The challenges faced by underwriters have grown immensely in recent years. For underwriters working specifically within the technology sector on errors and omissions (Tech E&O) coverage, the risks they’re considering have converged with cyber risk, as increasing sophistication and frequency of cyber attacks rattle business operations across industries.
Companies in the technology industry are particularly risky because they tend to have more complex IT systems with many interconnected services and vendors. They are often operating large technology systems to support products and services for customers as well as their own internal resources for employees—and the inherent reliance on technology can make these companies more vulnerable to threat actors. Since tech companies cannot leverage “pen and paper” when systems go down, they can encounter longer downtimes—and with their often higher reliance on outside vendors than non-tech companies, they can face greater downstream risk.
Tech companies’ data and operations are also more often decentralized—both in systems and workforce—opening them up to greater risk via increased entry points. As a result, many Tech E&O underwriters are faced with analyzing significantly greater chances of attack, making the underwriting process all the more challenging.
So, where should underwriters start?
Assess Security Hygiene—Early and Often
Often, threat actors that gain access to a technology company’s network will not just encrypt that business’s files, but also steal its customers’ sensitive data and stall or compromise business operations at client businesses. With the Kaseya attack, the REvil ransomware group was able to gain access to managed service providers—impacting a larger audience—through Kaseya’s zero-day vulnerabilities (weaknesses that were not yet publicly known or patched). Around 1,500 customers of more than 50 MSPs were impacted, and unsurprisingly, the ransom demand to Kaseya was rumored to be in the tens of millions.
With this in mind, the need to assess a tech company’s general security hygiene early on and often is paramount. Tech E&O underwriters should tap into digital scanning tools built on AI techniques like machine learning to help identify and analyze large networks, rather than relying on self-reported accounts of server quantities and services.
Digital scanning tools can provide initial transparency into a company’s infrastructure, allowing underwriters to quickly identify any major red flags that could cause problems. By understanding the current state of an organization’s overall security posture, underwriters can verify that organizations are incorporating certain measures—like the use of email security software—to close security gaps. (Note: Corvus has found that there’s been a 158 percent lift in the use of email security software across industries.) Then, ongoing scanning provides the long-term picture, and any changes in security measures observed over time can be considered in the context of the company’s baseline.
Don’t Stop Evolving
These days, however, scans are only part of the answer for Tech E&O underwriters. While scans are great tools for giving underwriters insight into general security hygiene—which remains a strong starting point—many cloud-native technology companies have aspects of their IT systems that aren’t easily assessed through automated tools.
Since tech companies are on the cutting edge of new information technology, underwriters can’t simply wait for scanning technologies to catch up to help them. And while it’s been reported that the ratio of ransoms demanded to ransoms paid is on the decline, the insurance industry can expect threat actors to adapt their methodology and remain nimble.
With both sides of the risk consideration evolving quickly, it’s critical that underwriters stay just as agile, using any information or tools at their disposal to support their conversations about risk mitigation with insureds.
For example, today’s cyber scans can be supplemented with additional litigation risk quantification tools, which reflect current trends in legal action. There are variations in a tech company’s risk of getting sued based on exactly who their customers are, how many employees those customers have, and what industries they operate in. The data behind this are yet another stream of information that can help underwriters make accurate risk assessments in the face of a difficult environment.
In fact, resulting legal action by clients is shown to increase as employee headcount increases, underscoring how critical it is that underwriters build a foundational understanding of where the biggest vulnerabilities lie. A recent Corvus study shows that customers with 250 or more employees are 216 percent more likely to sue their technology vendors than companies with 10 or fewer employees, and twice as likely as companies with 11-50 employees.
With so many angles through which underwriters can assess risk, drawing on data from cybersecurity scans, using supplemental risk quantification tools, and staying up to date on security strategies are keys to success in the dynamic Tech E&O underwriting market.