Cyber Insurance and Open Source Risks
Losses from cyber attacks rose from USD 4 billion to USD 12 billion between 2020 and 2023. Insurers are responding: premiums are rising, requirements are tightening, coverage exclusions are increasing. For companies that do not have their open source supply chain under control, it is becoming increasingly difficult to remain insurable at all.
What insurers expect today
Cyber insurers increasingly scrutinise how a company manages its IT risks before concluding a contract. Typical requirements in the underwriting process include:
- Demonstrable vulnerability management with documented patch times
- Inventory of deployed software including open source components
- Governance structures for the software supply chain
- Incident response plans and their regular review
The OECD has noted in its analyses of the cyber insurance market that the insurability of cyber risks depends significantly on whether companies actively manage and reduce their risks. Those who cannot demonstrate this pay more — or receive no policy at all.
The blind spot: open source components
Most companies have hundreds of open source projects in their software supply chain. For these projects, there are no contractual partners, no SLAs, and no guaranteed response times. When a critical vulnerability appears in an open source component, the response time depends on whether a volunteer maintainer has the time and motivation.
From an insurer's perspective, this is an uncontrolled risk. And uncontrolled risks are difficult to insure.
OTTRIA does not replace insurance
This must be clear: OTTRIA is not an insurance product. We do not assume liability, we do not pay damages, and we do not replace a policy.
OTTRIA improves insurability
What OTTRIA does directly affects the factors that insurers assess:
- Patch times decrease. OTTRIA monitors all open source components in your SBOM, detects vulnerabilities — including those not registered as CVEs — and coordinates or creates fixes. This shortens the time between discovery and remediation.
- Risks are documented. Every detected vulnerability is assessed, every measure is logged. You receive audit-ready evidence that you can present to an insurer or auditor.
- Governance becomes demonstrable. Instead of "we take care of it", you can show: there is a structured process, a responsible service provider, and measurable outcomes.
- Abandonment risks are addressed. OTTRIA monitors the vitality of the projects in your SBOM. When a project becomes orphaned, action is taken — before it becomes a security problem.
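The "documented patch times" and "abandonment" evidence an underwriter asks about can be reduced to two metrics over an inventory and a findings log. The script below is an added example, not OTTRIA's code and not a description of its internal process: it computes mean time to remediate per severity, lists findings that exceed an internal patch SLA (still-open findings are measured up to the report date), and flags components whose last upstream release is older than a year. The inventory, the findings (identified by internal IDs, since not every finding has a CVE), the SLA values and the report date are all constructed for illustration; a real pipeline would read them from a CycloneDX or SPDX SBOM and a vulnerability tracker export.

```python
"""Patch-time and abandonment evidence from an SBOM-style inventory.

Added example, not OTTRIA code. All input data below is constructed.
"""
from datetime import date, timedelta
from statistics import mean

# Report date used for open findings and for the idle-project cutoff (constructed).
REPORT_DATE = date(2025, 12, 15)

# Constructed component inventory: name, version, date of last upstream release.
COMPONENTS = [
    {"name": "libexample-json", "version": "2.4.1", "last_release": date(2025, 9, 3)},
    {"name": "legacy-xmlparse", "version": "0.9.0", "last_release": date(2022, 1, 15)},
    {"name": "fastlog", "version": "5.1.0", "last_release": date(2025, 11, 20)},
]

# Constructed findings log: the two dates an insurer asks about are when a
# vulnerability was discovered and when the fix was deployed (None = still open).
FINDINGS = [
    {"id": "FINDING-0001", "component": "libexample-json", "severity": "critical",
     "discovered": date(2025, 10, 1), "remediated": date(2025, 10, 4)},
    {"id": "FINDING-0002", "component": "fastlog", "severity": "high",
     "discovered": date(2025, 10, 10), "remediated": date(2025, 10, 30)},
    {"id": "FINDING-0003", "component": "legacy-xmlparse", "severity": "high",
     "discovered": date(2025, 11, 1), "remediated": None},
]

# Assumed internal patch SLA in days per severity (constructed policy values).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def days_to_remediate(finding, today=REPORT_DATE):
    """Elapsed days from discovery to remediation, or to `today` if still open."""
    end = finding["remediated"] or today
    return (end - finding["discovered"]).days


def patch_time_report(findings=FINDINGS, today=REPORT_DATE):
    """Mean time to remediate per severity, plus every finding over its SLA.

    Each breach is (finding id, component, elapsed days, still_open).
    """
    by_severity = {}
    breaches = []
    for f in findings:
        elapsed = days_to_remediate(f, today)
        by_severity.setdefault(f["severity"], []).append(elapsed)
        if elapsed > PATCH_SLA_DAYS[f["severity"]]:
            breaches.append((f["id"], f["component"], elapsed, f["remediated"] is None))
    mttr = {sev: mean(values) for sev, values in by_severity.items()}
    return {"mttr_days": mttr, "sla_breaches": breaches}


def abandoned_components(components=COMPONENTS, today=REPORT_DATE, max_idle_days=365):
    """Names of components with no upstream release within `max_idle_days`."""
    cutoff = today - timedelta(days=max_idle_days)
    return [c["name"] for c in components if c["last_release"] < cutoff]


if __name__ == "__main__":
    report = patch_time_report()
    for sev, days in report["mttr_days"].items():
        print(f"MTTR {sev}: {days} days")
    for fid, comp, days, still_open in report["sla_breaches"]:
        state = "open" if still_open else "closed late"
        print(f"SLA breach: {fid} in {comp}, {days} days ({state})")
    for name in abandoned_components():
        print(f"No upstream release in a year: {name}")
```

Two design points matter for the evidence to hold up: open findings count against the SLA from the day of discovery rather than being left out of the average, so the report cannot look better by simply not closing tickets, and the abandonment check is a separate signal from the findings log, so a silent project is flagged before any vulnerability is reported against it.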
What does this mean for you?
The combination of rising cyber risks and tightened regulation (DORA, NIS2, CRA) makes cyber insurance more important than ever. At the same time, coverage is becoming harder to obtain. Insurers want to see that you actively manage your risks — including in the open source supply chain.
OTTRIA provides you with the operational foundation and evidence for this. Not as a replacement for your insurance but as a prerequisite for obtaining one — and keeping it.
Further reading
Want to improve your underwriting profile in the open source domain? Arrange an initial consultation with OTTRIA.