David Elfering has had a unique career journey as a longtime enterprise security leader and as a security and risk executive at one of the world’s largest insurance carriers. Now back in the CISO chair at Carrix, a critical supply chain provider for the transportation industry, Elfering has amassed a wealth of lessons related to cyber liability insurance, which is a key component of any company’s risk reduction strategy.
In this episode of the Nexus podcast, Elfering returns for his second discussion on cyber insurance and shares those lessons, along with his invaluable insights for CISOs around how carrier cybersecurity requirements align with risk reduction, some of the red flags that can imperil coverage or claims, and how cyber insurance providers are looking at geopolitical conflict.
“My view on cyber insurance used to be: ‘Let's just get this as a failsafe because if everything goes to heck and a handbasket, we've got some backup here. We've got some financial reserves to fall back on,’” Elfering said. “Maybe we thought of it as a piggy bank. Something is going to go tremendously wrong, and we're pretty sure it's going to go wrong, and we got a piggy bank or rainy day fund and thereby we didn't really manage that risk.”
Elfering said his perspective has changed: he now focuses on how much risk an organization can tolerate, weighed against the outcomes it expects over a given period of time.
“Do we expect something to happen highly likely within the next year and if so, what is the potential impact to the organization, and let's align security and our services in proportion to the importance of these things,” he said. “I'm not just thinking of it as a piggy bank. I'm thinking of insurance as… it's not the only thing we do, but we have to have discussions around our posture and assess ourselves. Look very clearly at ourselves and also at the risks and talk to the business about those things, rather than just managing security stuff and then we have this policy and we fall back on it.”
Also in this discussion, Elfering defines and discusses insurability from a carrier’s perspective, the substantial and subtle differences between carriers, and whether their expectations properly align with enterprise risk reduction strategies. He also points out some red flags, including end-of-life technology and unsupported operating systems still in production, that may imperil an enterprise’s hopes for comprehensive coverage from a carrier.
“You're going to have them; every company has some of that somewhere, yet do you have a story around it? How are you securing it? What's your plan for it?” Elfering said, adding that carriers want to understand any compensating controls in place—such as domain account inventory, privileged account management, logging, and 24/7/365 monitoring—that could fill in a glaring security gap that might make a carrier uneasy.
“Your amount of coverage might be fairly low, and so those gaps are going to matter a lot in terms of red flags,” Elfering said.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.