Technology businesses in Canada are expanding at a rapid rate. According to a survey by Canadian Business, the income of the country’s technology companies increased by an astonishing average of 709.02% between the years 2013 and 2018. However, as these technology companies rapidly develop one innovation after another and expand their businesses, the number of hazards that they confront is also increasing.
As a result of this, cyber insurance-focused MGA Ridge Canada has announced a new technology errors and omissions (E&O) insurance product, which complements the other cyber insurance services that it provides.
Insurance Business spoke with Cindy Manek, senior vice president of technology professional liability at Ridge Canada, to learn more about the new offering. She explains how the product differs from cyber liability insurance and comments on the recent wave of cybercriminal operations targeting technology vendors, which ultimately affects the businesses of those vendors' customers.
IB: Ridge Canada has just introduced its brand new technology E&O product. How would you characterize the state of tech E&O in Canada?
CM: The marketplace for technology errors and omissions (E&O) and cyber liability continues to be in a transitional period between a soft market and hard market conditions, with a tilt toward the more difficult aspect of it. This shift in market conditions has had an impact on the technology industry, and all available evidence suggests that the market will continue to behave in this way for at least the next several years. These market conditions have been brought about by a number of issues, the most important of which are excessive pricing and extensive coverage terms on the cyber front of the packaged insurance, rising claims, and the effects that the COVID-19 pandemic has had on the economy. We have noticed a significant increase in demand for capacity, and a significant proportion of accounts are currently being remarketed, which is leading to an ever-increasing number of excess requirements.
IB: Could you please explain the distinction between technology E&O insurance and cyber liability insurance?
CM: Errors and omissions in technology might include allegations of negligence, breach of contract, breach of an implicit statutory provision, and violation of a guarantee. The failure to prevent unauthorized access to data, which ultimately results in a breach of privacy, is what the cyber liability encompasses. When it comes to technology service providers, the boundary between tech E&O and cyber liability is extremely thin and ambiguous.
IB: Please explain how one type of insurance package complements another.
CM: Because of the nature of their services, technology service providers have wider access to the systems and data of other entities in general. Because a data breach is not always the result of an error or misrepresentation made by the innovation network operator, but it does disclose third party data that is in their care, custody, and control, the cyber liability needs to cover both scenarios where it could be recklessness, or simply the wireless carrier beginning to experience a cyber event themselves, exposing the data of others, which would then result in a possible third-party lawsuit. This is because a cyber attack does introduce third party data that is in their care, custody, and control. They are written together on a bundled policy with a shared aggregate maximum for this reason, in addition to the interaction that exists between the two different types of liability coverage.
IB: Cybercriminals have started targeting technology vendors more frequently in recent months in an effort to disrupt the supply chain of their more significant customers. What steps can suppliers take to safeguard both themselves and their customers from the threat posed by ransomware and data breaches?
CM: They need to understand the risks and implications of the products they are placing or selling into their client’s transportation system, ensure that they can configure or fully implement all that suitably, and then keep on going to configure the authentication scheme in accordance with those risks and potential ramifications. They need to ensure that they understand the specific risk that is applicable to their individual client and should avoid trying to offer everything to everyone. Not only do they need to protect themselves with robust cyber hygiene measures, but they also need to ensure that they defend themselves. Not only is it necessary for them to implement multi-factor authentication for any remote access that is initiated from outside their network by workers, including third parties, but they also need to do so for any access to privileged accounts. Meanwhile, a configuration management policy that makes sure critical patches are implemented within 14 days, weekly segregated and offline backups that are checked at least once every quarter, an aided NexGen EDR tool, and an incident response plan that is tested for ransomware incidents on an annual basis are all thought to be required.