The Network and Information Security Directive (NIS2) and Digital Operational Resilience Act (DORA) legislation – both of which must be implemented by select businesses in the EU this year1 – are set to reshape the cyber security landscape across the continent.
Though NIS2 and DORA legislation may not directly apply to some IT and software companies, their customers might choose to assess the cyber security and operational resilience of their critical third-party providers to ensure compliance with the legislation. As such, it is vitally important that technology companies are aware of the new requirements and the possible risks involved, to implement risk mitigation strategies accordingly.
This article suggests some ways that IT and software companies can minimise their exposure to risk and liability, considering this new legislation.
Software Vulnerability Disclosure Policy (VDP): Encourage a culture of responsible vulnerability-reporting by establishing a well-defined VDP. Customers should be incentivised to report vulnerabilities to their IT or software provider. The VDP should clearly outline how to report vulnerabilities, the process for coordinating fixes, and assure reporters of anonymity and protection from retaliation.
Patch Management: Establish a system for swiftly addressing vulnerabilities identified through internal testing or customer reports. When vulnerabilities are found, IT companies should clearly communicate to their customers the nature of the problem, the potential impact, and the availability of a patch or update.
Use Clear Language: Avoid jargon or overly technical language when communicating security issues or updates to customers. Using clear and concise language will make communications easy for their customers to understand.
Document Everything: IT companies should create well-defined processes to document all interactions with customers, including advice given and any agreements made. Should they have a disagreement with a customer or encounter the threat of liability, having detailed documentation may help support their position.
Customer Confidence: Acquiring certifications or SOC2 audit reports can assure customers that their IT provider’s security control environment is secure and of a high standard. Maintain readiness to share evidence of control testing under determined circumstances with customers and regulators.
Threat-Led Penetration Testing: Where required by customers, IT companies should plan to participate in threat-led penetration testing exercises including pooling testing.
Clear Disclaimers: For software providers, include disclaimers in software license agreements that outline the limitations of the software's security capabilities, to set clear expectations. Highlight what the software is designed to do and the security measures that have been implemented within its functionalities.
Service Scope: A well-defined contract and/or Service Level Agreement (SLA) outlines the specific services provided by the technology company and its obligations. This will help to establish exactly what the technology company is responsible for. It is also useful to state what the IT provider will not do, for the avoidance of doubt.
Customer Obligations: The contract should clearly outline the customer's security responsibilities, the most important being the notification of incidents. Responsibilities may also include timely software updates, proper user access controls, and adherence to security best practices. When working with large organisations that have their own in-house IT departments, the need for clear wording detailing each party’s obligations is even more important.
Limited Warranties: Consider including limited warranties in agreements between IT provider and customer that disclaim liability for indirect or consequential damages arising from cyber attacks, and ensure liability is always limited to a reasonable amount. These limitations can help to manage potential liability exposure.
Indemnification Clauses: In some cases, IT and software companies might consider incorporating indemnification clauses in their agreements. They may also want to include force majeure clauses, such as defining a cyber attack as a force majeure in the contract. Such clauses may shift some liability to the customer, but they are complex and may not be enforceable in all jurisdictions. Consulting with legal counsel is crucial.
Security Documentation: Comprehensive IT security documentation can empower customers to use their software securely. This documentation should outline best practices for the secure configuration and deployment of software and help them to get the most out of its security features. As mentioned above, the language in this documentation should be thorough and easy to understand.
Informing Customers: IT and software companies should aim to inform customers if their existing or proposed level of IT security is deficient. For example, if they do not use multi-factor authentication or have poor firewall capability. Whenever customers are informed of such weaknesses, it should be clearly documented.
Security Awareness Training: Tech companies should consider offering cyber security awareness training to their customers. This training can educate them on how to use their IT systems securely and identify potential threats. It is equally important for IT companies to ensure they are also conducting similar training internally.
These are general recommendations, and the specific processes implemented will depend on the nature of a technology company’s operations and products, their target market, and the legal environment in which they operate. Consulting with legal counsel and insurer is crucial to ensure their approach aligns with relevant regulations and best practices. However, the general principles outlined here may help IT and software companies to build a more robust and resilient framework to mitigate risk and liability.
From general liability to cyber, property to errors and omissions, Chubb’s Technology Industry Practice provides insurance solutions for technology businesses of all sizes across a broad range of sectors.
1 DORA and NIS2: Two EU legislative instruments”, Deloitte 2023.
Disclaimer: This information is descriptive only. All products may not be available in all jurisdictions. Coverage is subject to the language of the policies as issued.
We’re here with an answer.