Canada’s tech companies are growing – fast. Canadian Business reported that from 2013 to 2018, the nation’s tech companies grew their revenue by an impressive average of 709.02%. But as these tech companies quickly produce innovation after innovation and grow their businesses, the number of risks they face is also increasing.
This is why cyber insurance-focused MGA Ridge Canada recently launched a new technology errors & omissions (E&O) insurance product, which complements its other cyber insurance offerings.
To learn more about this new offering, Insurance Business spoke with Cindy Manek, senior vice president of technology professional liability at Ridge Canada. Not only does she explain how the product differs from cyber liability insurance, but she also has a thing or two to say about the recent rash of cybercriminal activity targeting tech vendors, which ultimately impacts the vendors’ business clients.
IB: Ridge Canada recently launched its new technology E&O offering. How is the tech E&O landscape in Canada?
CM: At present, the technology errors and omissions (E&O) and cyber liability marketplace continues to be in a transitional phase from a soft market to hard market conditions, leaning towards the hardest part of it. The tech sector has been affected by this change in market conditions, and all current indications are that these conditions will last for the next few years. These market conditions have been driven by numerous factors, but most notably unsustainable pricing and broad coverage terms on the cyber front of the packaged policy, increased claims, and the impacts on the economy from the COVID-19 pandemic. We have seen an important need for capacity, and a large portion of accounts are being remarketed, creating more and more excess requirements.
IB: What is the difference between technology E&O and cyber liability insurance?
CM: Technology errors & omissions can cover breach of a warranty, breach of contracts, breach of an implied statutory term and allegation of negligence. The cyber liability covers failure to prevent unauthorized access to data, resulting in a privacy breach. There is a very fine line between tech E&O and cyber liability for technology service providers.
IB: How does one insurance product complement the other?
CM: Technology service providers have greater access to others’ networks and data in general because of the nature of their services. Because a data breach isn’t always a result of an error or omission from the technology service provider, but does expose third-party data which is in their care, custody and control, the cyber liability needs to cover both scenarios where it could be negligence, or simply the service provider experiencing a cyber event themselves, exposing data of others, which would then result in a potential third-party lawsuit. For that reason, and the interrelationship between the two liability coverages, they are written together on a packaged policy with a shared aggregate limit.
IB: Cybercriminals have been increasingly targeting tech vendors in an attempt to disrupt the supply chain of their bigger clients. What can vendors do to properly protect themselves and their clients from data breaches and ransomware?
CM: They need to understand the risks and implications of the products they are placing/selling into their client’s infrastructure, ensure that they can configure or implement everything properly and then continue to configure security architecture accordingly. They don’t only need to protect themselves with strong cyber hygiene controls, but they need to ensure they understand the specific risk applicable to their specific client and not try to sell all things to all people. In terms of their own protection, they need to have MFA enabled for any remote access originating from outside their network by employees and third parties but also for any privileged account access. Furthermore, weekly segregated and offline backups that are at least tested quarterly, a patch management policy that includes critical patches being implemented within 14 days, NexGen EDR tool enabled, and an incident response plan that has been tested for ransomware incidents on an annual basis would be considered necessary.