I received the below email from a friend of mine today.
How are old copiers / network devices being handled with regard to cybersecurity + insurance?
They can be disastrous. There's a lot of "it depends," but there are plenty of examples of copiers and multi-function devices being exploited by us when we do penetration testing. Everything from insecure protocols being used, dated and vulnerable software, even to how many automatically store in their memory anything scanned/copied. Then when it's serviced by a third-party tech, he/she often just swaps the logic board (which contains the memory) and walks off with tons of sensitive data. Is it the top risk to most orgs? Definitely not, but it's often a neat one to bring up since most orgs aren’t even thinking of it. We have not heard cybersecurity insurers ask about them from an insurance perspective.