Any technology company that develops software as part of its solution (IoT firmware, applications, customer portals) can have risk built into that software. Most cyber strategies focus on defending against and reacting to attacks.
Most companies do not look at the risk in the open-source components their developers use to build an application.
A cyber compliance or assurance review should include a layer that looks at the code, where that is relevant to the organisation seeking insurance. We can produce a report listing every component of the application, how each component is licensed (a separate risk you may also want to look at) and whether it has known security vulnerabilities.
Panama Papers: Mossack Fonseca's systems were riddled with security flaws. For instance, Wired UK noted that the firm's client portal was vulnerable to the DROWN attack, which uses a server's support for the obsolete and insecure SSLv2 protocol to decrypt TLS sessions protected by the same RSA key.
OpenSSL:
A company that has processes in place to see vulnerabilities in its components as they are disclosed, and to fix them within a defined SLA, is a better insurance bet. If your client supplies software as part of its solution to customers, it would be open to legal action if that software is compromised.
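As an added example, not code from the original page or from any tool the author uses, the following Python script shows what the component, licence and vulnerability report described earlier looks like when combined with the SLA check from the last paragraph. The component inventory (the kind of list an SBOM tool would emit), the advisory list, the version ranges, the SLA durations and the licence review policy are all constructed for illustration: ADV-0001 to ADV-0003 are not real advisories and the package names are not real projects.

```python
"""Minimal software-composition report: components, licences, known vulnerabilities
and remediation SLA status. All inputs below are constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str          # SPDX identifier, as an SBOM would record it


@dataclass(frozen=True)
class Advisory:
    id: str               # hypothetical identifier, not a real CVE
    component: str
    introduced: str       # first affected version, inclusive
    fixed: str            # first fixed version, exclusive; "" if no fix exists
    severity: str         # critical / high / medium / low
    published: date


# Hypothetical remediation SLA, in days from advisory publication, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Hypothetical policy: licences whose obligations a distributor of firmware or
# a hosted product usually wants flagged for legal review.
REVIEW_LICENSES = {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(text):
    """'1.2.3-beta' -> (1, 2, 3); non-numeric suffixes ignored, padded to 3 parts."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(component, advisory):
    """True if the component's version falls in [introduced, fixed)."""
    if component.name != advisory.component:
        return False
    v = parse_version(component.version)
    if v < parse_version(advisory.introduced):
        return False
    if advisory.fixed and v >= parse_version(advisory.fixed):
        return False
    return True


def build_report(components, advisories, today):
    """Return (vulnerability findings, licence findings) for the inventory."""
    vulns = []
    for c in components:
        for a in advisories:
            if is_affected(c, a):
                due = a.published + timedelta(days=SLA_DAYS[a.severity])
                vulns.append({
                    "component": f"{c.name} {c.version}",
                    "advisory": a.id,
                    "severity": a.severity,
                    "fix_available": bool(a.fixed),
                    "due": due,
                    "overdue": today > due,   # SLA breached as of 'today'
                })
    licences = [{"component": f"{c.name} {c.version}", "license": c.license}
                for c in components if c.license in REVIEW_LICENSES]
    return vulns, licences


# Constructed sample inventory and advisories (not real packages or CVEs).
SAMPLE_COMPONENTS = [
    Component("libtlsdemo", "1.2.3", "Apache-2.0"),
    Component("jsonparse", "2.0.0", "MIT"),
    Component("netshim", "0.9.1", "GPL-3.0-only"),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "libtlsdemo", "1.0.0", "1.2.4", "critical", date(2024, 1, 1)),
    Advisory("ADV-0002", "jsonparse", "1.0.0", "2.0.0", "high", date(2024, 1, 10)),
    Advisory("ADV-0003", "netshim", "0.9.0", "", "medium", date(2024, 1, 20)),
]


def demo(today=date(2024, 2, 1)):
    """Run the report over the constructed sample as of a fixed date."""
    return build_report(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES, today)


if __name__ == "__main__":
    vulns, licences = demo()
    for f in vulns:
        status = "OVERDUE" if f["overdue"] else "within SLA"
        fix = "fix available" if f["fix_available"] else "no fix yet"
        print(f'{f["component"]}: {f["advisory"]} ({f["severity"]}, {fix}) due {f["due"]} {status}')
    for l in licences:
        print(f'{l["component"]}: licence {l["license"]} needs review')
```

Two details matter for an insurer reading such a report: a finding is only raised when the installed version sits inside the advisory's affected range (jsonparse 2.0.0 is the first fixed version, so ADV-0002 is not reported), and the SLA clock starts at publication, not at the date the scan was run, so a component that has sat unpatched for a month shows as overdue even on the first scan.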