The Importance of Tech E&O as Cyber Risks and Ransomware Increase

Cyber risks and ransomware are increasing, which means having the right insurance coverage is essential.
Cyber is now a household term. We’ve all been impacted by cyber events – whether our personal social media accounts get hacked, our employers get shut down by ransomware or our service providers lose control of our credit card information.
 
Different parties can be impacted differently by a hack:
 
  • The hack of an individual can lead to identity theft and fraud for that person
  • The hack of a business can trigger a shutdown of operations and lost revenues
  • A breach of private client data can lead to expenses and lawsuits

Businesses in different industries may also experience cyber risk in different ways. For example, tech companies are a high-value target for hackers: if a hacker can penetrate a tech provider, they can reach multiple downstream clients and users in one fell swoop.
 
In fact, the tech sector accounted for nearly a quarter (23%) of ransomware attacks in 2021, more than any other vertical.1
 
Over the past six months, Bitsight has seen growth in common vulnerabilities and exposures (CVEs).
 
“Common vulnerabilities and exposures are growing in all categories based purely on the increasing amount of technology used in business. All technology has vulnerabilities in it, and the types of vulnerabilities are endless; they exist in code, poor configuration, design, people, and processes,” said Aaron Aanenson, a senior director at Bitsight. “There should be processes in place to identify these vulnerabilities and have a plan to address them, and this should be a focus area for the underwriting process, especially for tech companies.”
 
The types of tech companies that get targeted can range widely. They can include:
 
  • Managed Service Providers (MSPs)
  • Managed Security Service Providers (MSSPs)
  • Software as a Service (SaaS) Providers
  • Cloud Firms
  • Communications Companies
  • Software Designers
  • Resellers
  • Publishers
  • Developers of Hardware with Embedded Software

Cyber and Professional Liability Insurance for Technology Companies

As with other industries, cyber risks have escalated many tech companies’ network liabilities. But more unique to the tech industry, these risks have also heightened their professional liability exposures.
 
It’s why having the right services portfolio and cyber risk coverage, such as tech errors and omissions (E&O) insurance, is more crucial than ever in helping to prevent, respond to and recover from an incident.
 

Cyber and Tech Risk Exposures

Rolando Torres, chief operating officer at Abacode, said cyber risks are beginning to shift to a shared risk model as companies move their work to the cloud, SaaS systems and third-party service providers.
 
“Even though companies benefit from inheriting security controls from mature cloud and SaaS platform providers, they also share the risk of compromise from an incident impacting those technologies and service providers that have access to their systems,” he explained.
 
A business’ cyber and tech risk exposure can come from:
 
Network Liability: From tech companies to law firms, to schools and government institutions, entities across every industry are experiencing cyberattacks and data breaches. Their own networks are being locked up, data is getting exfiltrated, ransoms are getting paid, business operations are getting interrupted and data restoration is needed.
 
Professional / Product Liability: A tech company’s hacking risk also materially heightens its professional liability exposure and could lead to potentially vast downstream impact. Tech companies are often the springboard for supply chain attacks and systemic vulnerabilities affecting all other companies. A hack in any industry can disrupt a downstream company’s products or services, and that company may be able to recoup those costs by filing a claim against the tech company responsible for the vulnerability.
 
Any software or communication company’s hack magnifies the potential for passing cyber vulnerabilities to downstream users via the following avenues:
 
  • Use of open-source software: Think of the Log4J incident in 2021, where a commonly used open-source library was loaded with malware.2 Around 90% of software developers incorporate open-source software into their own products. In some cases, a programmer may reuse code that they previously used at their last employer.3
  • Remote patching: Remote patch management allows admins to install patches and updates on applications, software or devices operating on or connected to a network from anywhere in the world. SolarWinds was a good example of malware spreading to clients via remote patching.4
  • Remote access: MSPs, MSSPs and other companies with remote access to their clients can be compromised. This means their credentials and access can be used to target and compromise their clients.
  • Storage of client usernames and passwords: The hacks of Okta and LastPass, both password managers, led to downstream client hacks via use of their clients' stolen login information.5
  • Remote management and monitoring tools: These kinds of tools, such as Kaseya, get compromised and used to access and further compromise clientele.
  • A promise of uptime: Companies upon which clients depend to operate their own business, such as communications companies or other service providers, also have a greater professional liability risk. Since their own network liability is heightened, a service provider’s dependency exposure rises as well.

Precautionary Steps Technology Companies Can Take for Protection

There are some specific precautions a technology vendor can take to help minimize the risk of passing downstream vulnerabilities to users of their products and services.
 
Businesses delivering software can implement an internal information security management program based on a security standard, such as the NIST Cybersecurity Framework, ISO 27001, NIST SP 800-53 or the CIS Top 20, which aim to protect an organization’s own networks and its software development lifecycle (SDLC).
 
It can also be a good idea to follow NIST’s SP 800-218: Secure Software Development Framework (SSDF) – Recommendations for Mitigating the Risk of Software Vulnerabilities.
 
