Federal cybersecurity leaders argued against the effectiveness of cyber insurance as a way to alleviate financial burdens associated with ransomware attacks during a hearing of the House Homeland Security Committee’s panel on intelligence and counterterrorism on June 28.
During her opening remarks at the hearing, Rep. Elissa Slotkin, D-Mich., urged that critical infrastructure providers consider getting cyber insurance to help deal with the impact of ransomware attacks that may be launched against them. At the same time, she acknowledged that utilizing insurance policies to pay ransoms and re-establish systems after a cyberattack remains an uncertain prospect for organizations that have fewer resources.
“We know that small and medium-sized businesses, small and medium-sized governments, don’t have firms to take care of everything for them, and that not everyone can afford cybersecurity insurance, which is something I encourage all leaders to look into,” Rep. Slotkin said.
Federal government cybersecurity experts testifying before the subcommittee pushed back against the congresswoman’s promotion of cyber insurance options.
Iranga Kahangama, assistant secretary for cyber, infrastructure, risk, and resilience policy at the Department of Homeland Security’s (DHS) Office of Strategy, Policy, and Plans, highlighted how taking out a cyber insurance policy could make organizations a more attractive target for cybercriminals.
“They will do their market research on victims who can afford to pay, and they will look at people who have cyber insurance to see if they are more susceptible to paying [the ransom],” Kahangama said.
Matt Hartman, the Cybersecurity and Infrastructure Security Agency’s (CISA) deputy executive assistant director for cybersecurity, agreed with Kahangama, and identified basic cybersecurity measures that organizations should implement proactively. He also stressed the importance of contacting CISA for help.
“We routinely engage with [state, local, tribal, and territorial government] partners, including [at] events specifically for governors and county leaders, as well as the private sector. [We also] continue to release cyber alerts containing technical details and mitigation measures,” Hartman said.
Hartman explained that combating ransomware has been a top priority for the Biden-Harris administration, and that CISA works across Federal agencies to improve collective defense, and with the private sector to ensure it has the tools to detect, disrupt, and investigate cybercriminals.
“Our approach to cybercrime must be multi-pronged. We must pursue a comprehensive strategic approach that prioritizes close partnerships with law enforcement, both domestic and foreign, as well as the private sector,” said Hartman.
An example of this, according to Hartman, is CISA’s 2021 cyber awareness campaign – known as “Reduce the Risk of Ransomware” – which promoted resources and best practices to mitigate the risk of ransomware and focused on supporting COVID-19 response organizations, K-12 educational institutions, and state and local governments.
Kahangama also highlighted DHS’ global network of 44 Secret Service-led Cyber Fraud Task Force (CFTF) organizations as another part of the push to combat ransomware attacks. The CFTF partners with state, local, tribal, and territorial governments, foreign law enforcement agencies, the private sector, and academia to share information and conduct joint investigations.