Neglected Software Vulnerabilities and Their Costs
Cyber insurance is essential for the internet-connected business. Yet, when was the last time you reviewed your policy? You may find new text outlining coverage for neglected software vulnerabilities. You may not even know what that involves. This article explains these vulnerabilities and how to avoid their associated costs.
Cyber insurance typically helps cover the costs associated with the following common risks:
- network security failure;
- class action litigation;
- regulatory fines related to violating standards or privacy legislation;
- business interruption.
Still, cyber threats always evolve. As a result, insurance companies continually rewrite their policies to cover risk areas. More insurers are adding neglected software vulnerabilities to their policies. Here’s what that means for your business.
What is a neglected software vulnerability?
Keeping your software current is an important best practice. It’s your responsibility to check for vulnerabilities and protect your systems. The National Vulnerability Database (NVD) informs businesses globally of known threats and patches available.
Patching the vulnerability helps prevent business losses, yet you may not be able to do so right away. You may need to test the update’s compatibility and capacity before installing it.
Even so, once the NVD publishes a vulnerability and its patch, many insurers give you 45 days to apply it. If you fail to address a known threat within that window, that’s considered neglect. The longer you neglect that vulnerability, the more responsibility you’ll bear.
The costs of a neglected software vulnerability
Software vulnerabilities can lead to network failure, business interruption, and liability. You could end up needing to cover:
- IT forensics;
- data restoration;
- legal expenses;
- lost profit;
- credit monitoring and identity restoration;
- expenses for implementing workarounds.
Yet insurers cover neglected software vulnerabilities on a sliding scale. Once you know about a vulnerability, you’re expected to patch it. So, the longer you wait, the more you’ll pay.
Chubb, for example, shifts more risk to its policyholders after 46, 91, 181, and 366 days. The limit of insurance covered might start at $1,000,000 with zero percent coinsurance costs. For neglected exploits 46–90 days old, the coverage falls to $500,000, and coinsurance increases to five percent.
Addressing software vulnerabilities
Cybercriminals continue to exploit publicly known vulnerabilities. Why? Because organizations continue to neglect patching and upgrading against known security risks.
Your attack surface grows when your business adds applications, merges with another organization, or allows employees to bring their own devices to work. Using legacy software that has reached its end of life can also leave you vulnerable.
Scanning your software for vulnerabilities could expose many risks. You may need to prioritize which to patch first. It can help to consider which ones pose the greatest risk to your mission-critical systems.
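One way to turn the scan results into a patch backlog that respects the insurer's clock is a small patch-aging tracker. The script below is an added illustration, not code from the article or from any insurer: it computes how many days each known vulnerability has gone unpatched since its NVD publication date, maps that age onto the 45-day grace period and the 46/91/181/366-day tiers the article attributes to Chubb, and orders open items so mission-critical systems and the oldest neglected fixes surface first. The identifiers, dates, severity scores and the mission-critical flag in the sample inventory are constructed placeholders, and the ordering rule (mission-critical first, then neglect tier, then severity, then age) is one reasonable choice rather than anything the article prescribes.

```python
"""Patch-aging tracker: flag vulnerabilities past the insurer's grace period.

Added example, not from the article. All vulnerability identifiers, dates
and scores below are constructed placeholders, not real CVE records.
"""
from dataclasses import dataclass
from datetime import date

# Grace period many insurers allow after the NVD publishes a fix (per the article).
GRACE_PERIOD_DAYS = 45
# Day counts at which the article says Chubb shifts more risk to the policyholder.
TIER_BOUNDARIES = (46, 91, 181, 366)


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str            # placeholder identifier, not a real CVE number
    published: date         # date the NVD entry and its patch became public
    severity: float         # assumed 0-10 severity score (constructed)
    mission_critical: bool  # whether the affected system is mission-critical
    patched: bool           # whether the fix has been deployed


def days_unpatched(v: Vulnerability, today: date) -> int:
    """Days elapsed since the vulnerability and its patch were published."""
    return (today - v.published).days


def neglect_tier(age_days: int) -> int:
    """0 = inside the grace period; 1..4 = past 45, 90, 180 and 365 days respectively."""
    return sum(1 for boundary in TIER_BOUNDARIES if age_days >= boundary)


def is_neglected(v: Vulnerability, today: date) -> bool:
    """An unpatched item older than the grace period counts as neglected."""
    return not v.patched and days_unpatched(v, today) > GRACE_PERIOD_DAYS


def neglected_ids(inventory, today: date):
    """Identifiers of every item the insurer would already treat as neglected."""
    return sorted(v.vuln_id for v in inventory if is_neglected(v, today))


def prioritize(inventory, today: date):
    """Open items ordered by: mission-critical, deepest neglect tier, severity, age."""
    open_items = [v for v in inventory if not v.patched]
    return sorted(
        open_items,
        key=lambda v: (
            v.mission_critical,
            neglect_tier(days_unpatched(v, today)),
            v.severity,
            days_unpatched(v, today),
        ),
        reverse=True,
    )


# Constructed sample inventory with a fixed "today" so the output is reproducible.
TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = [
    Vulnerability("PLACEHOLDER-0001", date(2024, 5, 20), 9.8, True, False),
    Vulnerability("PLACEHOLDER-0002", date(2024, 3, 1), 5.3, False, False),
    Vulnerability("PLACEHOLDER-0003", date(2024, 1, 10), 7.5, True, False),
    Vulnerability("PLACEHOLDER-0004", date(2023, 5, 1), 8.1, False, True),
    Vulnerability("PLACEHOLDER-0005", date(2024, 4, 10), 6.1, False, False),
]


def report(inventory=SAMPLE_INVENTORY, today=TODAY):
    """One row per open item, in patch-priority order."""
    rows = []
    for v in prioritize(inventory, today):
        age = days_unpatched(v, today)
        rows.append((v.vuln_id, age, neglect_tier(age), is_neglected(v, today)))
    return rows


if __name__ == "__main__":
    print(f"{'id':<18} {'age':>4} {'tier':>4}  neglected")
    for vuln_id, age, tier, neglected in report():
        print(f"{vuln_id:<18} {age:>4} {tier:>4}  {neglected}")
```

Run as-is to see the ordered backlog for the constructed inventory; in practice the inventory would come from your scanner's export and `today` from the current date. The tier boundaries are kept in one tuple so they can be changed to match whatever your own policy specifies.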
Lack the expertise to detect and mitigate vulnerabilities? A managed service provider can help keep your software up to date to prevent exploitation. Book an appointment today.