Another day, another massive ransomware attack.
For technology companies, supply chain hacks are yet another cybersecurity risk to mitigate. They may also introduce new errors and omissions liability exposures.
While the virtual dust is still settling around this latest incident, it appears to have originated from a software developer and affected (or is that infected?) hundreds of companies around the world.1
What’s notable about this attack isn’t simply the scale, but the vector: Like the massive breach reported in December 2020,2 this ransomware attack initially targeted a software company whose products are used by businesses globally. By exploiting a vulnerability in this particular company’s software, the hackers successfully smuggled their malicious code into hundreds of unsuspecting businesses, making it, in the words of one report, “the largest and most significant such attack to date.”3
This form of ransomware attack, called a supply-chain attack,4 isn’t simply disruptive and costly. It may present an errors and omissions (E&O) liability risk exposure to companies and professionals at multiple points along the technology and software supply chain.
Why are supply-chain attacks so effective?
In two words, efficiency and trust.
Supply-chain hacks are efficient, because all the hacker needs to do is crack the defenses of a single software or hardware company, exploit holes in the existing code, and then watch as the company opens pathways for the hacker’s malware far and wide through its own customer base—sometimes in the form of software updates.5
Hackers are strategic in their choice of targets. In several recent incidents, hackers have implanted malware into software used by IT professionals to maintain their computer networks, clean hard drives, and develop software.6 In other words, hackers embed malware onto software that’s designed to be broadly distributed and used in the very networks and systems the hackers aim to compromise.
Trust is another critical factor. By now, most of us are at least generally aware of good cybersecurity protocols: We shouldn’t click on attachments from senders we don’t recognize or provide login credentials to anonymous phone callers. But when an IT professional downloads a software update from a vendor they’ve worked with in the past, they may trust that the update is free from malicious code. Indeed, keeping software updated is often considered an important cybersecurity best practice.7 By spreading malicious code through software updates, supply-chain hackers subvert this best practice into a new vulnerability.
An emerging errors and omissions risk
For technology companies, supply chain hacks are yet another cybersecurity risk to mitigate. They may also introduce new errors and omissions (E&O) liability exposures. Generally, E&O exposures manifest by mistakes or negligent acts made by a professional (or business) providing technology services that results in financial damage to a third party. For instance, a company that manages company networks could face the risk of a lawsuit if it installs software onto a client’s network that’s loaded with ransomware and encrypts all of the client’s data.
Companies that provide professional services or advice should consider obtaining an Errors and Omissions insurance policy which could potentially cover the cost to defend against lawsuits brought by clients or third parties and/or pay any resulting judgements and settlements, up to the limit of insurance.
To address the unique E&O exposures faced by technology companies and IT professionals, Verisk is currently developing a technology errors and omissions insurance policy program, which will join our existing lineup of professional liability insurance solutions. To learn more about the new technology E&O program and ISO Specialty Lines programs, please visit our webpage.