On a Friday afternoon, a minor update is pushed to production on your SaaS platform. This is not an intrusion: no hacker has breached your security perimeter. And yet, three hours later, your most critical clients are suffering direct financial losses because of a calculation error in a code loop. The situation looks like a routine technical incident, but it actually reveals a massive gap in your company's financial protection.
For many founders and finance leaders, cyber risk is reduced to the external threat of a hacker who locks your systems or steals your data. This perspective overlooks an operational reality that is far more frequent in high-growth companies: the liability linked to the very nature of your product. When defective code paralyzes a third party's business, you are not facing an attack but a claim against your professional liability. The difficulty is that, for a traditional insurer, these two situations belong to different worlds, even though for you they are two sides of the same technological coin.
The gray area between the bug and the attack
The distinction between a development error (a mistake made by your teams) and a malicious act (an intrusion by a third party) is foundational in the structure of insurance contracts. Traditionally, Professional Indemnity (PI) insurance, which covers your liability when a client blames you for an error in your service, handles damages caused by your faults, errors, or omissions. By contrast, Cyber insurance, which responds to a computer attack or data theft, focuses on damages suffered by your company or by third parties following an intrusion or the spread of malware.
The problem arises when a vulnerability in your code is exploited not by an attacker but by an unforeseen usage from the client, or simply by a logic failure. If your payment API executes the same transaction twice because of a concurrency issue in the code, is that a cyber incident or a service error? If your insurer's answer is vague, the risk of non-payment is absolute. Traditional brokers often struggle to read the complex business models of scale-ups because they try to fit your reality into pre-established categories. At Lesto, we think in the opposite direction of the market: we start with an analysis of the actual risks linked to your product before searching for, or building, the appropriate coverage.
Structural limits of standard contracts
Most insurance policies on the market contain exclusion clauses that can prove devastating for a tech company. A common exclusion concerns pure financial loss, meaning financial damage suffered by your client without any physical damage or injury occurring. For a software vendor, almost all damages caused to clients are of this nature. If your contract is not specifically designed to cover these financial losses linked to a code failure, the protection is illusory.
Another point of friction lies in the very definition of an incident. A standard cyber contract might require proof of a malicious intrusion before it is triggered. However, in the world of microservices architectures and continuous deployment, the boundary is porous. A security flaw that is never exploited by a hacker but causes a data leak through a simple configuration error can end up in a contractual blind spot. The coverage limit, the maximum amount the insurer will reimburse, must also be calibrated not on your turnover but on the maximum exposure of your largest clients. An undersized contract does not protect a growing company; it simply gives it a false sense of security until the incident occurs.
Insurance should not be a catalog of guarantees that you endure, but an extension of your technical risk management strategy.
The threat to directors' personal assets
Beyond the survival of the company, a software error or the poor management of a cyber crisis can reach individuals personally. This is where Directors and Officers (D&O) insurance comes into play: it protects your personal assets if a shareholder or an employee holds you personally liable. In the event of a sudden drop in valuation following a major technical incident or a poorly managed data leak, investors may blame founders or the CFO for negligence in setting up control processes.
This personal protection is too often disconnected from technological reality. A leader of a tech company must ensure that their personal coverage encompasses decisions made regarding cybersecurity and infrastructure choices. If the company's liability is engaged for a product defect, the individual responsibility of the corporate officers is never far behind. It is imperative to verify that the contracts work together and leave no legal vacuum in which your personal wealth could be exposed.
Building coverage adapted to the infrastructure
For a scale-up, insurance must be viewed as a risk partner that takes on a share of the exposure. This means your broker must be capable of understanding your technical stack and your contractual commitments, such as Service Level Agreements (SLAs). If you guarantee 99.9% availability to your clients, your insurance must account for the financial penalties you might have to pay in case of service interruption, even when the interruption does not result from hacking.
The deductible, the portion you keep at your own expense in the event of an incident, is also a strategic lever. In some cases, it is better to accept a higher deductible on small, frequent incidents in order to obtain much more robust coverage for systemic risks that could threaten the very existence of the company. This bespoke approach optimizes the insurance budget while ensuring that catastrophic scenarios are truly covered. A detailed analysis of your customer service agreements allows you to align your insurance terms with your actual obligations, preventing the company from finding itself paying indemnities that the insurer refuses to reimburse.
Toward proactive management of technological risk
Moving from a passive vision of insurance to a proactive approach requires constant dialogue between technical teams, financial teams, and your insurance partner. Code is not just an asset; it is a potential liability whose risk must be quantified and transferred wisely. By treating cyber risk not as an inevitability linked to malice but as an intrinsic component of software production, you strengthen the resilience of your organization.
The ultimate goal is to transform insurance, often perceived as an obscure cost center, into a lever of trust for your clients and your investors. A company that knows exactly how it is covered, whether facing a group of hackers or an internal logic error, is a company that can accelerate without fear. In the end, the strength of your coverage depends less on the name of the insurer than on the precision with which your specific risks have been translated into contractual clauses.
If you wish to audit your current contracts to check whether they truly cover the gray area between bugs and hacking, we can analyze your specific risks and build together a protection that will not fail you at the critical moment.
Tags
- #Cyber insurance
- #Professional Indemnity
- #Tech
- #Risk management
- #CFO

Sami Zarzour
Co-founder, Lesto
Sami is a co-founder of Lesto. He writes about insurance brokerage, business risk management, and the transformation of the industry.