The jury is still out on how using insurance policies to pay ransoms and re-establish systems after a cyberattack affects critical infrastructure organizations’ individual and collective resilience.
Rep. Elissa Slotkin, D-Mich., urged critical infrastructure entities to consider getting cyber insurance in preparation for ransomware attacks, even as she acknowledged that may be challenging for those with fewer resources.
“We know that small and medium-sized businesses, small and medium-sized governments, don't have firms to take care of everything for them,” she said, opening a hearing of the House Homeland Security Committee’s panel on intelligence and counterterrorism Tuesday. “Not everyone can afford cybersecurity insurance, which is something I encourage all leaders to look into.”
Slotkin chairs the subcommittee. Her comments come amid concerns from her constituents, whom she addressed in a field hearing held in her state, and as the Government Accountability Office reports limitations of both the private cyber insurance industry and the Treasury Department’s Terrorism Risk Insurance Program in addressing the potential cascading impacts of a cyberattack.
GAO suggested Treasury work with the Cybersecurity and Infrastructure Security Agency (CISA) in reporting to Congress on the merits of establishing a federal cyber insurance program.
Testifying before the subcommittee, cybersecurity officials from the Department of Homeland Security did not endorse Slotkin’s framing of current cyber insurance options as an unqualified benefit for organizations.
“A few years ago, one of our local infrastructure authorities ended up paying $25,000 in ransom to unlock their internal communication system. Responding to that attack, in addition, cost them $2.4 million,” Slotkin said, contextualizing a question for Matt Hartman, CISA’s deputy executive assistant director for cybersecurity. “Luckily, the attack did not disrupt our power grid or our water distribution networks, and they had insurance that provided protection against network disruption.”
Slotkin gave another example, saying of a small town that received a ransom demand of $40,000, “luckily, they had insurance or else that would have been borne by a local government that just cannot afford it.”
“There are many organizations who do not have that insurance, who do not have that cushion … Tell us what you can do for our smallest businesses and who do they call the minute they walk into work and there's a problem?” she asked.
Hartman identified basic cybersecurity measures organizations should implement proactively and stressed the importance of contacting CISA.
Also testifying before the subcommittee, Iranga Kahangama, assistant secretary for cyber, infrastructure, risk and resilience policy at DHS’ Office of Strategy, Policy and Plans, said taking out a cyber insurance policy could even make organizations a more attractive target for cyber criminals.
“They will do their market research on victims who can afford [a ransom],” Kahangama said, also listing other factors such as figuring out the perfect time for an attack—when organizations most need their systems. “They will look at people who have cyber insurance to see if they are more susceptible to paying [the ransom].”