Best Practices for Managing Cyber Risks in Open-Source Software
Discover key strategies to mitigate cybersecurity risks in open-source software such as vetting standards, compliance, and the role of cyber insurance.
In 2024, IT Services and Consultants was one of the many industries that saw a net rise in cyber threat activity, showing that while the technology industry tends to have more advanced security controls than some other highly targeted industries (such as construction), companies with large IT footprints are still appealing targets for threat actors.
What are Corvus’s Tech E&O underwriters keeping an eye on for the Tech E&O market? We’re sharing a few major trends in today’s post.
In 2024, ransomware groups shifted away from relying on high-profile software vulnerabilities and instead focused on more scalable, repeatable methods of gaining access to victim networks. A key tactic involved targeting virtual private network (VPN) accounts with weak credentials and no multifactor authentication (MFA).
This shift in approach was confirmed by the leak of a ransomware training playbook in mid-2023, which outlined strategies for exploiting VPNs by identifying common usernames like “admin” or “test” and attempting combinations of easily guessed passwords. The method proved effective, allowing attackers to gain access with minimal effort.
By Q3 2024, nearly 30% of ransomware incidents were attributed to attackers exploiting VPN vulnerabilities and weak passwords for initial access. These incidents often stemmed from outdated software or VPN accounts lacking adequate protection, making them susceptible to automated brute-force attacks.
This shift underscores the importance of robust cybersecurity practices, including the use of strong, unique passwords and the implementation of MFA across all remote access points. And it’s not just about self-protection. Many tech companies develop the software used by others, putting them at risk of downstream liability if an exploited product impacts customers.
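The credential-guessing pattern described above is straightforward to spot in VPN authentication logs, and the same logs reveal the second weakness the post names: sessions that succeed with no second factor. The script below is an added example written for this post, not Corvus code or any vendor's tooling. The log format is a constructed key=value syslog layout (hypothetical gateway name `vpn-gw`, fields `user`, `src`, `result`, `mfa`), and the sample lines are made up; the list of default-style usernames starts from the two the leaked playbook cited (“admin”, “test”) and adds a few assumed ones.

```python
"""Flag credential guessing against a VPN gateway and successful logins without MFA.

Added example; the log format is a constructed, hypothetical key=value syslog
layout, not the output of any particular VPN product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. 203.0.113.5 hammers default-style accounts and then
# succeeds against "admin" with no MFA; 198.51.100.7 is an ordinary user who
# mistypes once and then passes a TOTP challenge; 192.0.2.9 fails twice, hours apart.
SAMPLE_LOG = """\
2024-09-01T02:14:01Z vpn-gw auth: user=admin src=203.0.113.5 result=FAIL mfa=none
2024-09-01T02:14:03Z vpn-gw auth: user=test src=203.0.113.5 result=FAIL mfa=none
2024-09-01T02:14:05Z vpn-gw auth: user=admin src=203.0.113.5 result=FAIL mfa=none
2024-09-01T02:14:08Z vpn-gw auth: user=root src=203.0.113.5 result=FAIL mfa=none
2024-09-01T02:14:11Z vpn-gw auth: user=test src=203.0.113.5 result=FAIL mfa=none
2024-09-01T02:14:15Z vpn-gw auth: user=admin src=203.0.113.5 result=FAIL mfa=none
2024-09-01T02:14:20Z vpn-gw auth: user=admin src=203.0.113.5 result=SUCCESS mfa=none
2024-09-01T08:02:40Z vpn-gw auth: user=alice src=198.51.100.7 result=FAIL mfa=none
2024-09-01T08:02:55Z vpn-gw auth: user=alice src=198.51.100.7 result=SUCCESS mfa=totp
2024-09-01T09:00:00Z vpn-gw auth: user=bob src=192.0.2.9 result=FAIL mfa=none
2024-09-01T11:30:00Z vpn-gw auth: user=bob src=192.0.2.9 result=FAIL mfa=none
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\w+) mfa=(?P<mfa>\S+)$"
)

# "admin" and "test" are the names the leaked playbook cited; the others are
# assumed additions typical of default or built-in accounts.
DEFAULT_ACCOUNTS = {"admin", "test", "guest", "root", "vpn"}


def parse_log(text):
    """Parse the constructed format into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_credential_guessing(events, window=timedelta(minutes=10), threshold=5):
    """Return {src: details} for sources with >= threshold failures inside one window.

    A sliding window over each source's sorted failure timestamps keeps this
    linear per source and avoids flagging slow, unrelated typos (192.0.2.9 above).
    """
    fails = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["src"]].append(ev)
    flagged = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            users = {e["user"] for e in evs}
            flagged[src] = {
                "failures_in_window": best,
                "distinct_users": sorted(users),
                "default_accounts": sorted(users & DEFAULT_ACCOUNTS),
            }
    return flagged


def find_logins_without_mfa(events):
    """Successful logins that completed with no second factor."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "SUCCESS" and e["mfa"] == "none"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, detail in find_credential_guessing(evs).items():
        print(f"credential guessing from {src}: {detail}")
    for user, src in find_logins_without_mfa(evs):
        print(f"login without MFA: {user} from {src}")
```

The two checks answer different questions: the first tells you someone is working through a password list against your gateway, and the second tells you whether a guessed password alone was enough to get in. Lowering the threshold or widening the window catches slower attempts at the cost of more noise; the MFA check needs no tuning, since any successful login with `mfa=none` is an account that should not have been reachable that way.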
For technology companies looking to combat rising cybercrime, it isn’t just about protecting themselves. At the end of the day, they’re responsible for the security of the products they develop and sell. Welcome to downstream risk.
In 2023, the MOVEit exploit changed the perspectives of many in the industry as far as how deep this risk can run. Of the more than 2,700 organizations that were impacted, many had never even touched the exploited software. For example, when an educational reporting non-profit that was using MOVEit was breached, it unwittingly exposed data from over 1,000 U.S. colleges, “downstream.”
The onus of responsibility is falling on the shoulders of tech companies with the Cybersecurity and Infrastructure Security Agency’s (CISA) “Secure by Design” recommendations, which ask that organizations take ownership of the security outcomes of their customers.
In 2024, CISA expanded its Secure by Design initiative with new guidance emphasizing memory-safe programming languages, adoption of Software Bills of Materials (SBOMs), and greater accountability for default security settings in software.
With heightened risk and heightened responsibility on the horizon, there’s never been a better time for technology companies to invest in their security controls and overall cybersecurity strategies.
Litigation under privacy laws such as the Biometric Information Privacy Act (BIPA) in Illinois and the California Consumer Privacy Act (CCPA) remained a risk concern for technology companies in 2024, while two much older – and arguably more expansive – laws have become more frequent targets for plaintiffs’ lawyers.
BIPA lawsuits have reportedly declined in volume due to improving compliance. The law has now been in effect for well over a decade, so organizations have had ample time to understand its implications, and a legislative amendment passed in 2024 clarified that repeated biometric data collections may count as a single violation per individual, thereby reducing the total potential fine amount in some cases. Nonetheless, companies collecting biometric data must continue to be vigilant in maintaining proper disclosures and consent procedures, as the potential for costly class-action lawsuits still exists.
Under the CCPA, litigation continued apace. In key cases, “unauthorized access” was interpreted by the court to include intentional data sharing with third parties — particularly in the context of online tracking technologies, like pixel trackers.
In 2022, “pixel” technology made headlines when reports cited that 30 percent of the top 100,000 websites sent customer data back to Meta, the parent company of Facebook, Instagram and WhatsApp. Long story short: unseen JavaScript code was transmitting personal information back to Meta for tracking and advertising purposes. This became a problem when it was revealed that one-third of the top 100 hospitals in the United States were sending patient data back to a third-party platform.
And it wasn’t just Meta’s pixel. Class action lawsuits have cited the use of other pixels, cookies, tracking technology, and analytics tools – anything that is allegedly collecting data and transmitting to a third party without user consent. Since then, the Federal Trade Commission and the U.S. Department of Health and Human Services Office for Civil Rights (OCR) have issued guidance regarding protecting private health data: “Companies not covered by HIPAA still have a responsibility to protect against the unauthorized disclosure of personal health information.”
In addition to regulatory risks for healthcare providers, plaintiffs have recently sued a variety of other types of companies over the collection of data under the federal Video Privacy Protection Act (VPPA), a 1988 law originally designed to protect video rental records that is now being applied to digital activity. Plaintiffs allege that companies' use of pixel tracking tools unlawfully shares users' video viewing data with third parties without consent.
Plus, as the boundaries of the CCPA become clearer through the results of the past four years of litigation, another strategy has become more popular for plaintiffs: using the 1967 California Invasion of Privacy Act (CIPA) for “trap and trace” claims involving web analytics and advertising trackers. Under this law, the violation does not have to have been a data breach – providing a clearer opening for lawsuits regarding intentional use of tracking technologies than the CCPA provides. And the potential penalties are significant, up to $5,000 per violation.
Together, these trends reflect a shifting legal landscape in which plaintiffs, regulators, and courts are scrutinizing how consumer data is collected, shared, and protected. For technology companies — and the insurers that help protect them — staying on top of these developments is key to minimizing liability and ensuring the adequacy of their Tech E&O and Cyber coverages.
As technology companies look for the right coverage options, they’ll most likely be asked about their data practices as regulations change by the day. Insurers want to know that consumers are getting the opportunity to opt-out of data collection, and that once their data is collected, it is being handled carefully.
That’s where an additional layer of privacy concerns comes into play. Once an informed consumer trusts an organization with their data, can they trust that it is doing everything in its power to protect it?
Again, technology companies are being asked to shoulder more responsibility when it comes to having adequate safeguards in place if an attack occurs. In 2020, a software company experienced a ransomware attack that impacted more than 13,000 companies. It did not disclose that threat actors had accessed sensitive data, such as bank account and social security information, which resulted in a number of fines and settlements totaling tens of millions of dollars in penalties.
Transparency extends beyond asking for users to opt-in. It also requires that organizations have the right controls and procedures in place so that if an attack happens, they can minimize the impact to their customers — and respond accordingly if sensitive data is stolen.
The cyber climate for technology companies is getting complicated. Fallout from scrutiny towards Big Tech, varying privacy expectations across states, and increasing liability concerns have made finding the right coverage more important — and more challenging. Here’s what you need to know as you explore Tech E&O coverage options this year:
At this point, most clients are aware of ad-tracking technology and the associated risks. But when it comes time to fill out Tech E&O applications, they should be well-informed on how they are storing data, if their privacy policies address any ad-tracking technology, and that their consumers can consent to the usage of these technologies.
Penalties for wrongful collection of data can be significant. As the adequate handling of sensitive information becomes increasingly important in the face of sweeping cybercrime, experienced brokers — and carriers — can be great assets to help clients understand exactly what risks they’re facing (and what they should do to mitigate their exposure).
With increased risk against the technology sector, certain organizations (like software companies) may face sweeping generalizations or exclusions when looking for coverage. That’s where specialization is key. Underwriters who are experienced in the industry will work with your clients and their unique challenges, rather than write them off because of those challenges.
Risks are evolving by the day. Underwriters who dedicate most of their time to Tech E&O and Cyber have unparalleled knowledge of the exposures your clients are facing. But it’s not just our underwriters who understand what the technology industry is facing; our in-house claims and Cyber Risk Services teams also have a vast knowledge of the complex regulatory and privacy landscape. This real-time input allows us to help our brokers and customers assess their risk.