Technology companies spend every day in the bullseye of cyberattacks. They are at risk from many directions, as both providers and consumers.
As providers, many technology companies must perpetually manage the risks in their software supply chains. “Technology firms are increasingly using modular approaches for software development, pulling in open-source components which have the functionality they need,” said Grant Thornton Cybersecurity and Privacy Advisory Services Managing Director Maxim Kovalsky. “A lot of code is not written from scratch by developers. In reality, developers often find and use packages that someone else recommends to provide particular functionality. This enables a rapid development cycle.”
“As technology companies become increasingly dependent on external components and other outside factors in their supply chains, their roles as providers and consumers have merged — and their cyber risk awareness must expand,” said Grant Thornton Technology and Telecommunication Industries National Leader Steven Perkins. Risks can arise anywhere along the continuous integration and continuous deployment (CI/CD) pipeline. “Securing CI/CD pipelines along every step in the build process is essential, because that assures your code hasn’t been tampered with along the way,” Kovalsky said.
In the wake of high-profile attacks on common software components and vulnerabilities, technology companies have re-examined their supply chains from both the provider and consumer perspectives. “The industry is taking a deeper look at the level of scrutiny — and the level of assurance — that they need to go through for the software they build and the software they buy,” Kovalsky said.
To support this expanded approach to cybersecurity risk, technology companies need a strategy with three critical legs, each of which is essential to the whole:
- Contractual terms
Consider how to build cybersecurity protections into your vendor requirements and contracts. “Contractually, you can require a SOC 2 or an ISO certification,” said Grant Thornton Forensic Technology Principal and National Practice Leader Johnny Lee. “You should do those things because that’s a risk mitigation that’s tried and tested. Likewise, you should revisit your contracts and seek meaningful protections through contractual provisions, indemnifications, limitations on liability, and the duty to disclose and cooperate during an investigation. All of those things are creatures of contract and make sense to address.”
However, Lee said, firms also need to go further to ensure that these protections are meaningful. Kovalsky added that SOC 2 reports, for example, can leave gaps in assurance. “Many are finding that SOC 2 does not provide them with enough visibility and confidence to know that the teams who build the software actually follow all of the best software development practices.” Increasingly, tech firms are seeking a Software Bill of Materials (SBOM) — as the U.S. federal government has begun doing. “For the most critical software, buyers are demanding to know the components of the software. What are the open-source libraries? What versions of those libraries are being used at the time of the release or the purchase, and what are the associated risks?” Kovalsky said.
- Internal assurance
You must ensure that you’ve done what you can to strengthen cybersecurity from within your organization. “You need to have a candid assessment of what you’re able to do internally with your skills, personnel and bandwidth,” Lee said. Most organizations do not have the internal resources to guard against sophisticated attacks like SolarWinds on their own. However, they can take several measures to bolster their capacities for both defense and recovery. Conduct an inventory of where software is deployed, and maintain IT asset management, configuration management databases and good data hygiene. “When the Log4j event happened, most organizations struggled to understand what components were in all of the software that they had within the enterprise,” Kovalsky said. This is where IT asset management needs to integrate with the first leg of your strategy, pulling information from each vendor’s SBOM. “The SBOM doesn’t solve the problem by itself, but a process for managing and tracking the SBOMs that are received goes a long way,” Kovalsky said.
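The process Kovalsky describes, managing and tracking received SBOMs so that a question like "where is this component deployed, and at which version?" can be answered quickly, can be reduced to a small inventory tool. The following is an added example, not code from the article or from Grant Thornton; the two SBOM documents are constructed, simplified CycloneDX-style JSON, the product and vendor names are invented, and the "affected below" threshold passed to the query is an illustrative value rather than a quotation from any advisory.

```python
"""Treat received SBOMs as a queryable inventory: which deployed products
contain a given component, and at which version?  Added example; the SBOMs
below are constructed, simplified CycloneDX-style JSON, not real vendor data."""
import json
import re
from collections import defaultdict

# Constructed SBOMs, keyed by the product (invented names) each one was received with.
SBOMS = {
    "vendor-a/ticketing-portal@4.2.0": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
            {"group": "com.fasterxml.jackson.core", "name": "jackson-databind", "version": "2.13.0"},
        ],
    }),
    "vendor-b/billing-service@1.9.3": json.dumps({
        "bomFormat": "CycloneDX",
        "components": [
            {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
            {"group": "org.springframework", "name": "spring-core", "version": "5.3.20"},
            # A vendor that omits the version leaves a gap the process must surface, not hide.
            {"group": "org.apache.commons", "name": "commons-text"},
        ],
    }),
}


def parse_version(text: str) -> tuple:
    """Numeric-only comparison key: "2.14.1" -> (2, 14, 1). Pre-release tags are ignored
    in this simplified comparison; a real tool should use the ecosystem's version rules."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def build_inventory(sboms: dict) -> dict:
    """Map (group, name) -> [(product, version-or-None), ...] across every received SBOM."""
    inventory = defaultdict(list)
    for product, raw in sboms.items():
        bom = json.loads(raw)
        for comp in bom.get("components", []):
            key = (comp.get("group", ""), comp["name"])
            inventory[key].append((product, comp.get("version")))
    return inventory


def find_affected(inventory: dict, group: str, name: str, affected_below: str) -> list:
    """Products shipping the component at a version lower than `affected_below`
    (an illustrative threshold supplied by the caller)."""
    ceiling = parse_version(affected_below)
    return sorted(product
                  for product, version in inventory.get((group, name), [])
                  if version is not None and parse_version(version) < ceiling)


def unknown_versions(inventory: dict) -> list:
    """(product, group, name) entries whose SBOM gave no version. Treat these as
    unresolved follow-ups with the vendor, never as 'not affected'."""
    return sorted((product, group, name)
                  for (group, name), uses in inventory.items()
                  for product, version in uses
                  if version is None)


if __name__ == "__main__":
    inv = build_inventory(SBOMS)
    print("needs attention:", find_affected(inv, "org.apache.logging.log4j", "log4j-core", "2.17.1"))
    print("version unknown:", unknown_versions(inv))
```

The point of `unknown_versions` is the caveat practitioners hit in practice: an SBOM that names a component without its version answers the "what is in it?" question but not the "is it affected?" one, so those entries have to be chased with the vendor rather than dropped from the report.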
From the perspective of a software provider, companies need to automate testing gates that verify the security of the software and its integrity throughout the build cycle. “You also need some guardrails about which open-source components, and which versions, can, should or should not be used,” Kovalsky said. He added that companies need controls to ensure that the final build of the software corresponds with all the inputs. “With the SolarWinds incident, essentially the code the developers were writing was not the code that ended up being built. That means there was a lack of steps to authenticate the software, or assure what’s known as ‘provenance,’” Kovalsky said.
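The control Kovalsky describes, a check that the final build corresponds to all of its inputs so that "the code the developers were writing" is demonstrably the code that shipped, is what a build-provenance attestation gives you. The following is an added example, not code from the article or from any attestation project: it records per-file digests of the source inputs and the digest of the output, signs that record, and lets a release gate refuse an artifact whose inputs or output differ from the record. The statement layout is a simplified stand-in for a real attestation format, HMAC with a shared key stands in for the build system's signing key, and the source files, builder identifier and "compiler" are all constructed for the demonstration.

```python
"""Minimal build-provenance check for a release gate.  Added example; the
statement format is a simplified stand-in and HMAC with a shared key stands in
for a real signing key held only by the build system."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_tree(root: str) -> dict:
    """{relative_path: sha256} for every file under root, in sorted path order."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = sha256_hex(fh.read())
    return dict(sorted(digests.items()))


def canonical(obj) -> bytes:
    """Deterministic serialization so the signature covers exactly one byte sequence."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_provenance(source_root: str, artifact: bytes, builder_id: str, key: bytes) -> dict:
    """Produced by the build system at the end of the build step."""
    body = {
        "builder": builder_id,
        "materials": digest_tree(source_root),  # the inputs that went into the build
        "subject": sha256_hex(artifact),         # the output that came out of it
    }
    return {"body": body, "sig": hmac.new(key, canonical(body), "sha256").hexdigest()}


def verify_provenance(stmt: dict, source_root: str, artifact: bytes,
                      key: bytes, expected_builder: str) -> list:
    """Return a list of findings; an empty list means the artifact passes the gate."""
    body = stmt["body"]
    expected_sig = hmac.new(key, canonical(body), "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, stmt["sig"]):
        return ["provenance signature invalid"]  # nothing else in the statement can be trusted
    findings = []
    if body["builder"] != expected_builder:
        findings.append(f"unexpected builder: {body['builder']}")
    if body["materials"] != digest_tree(source_root):
        findings.append("source inputs differ from recorded materials")
    if body["subject"] != sha256_hex(artifact):
        findings.append("artifact digest does not match the build output")
    return findings


def toy_build(source_root: str) -> bytes:
    """Stand-in for a compiler: concatenates all sources in path order."""
    out = b""
    for rel in digest_tree(source_root):
        with open(os.path.join(source_root, rel), "rb") as fh:
            out += fh.read()
    return out


def demo() -> dict:
    """Run the gate against a clean build and three tampering scenarios (all constructed)."""
    key = b"constructed-build-signing-key"
    builder = "ci.example.invalid/builder"  # hypothetical builder identity
    with tempfile.TemporaryDirectory() as src:
        with open(os.path.join(src, "main.c"), "w") as fh:
            fh.write("int main(void) { return 0; }\n")
        with open(os.path.join(src, "util.c"), "w") as fh:
            fh.write("int helper(int x) { return x + 1; }\n")
        artifact = toy_build(src)
        stmt = make_provenance(src, artifact, builder, key)
        results = {"clean": verify_provenance(stmt, src, artifact, key, builder)}
        # Output altered after the build step finished: the shipped binary is not the built one.
        results["tampered_artifact"] = verify_provenance(stmt, src, artifact + b"/* appended later */", key, builder)
        # Source altered after the build: the record no longer describes the tree being reviewed.
        with open(os.path.join(src, "util.c"), "a") as fh:
            fh.write("/* unreviewed change */\n")
        results["tampered_source"] = verify_provenance(stmt, src, artifact, key, builder)
        # Statement edited without the key: the signature no longer covers the body.
        forged = {"body": dict(stmt["body"], subject=sha256_hex(artifact + b"x")), "sig": stmt["sig"]}
        results["forged"] = verify_provenance(forged, src, artifact, key, builder)
    return results


if __name__ == "__main__":
    for scenario, findings in demo().items():
        print(f"{scenario}: {findings or 'OK'}")
```

The gate checks the signature first and stops there on failure, because a statement whose signature does not verify says nothing reliable about materials or subject. In a production pipeline the materials would also include the builder image and dependency lock file, and the key would be held by the build service rather than shared with the verifier.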
- Insurance
The third element is the classic residual risk response, as Lee says: “That which you can neither prevent nor detect, you should insure for.” A side benefit to insurance is that insurers often require examinations that can help you identify risks. “The things that the insurers are asking you to do are actually very good things,” said Grant Thornton Cyber Risk Advisory Services Principal John Pearce. “A presidential executive order on how to protect your organization, or guidance from the Cybersecurity and Infrastructure Security Agency, will advise you to use multifactor authentication and endpoint detection response capabilities. These are the areas that insurers are really pushing,” Pearce said. “I think that we will see increasing scrutiny by underwriters, evaluating the robustness of the management focus on third-party risk,” Kovalsky said. He added that insurance companies are well aware of the unique risks which technology companies face as both providers and consumers. “The concept of aggregate risk really comes to focus for software makers and technology providers, where a breach against their systems could have aggregate effects on all of their customers and clients. There’s higher scrutiny on firms that expose carriers to those aggregate risks.”
It’s also worth considering what insurance your supply chain partners are carrying. “Understand the nature of your key vendors — that they themselves might not be sitting on a war chest able to pay out on claims, especially if they’re self-insured. Ask about the insurance coverage that key vendors have. I think that’s quite relevant to the risk calculus,” Lee said.
Turn a risk into an advantage
As technology companies face cybersecurity risks from multiple directions, they can win market share by getting ahead of the issue and turning cybersecurity into a competitive differentiator.
“What I’ve seen as a competitive advantage is tech companies that are very transparent on their website and in marketing about the level of diligence that goes into securing their products,” Kovalsky said. “Try to anticipate the requests that might come from potential customers and clients that want to get a level of assurance and confidence.”
Clients find it reassuring when a company has already met their cybersecurity requirements in advance. “You can seek and obtain SOC reports and ISO certifications for your data centers,” Lee said. “You can publish the level of diligence with which you test your own product, or have independent parties do the same. I think those are important, but we’re also seeing that go a little further.” Kovalsky explained, “Some companies have webpages, webcasts, articles and case studies dedicated to describing the details of activities that the teams take to secure the product. When they talk about software, it’s not just the functionality of the product, but also what’s behind it in terms of security. Certainly, that’s being used as a competitive differentiator.”
Lee said that you can think about cybersecurity as a differentiator when dealing with vendors, as well. “It’s the flipside of the coin. It’s asking, ‘What is it that we can do vis-à-vis that key vendor, to up our defensibility quotient — to better cover our risks?’ You can seek better indemnification; you can update the contract to confirm and guarantee that they are required to disclose issues that they see before you do. Those notice disclosures and cooperation requirements can be baked into a contract, and general counsel should be negotiating those.”
Some cybersecurity partners even carry insurance coverage that extends to their customers. “I think you’ll see creative solutions like that, to address ‘How do we differentiate ourselves in a crowded marketplace? As a technology company, what are we doing differently to address these core concerns?’” Lee said.
To address cybersecurity concerns, you need the three legs of your strategy to work together. “For instance, you need to do this with the practical guidance that your indemnifications may be rock solid in a contract — but if you have a $10 million claim against a company that makes $1.5 million a year, that’s not very meaningful,” Lee said. Insurance may be needed to cover that residual risk.
“A lot of this comes down to an assessment of your vendors, knowing what they are and what they provide, and then revisiting the vendors that have more access to your environment or serve a critical infrastructure role,” Lee said. “Seek protections through third-party assessments, internal audits, SOC reports, contractual provisions and more; take on the internal diligence that you can; then insure for the remainder.”
“Cybersecurity will continue to be an essential issue for tech companies, and the pressure’s not going to abate just because there’s a recession or a slowdown in spending,” Perkins said. To manage cybersecurity risks, technology companies need clear understandings of their capabilities and protections on every front — because they can be targeted on every front, on any day.
About the authors
Steven R. Perkins is the national leader for the technology and telecommunications industries at Grant Thornton LLP. Johnny Lee is a principal in the advisory services practice at Grant Thornton LLP. John Pearce is a principal in the cyber risk advisory services practice at Grant Thornton LLP. Maxim Kovalsky is a managing director in the cybersecurity and privacy advisory services at Grant Thornton LLP.