30.3: Insurance and Liability Considerations
Economics teaches that actors respond to incentives. When the cost of insecurity falls on those making security decisions, investment follows. When costs are externalized—borne by others—investment lags. The market failures described in Section 30.1 persist partly because those who underinvest in security don't bear the full consequences of that underinvestment. Liability and insurance mechanisms can realign these incentives, creating economic pressure for security investment that voluntary approaches cannot achieve.
Cyber insurance has grown into a multi-billion dollar industry, with insurers increasingly scrutinizing policyholder security practices. Liability law is evolving, with the EU Cyber Resilience Act explicitly shifting responsibility to software manufacturers. Together, these mechanisms are reshaping the economics of software security—creating financial consequences for poor security practices that market forces alone never produced. Understanding this evolving landscape helps organizations prepare for a future where security investment is driven not just by good intentions but by economic necessity.
Cyber Insurance and Supply Chain Coverage
The cyber insurance market has matured rapidly, with global premiums reaching approximately $15-17 billion in 2024[2] and growing. As the market matures, insurers have become more sophisticated about risk assessment—and supply chain exposure has emerged as a critical underwriting concern.
Supply chain coverage challenges:
Supply chain attacks create difficult problems for insurers:
- Aggregation risk: A single compromised component (like MOVEit or SolarWinds) affects thousands of policyholders simultaneously
- Attribution complexity: Determining whether an incident stems from supply chain compromise versus other vectors affects coverage
- Policy limits: Widespread incidents can exhaust policy limits across an insurer's book of business
- Cascading effects: Supply chain compromises propagate unpredictably through interconnected systems
The NotPetya attack in 2017 demonstrated these challenges starkly. The attack spread through a compromised Ukrainian accounting software update, causing over $10 billion in damage globally[3]. Insurers faced claims from organizations who had never directly used the compromised software but were affected through business partners and interconnected systems.
Coverage and exclusions:
Cyber insurance policies vary significantly in supply chain coverage:
Typically covered:
- First-party losses from supply chain incidents affecting your systems
- Business interruption from supplier unavailability
- Incident response costs for supply chain-originating breaches
- Some third-party liability for downstream effects
Common exclusions or limitations:
- Systemic risk exclusions: Aggregate limits for widespread events
- Infrastructure failures: Outages affecting multiple policyholders
- Nation-state exclusions: Attacks attributed to state actors (contentious after NotPetya litigation[4])
- Waiting periods: Deductibles measured in hours before coverage begins
- Sublimits: Lower limits for supply chain-specific incidents
Underwriting evolution:
Insurers increasingly evaluate supply chain security during underwriting. While specific requirements vary by carrier and continue to evolve, common areas of inquiry include:
- Vendor risk management programs
- Vulnerability response procedures
- Network segmentation limiting supply chain blast radius
- Dependency inventory and SBOM capabilities (emerging requirement)
Explicit SBOM requirements are not yet universal in cyber insurance underwriting, but leading carriers are beginning to inquire about software inventory capabilities—particularly for technology companies and those in regulated industries. As regulatory frameworks like the EU CRA mandate SBOMs, insurers are likely to follow.
Organizations with mature supply chain security practices may receive better coverage terms. Those with poor practices face higher premiums, coverage restrictions, or declination.
Current Open Source Liability Framework
As discussed in Chapter 28, the traditional legal framework provides substantial liability protection for open source software through warranty disclaimers and the characterization of software as licensed rather than sold. This framework reflects historical assumptions that may not survive ongoing legal evolution.
Existing protections:
Open source licenses universally include warranty disclaimers:
"THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND..."
These disclaimers, combined with the absence of commercial transaction in most open source use, have historically insulated maintainers from liability claims. The practical barriers—individual maintainers lacking assets worth pursuing, causation complexity in supply chains, community backlash against litigation—have reinforced legal protections.
Protection limitations:
However, these protections are not absolute:
- Consumer protection laws may override disclaimers in some jurisdictions
- Disclaimers may not protect against gross negligence or intentional misconduct
- Commercial entities using open source in products may face different liability exposure
- Regulatory mandates can impose obligations regardless of license terms
For commercial organizations incorporating open source into products, the liability picture is more complex. The disclaimer protects the upstream maintainer; it doesn't necessarily protect the company that chose to use the component and shipped it to customers.
