect to clients, leverage a zero-trust approach that includes a separation of concerns between the:
- Support laptops
- Technical environment
- Environment of their clients
Real World Examples
Read about actual examples where E&O insurance helped technology companies:
- An IT company was providing various services to law firms. When the IT company was breached, the hackers used the IT company’s administrative access to access their clients’ email files. The hackers then sent fraudulent emails to the law firms pretending to be a new client and requesting release of various funds being held by the firm in escrow. As a result, the law firm issued payments of more than $3 million to fraudulent bank accounts and the money was permanently lost. While the initial breach response cost the IT company less than $50,000, the law firm is now suing the IT company for $3 million, claiming that the initial intrusion caused the loss at issue.
- Our insured provides various IT services to hundreds of clients, which include hosting, network security, firewalls and various email assistance. When the insured was breached, their computer system was inoperable for almost a week. This resulted in all the clients going offline and their data being compromised. As a result, our insured lost hundreds of thousands of dollars in revenue due to this business interruption. They are also still trying to resolve more than 40 claims made by their clients due to their own inability to operate while the insured’s system was down.
How The Hartford Can Help Tech Companies
We offer professional, media and cyber risk solutions through our FailSafe® product suite, which helps before, during and after cyberattacks. It offers stronger protection than other policies you may find. Some of our holistic offerings include:
The Hartford Ransomware Mitigation Suite, which proactively reduces risks through best practices, resources and employee training. After signing up, insureds can access cyber risk support provided through our partners, such as:
- "Meet Your Breach Coach"
- Identifying your organization's cyber vulnerabilities through a network scan provided by Bitsight
- Engaging an IT expert firm to help remediate vulnerabilities, an optional service provided by Abacode
- Optional security awareness training
CyberChoice First Responders, a panel of third-party service providers with deep breach response experience.