Notably, businesses should employ DevSecOps – the practice of integrating security into the software development lifecycle. This includes limiting the use of open-source code and:6
 
  • Performing a software composition analysis and tracking the sources of code being deployed within a work product to locate and address known vulnerabilities more easily.
  • Regular code reviews, whether through peer review, an internal code review team that is not part of the development team, or a third-party review. These reviews can include a static scan that validates secure coding practice during development or a dynamic scan that finds vulnerabilities which only appear when the software is running.
  • Security testing, or penetration testing of a product. This can be done with an in-house team or through a third party.
  • Having an incident response plan where a business anticipates that a software product is going to get hacked and having a plan to respond to it quickly to reduce the impact.
  • Having a rollback plan to close vulnerabilities and limit impact.
  • Monitoring the product and beyond. Some software companies monitor the dark web for early chatter about exploits in their code so they can try to get “left of breach” and close doors before they become widely known.

Businesses that remotely connect to clients should adopt a zero-trust approach that includes a separation of concerns between:
 
  • Support laptops
  • Technical environment
  • Their clients’ environments

Real World Examples

Read about actual examples where E&O insurance helped technology companies:
 
  1. An IT company was providing various services to law firms. When the IT company was breached, the hackers used the IT company’s administrative access to reach its clients’ email files. The hackers then sent fraudulent emails to the law firms pretending to be a new client and requesting release of various funds being held by the firm in escrow. As a result, the law firm issued payments of more than $3 million to fraudulent bank accounts and the money was permanently lost. While the initial breach response cost the IT company less than $50,000, the law firm is now suing the IT company for $3 million, claiming that the initial intrusion caused the loss at issue.
  2. Our insured provides various IT services to hundreds of clients, which include hosting, network security, firewalls and various email assistance. When the insured was breached, their computer system was inoperable for almost a week. This resulted in all the clients going offline and their data being compromised. As a result, our insured lost hundreds of thousands of dollars in revenue due to this business interruption. They are also still trying to resolve more than 40 claims made by their clients due to their own inability to operate while the insured’s system was down.

How The Hartford Can Help Tech Companies

We offer professional, media and cyber risk solutions through our FailSafe® product suite, which helps before, during and after cyberattacks. It offers stronger protection than other policies you may find. Some of our holistic offerings include:
 
The Hartford Ransomware Mitigation Suite, which proactively reduces risks through best practices, resources and employee training. After signing up, insureds can access cyber risk support provided through our partners, such as:
 
  • "Meet Your Breach Coach"
  • Identifying your organization's cyber vulnerabilities through a network scan provided by Bitsight
  • Engaging an IT expert firm to help remediate vulnerabilities, an optional service provided by Abacode
  • Optional security awareness training
CyberChoice First Responders, a panel of third-party service providers with deep breach response experience.
 
 
1 The Manufacturer, “A Pathway to Digital Success: Why the C-Suite Needs to Understand Cyber Risk”, September 2022
 
2 The Conversation, “What Is Log4j? A Cybersecurity Expert Explains the Latest Internet Vulnerability, How Bad It Is and What’s at Stake”, September 2022
 
3 ZDNet, “Open-Source Software: Nine out of 10 Companies Use It, But How Much Is It Really Worth?”, September 2022
 
4 Business Insider, “The U.S. Is Readying Sanctions Against Russia Over the SolarWinds Cyber Attack. Here’s a Simple Explanation of How the Massive Hack Happened and Why It’s Such a Big Deal”, September 2022
 
5 Forbes, “Okta Hack Exposes a Huge Hole in the Tech Giant Security: Their Call Centers”, September 2022
 
6 Vince Kuchar, CEO of Risk Mitigation Consulting, September 2022
 
Third-party service providers discussed herein, though not affiliates of The Hartford, are pre-approved by The Hartford to provide cyber-related services. You are not required to avail yourself of their services. Sharing any information with any such vendor is at your sole discretion. References to any vendor are provided for your convenience only and are not intended as a substitute for your own due diligence and selection of vendors to suit your company’s needs. The vendors are independent contractors that charge their own rates. Discounted third-party service rates offered by any vendor are not offered by The Hartford, nor on any premium for a policy of insurance. Any such vendor discount is subject to change without notice and is not guaranteed by The Hartford. The Hartford does not warrant the performance or services of the vendors or their websites. The Hartford assumes no responsibility for the control, correction or legal compliance of your cyber security measures or other business practices and operations. Notice of any claim, act, fact or circumstance to a vendor does not constitute notice thereof to The Hartford. Approved vendors are current as of April 2022 and may change at our discretion at any time, with or without notice.
 
The Hartford does not offer or provide third-party services and cannot make any claims or promises that use of those products or services will result in lower cyber losses. All such products and services are provided by third-party services.
 
The information provided in these materials is intended to be general and advisory in nature. In no event will The Hartford be liable for direct, special, incidental, or consequential damages (including, without limitation, damages for loss of business profits, business interruption, loss of business information or other pecuniary loss) arising directly or indirectly from the use of (or failure to use) or reliance on the information contained herein, even if The Hartford has been advised of the possibility that such damages may arise.
Links from this site to an external site, unaffiliated with The Hartford, may be provided for users' convenience only. The Hartford does not control or review these sites nor does the provision of any link imply an endorsement or association of such non-Hartford sites. The Hartford is not responsible for and makes no representation or warranty regarding the contents, completeness or accuracy or security of any materials on such sites. If you decide to access such non-Hartford sites, you do so at your own risk.
 
The Hartford Financial Services Group, Inc., (NYSE: HIG) operates through its subsidiaries, including the underwriting company Hartford Fire Insurance Company, under the brand name The Hartford®, and is headquartered in Hartford, CT. For additional details, please read The Hartford’s legal notice at https://www.thehartford.com.

Dan Silverman
Dan Silverman is a director of cyber and professional liability at The Hartford.