Product Liability Expansion to Software
Product liability law has traditionally applied to tangible goods, imposing strict liability on manufacturers for defects causing physical harm. The extension of product liability to software represents a significant legal evolution with major implications for supply chain security economics.
Traditional distinction:
Courts historically distinguished software from products:
- Software is licensed, not sold
- Software's intangible nature differs from physical products
- Complexity makes perfection impossible
- Users can inspect and choose risk levels
This distinction allowed software vendors to disclaim liability that physical product manufacturers could not.
Erosion of distinction:
This distinction is eroding:
- Software embedded in physical products (vehicles, medical devices) increasingly faces product liability treatment
- Standalone software's role in daily life resembles products
- User expectations treat software as products regardless of licensing terminology
- Courts in various jurisdictions have applied product liability concepts to software
The trajectory points toward treating software more like products, with corresponding manufacturer responsibility.
Supply chain implications:
Product liability expansion would transform supply chain economics:
- Component liability: Every component provider in the chain could face potential liability
- Due diligence requirements: Organizations would need to verify component security before incorporation
- Insurance mandates: Product liability coverage would become necessary for software producers
- Documentation demands: Evidence of security practices would become legally significant
This transformation would internalize externalities that currently leave security costs with victims rather than producers.
EU CRA and Shifting Liability
The EU Cyber Resilience Act (CRA) represents the most significant explicit shift of software security liability to date. As discussed in Chapter 26, the CRA imposes mandatory security requirements on products with digital elements sold in the EU market.
Liability provisions:
The CRA creates liability exposure through multiple mechanisms:
- Regulatory penalties: Non-compliance with essential requirements triggers fines up to €15 million or 2.5% of global turnover[5]
- Civil liability: Manufacturers are liable for damage caused by non-compliant products
- Non-waivable rights: Liability cannot be disclaimed away—consumers retain claims regardless of contract terms
- Burden shift: Manufacturers bear responsibility for demonstrating compliance
Impact on supply chain economics:
The CRA transforms economic incentives:
- Cost internalization: Security failures now carry direct financial consequences for manufacturers
- Supply chain responsibility: Manufacturers must ensure component security, creating pressure through the supply chain
- Investment incentives: Avoiding liability costs requires security investment
- Insurance demand: Manufacturers will need coverage for CRA-related liability
For open source, the CRA's carve-outs protect non-commercial development while placing responsibility on commercial integrators. Companies that profit from open source bear the compliance burden—creating incentives for them to invest in the security of components they use.
Broader influence:
The CRA will likely influence developments elsewhere:
- Other jurisdictions may adopt similar frameworks
- Multinational companies may apply CRA-level practices globally for consistency
- CRA compliance may become de facto international standard
- U.S. policy discussions reference CRA as model
Even organizations not directly subject to CRA may feel its effects through customer requirements, competitive pressure, and evolving expectations.
Insurance as Incentive Mechanism
Insurance creates incentives through pricing mechanisms that reward security investment and penalize poor practices. This incentive function may prove as significant as the risk transfer insurance provides.
Underwriting requirements:
Insurers increasingly mandate specific security controls for coverage:
- Multi-factor authentication
- Endpoint detection and response
- Backup and recovery capabilities
- Vulnerability management programs
- Supply chain security practices
Organizations lacking required controls face coverage denial, exclusions, or significantly higher premiums. This creates direct financial incentive for security investment.
Premium differentiation:
Insurers differentiate premiums based on assessed risk and security maturity:
- Organizations with strong security practices receive favorable rates
- Those with poor practices pay more or face declination
- Premium savings can offset security investment costs
- Multi-year improvement trajectories affect pricing
This differentiation channels economic pressure toward security investment in ways regulatory mandates alone cannot achieve.
Claims experience:
Insurance claims experience creates feedback:
- Organizations with claims face premium increases
- Claims analysis identifies security gaps
- Post-incident requirements drive improvement
- Market-wide claims data influences underwriting standards
The accumulating data on supply chain incidents is shifting underwriting attention to this risk category.
Limitations:
Insurance as incentive mechanism has limits:
- Not all organizations carry cyber insurance
- Coverage terms vary significantly
- Risk assessment capabilities are still maturing
- Aggregate events challenge insurance model sustainability
Insurance works best alongside—not instead of—other incentive mechanisms including regulation, liability, and market pressure.
