In less than a decade, security leadership’s view of cyber liability insurance has drastically shifted, from considering insurance as something that might be nice to have, to a core part of the corporate business.
That shift has been driven by the escalation of risk during the past three years: the COVID-19 pandemic, unrelenting ransomware attacks on hospitals and other critical infrastructure, and the risks posed by the ongoing war in Ukraine.
In this episode of the Nexus podcast, David Elfering, senior vice president at Marsh, a global insurance broker and risk management company, joins to discuss the current state of cyber insurance. A longtime figure in information security, Elfering recalls a time not long ago when a $200,000 spend on cyber insurance bought upwards of $10 million in coverage, bundled with forensics or incident response services.
“That’s how we talked about it. We didn’t think much about the transference of risk to somebody,” Elfering said. “Now you go fast forward to today and the last three years have been a really tough time from a risk perspective. I think that’s where now we see the intersection of it’s not if something will happen, it’s when.
“Everybody is looking around the world and saying we should be covered, we need some assurance. So risk management to me is the process of removing doubt … about what our real posture is,” he continued. “Similarly, cyber liability coverage and other coverages are viewed as something we really need to have as part of our corporate business. For key partners, they are probably asking you, if not demanding, if you have this coverage.”
In this discussion, Elfering covers what can sometimes be contentious discussions about qualifications and controls that must be implemented in order to be eligible for coverage, in addition to policy exclusions. Marsh, for example, publishes a list of 12 controls, some of which are a minimum requirement across carriers when considering an organization’s potential insurability; those include basic blocking-and-tackling controls such as multifactor authentication, secured backups, endpoint detection and response, incident response planning and testing, and more.
Ransomware, meanwhile, remains the biggest driver for organizations seeking coverage, and that includes ransomware hitting core supply chain dependencies, where an outage at a provider threatens the dependent organization’s business continuity.
“If you have a core dependency on ransomware, and that provider (is hit with ransomware), they’ve just transferred their poor practices and passive risk retention directly to you. Now it’s in your bucket,” Elfering said. “You’re undergoing a business outage. Well that’s fine, eventually, 90 days, six months, a year. And in the meantime, you can’t operate.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.