Future Trajectory
While predicting legal and market evolution involves inherent uncertainty, multiple observable trends point toward increased liability exposure for software security. The following analysis reflects current trajectories that may accelerate, stall, or shift based on political, economic, and technological developments.
Regulatory expansion:
The EU CRA represents the most concrete liability shift, but similar approaches are under discussion elsewhere:
- The U.S. National Cybersecurity Strategy (March 2023) explicitly calls for legislation to "prevent manufacturers and software publishers with market power from fully disclaiming liability by contract" while establishing "higher standards of care for software in specific high-risk scenarios"[1]
- The UK's Product Security and Telecommunications Infrastructure Act (2022) imposes security requirements on connected devices
- Sector-specific regulations (FDA medical device guidance, NERC CIP for energy, TSA pipeline directives) increasingly address software supply chain security
Judicial evolution:
Case law continues to develop, though landmark software liability precedents remain limited:
- The NotPetya insurance litigation (Merck, Mondelez) established that traditional war exclusions may not apply to state-sponsored cyberattacks, potentially expanding coverage
- Courts have applied product liability concepts to software embedded in physical products, though standalone software treatment remains inconsistent across jurisdictions
- Class action mechanisms enable aggregation of diffuse harms, making litigation economically viable even when individual damages are modest
Insurance market maturation:
Insurers are refining their approach to supply chain risk:
- Underwriting questionnaires increasingly address third-party risk management, vulnerability response, and software inventory
- Post-NotPetya policy language updates (including Lloyd's 2022 state-backed attack exclusions) show insurers actively managing aggregation exposure
- Premium differentiation based on security maturity creates measurable financial incentives
Policy advocacy:
Software liability reform remains an active policy discussion:
- The National Cybersecurity Strategy proposes "safe harbor" frameworks for organizations following recognized security practices
- Industry groups and open source advocates engage on frameworks that incentivize security without imposing unworkable burdens on volunteers or small developers
- Bipartisan interest in critical infrastructure security may accelerate supply chain-focused legislation
Organizations should monitor these developments and plan for a future where software security liability carries real financial consequences—recognizing that the pace and specifics of this evolution remain uncertain.
Recommendations
We recommend organizations prepare for the evolving liability and insurance landscape:
For risk managers:
- Review cyber insurance coverage for supply chain provisions, exclusions, and sublimits
- Evaluate SBOM capabilities as insurers increasingly expect dependency visibility
- Document security practices to demonstrate due diligence
- Assess EU CRA exposure for products sold in or affecting EU market
For executives:
- Treat liability evolution as strategic issue affecting product decisions and market access
- Budget for compliance costs associated with emerging regulatory requirements
- Consider insurance as an incentive, using premium savings to justify security investment
- Plan for manufacturer responsibility even when using open source components
For legal teams:
- Monitor liability developments in courts and legislatures
- Review supplier agreements for security requirements and indemnification
- Assess open source usage for liability implications of component choices
- Prepare for CRA compliance if EU market access is relevant
For the ecosystem:
- Support safe harbor development protecting those following security best practices
- Advocate for liability frameworks that incentivize investment without crushing innovation
- Develop industry standards that can serve as compliance baselines
- Share best practices that help organizations meet evolving expectations
The shift toward software security liability represents fundamental change in the economics of security investment. Organizations that prepare for this shift—implementing security practices, documenting due diligence, and securing appropriate insurance coverage—will navigate the transition more successfully than those caught unprepared.
[1] National Cybersecurity Strategy (2023), Strategic Objective 3.3: "Shift Liability for Insecure Software Products and Services."
[2] Munich Re estimates global cyber insurance premiums at $15.3 billion for 2024; Guy Carpenter estimates $16.6 billion.
[3] White House statement (February 2018) attributed NotPetya to Russian military and confirmed over $10 billion in global damages. Individual corporate losses included Maersk ($200-300M), FedEx ($400M), Merck ($1.4B claim), and Saint-Gobain ($384M).
[4] Mondelez v. Zurich settled in October 2022 for undisclosed terms during the final week of trial. Merck won a $1.4 billion judgment against Ace American in January 2022 over the war exclusion; the appellate court upheld the ruling, and the case settled in 2024.
[5] EU Cyber Resilience Act, Article 64, establishes administrative fines up to €15 million or 2.5% of total worldwide annual turnover (whichever is higher) for violations of essential requirements in Annex I and obligations in Articles 13-14. Lower tiers apply to other violations.