Federal cybersecurity leaders argued against the effectiveness of cyber insurance as a way to alleviate financial burdens associated with ransomware attacks during a hearing of the House Homeland Security Committee’s panel on intelligence and counterterrorism on June 28.
During her opening remarks at the hearing, Rep. Elissa Slotkin, D-Mich., urged that critical infrastructure providers consider getting cyber insurance to help deal with the impact of ransomware attacks that may be launched against them. At the same time, she acknowledged that utilizing insurance policies to pay ransoms and re-establish systems after a cyberattack remains an uncertain prospect for organizations that have fewer resources.
“We know that small and medium-sized businesses, small and medium-sized governments, don’t have firms to take care of everything for them, and that not everyone can afford cybersecurity insurance, which is something I encourage all leaders to look into,” Rep. Slotkin said.
Federal government cybersecurity experts testifying before the subcommittee pushed back against the congresswoman’s promotion of cyber insurance options.
Iranga Kahangama, assistant secretary for cyber, infrastructure, risk, and resilience policy at the Department of Homeland Security’s (DHS) Office of Strategy, Policy, and Plans, highlighted how taking out a cyber insurance policy could make organizations a more attractive target for cybercriminals.
“They will do their market research on victims who can afford to pay, and they will look at people who have cyber insurance to see if they are more susceptible to paying [the ransom],” Kahangama said.
Matt Hartman, the Cybersecurity and Infrastructure Security Agency’s (CISA) deputy executive assistant director for cybersecurity, agreed with Kahangama, and identified basic cybersecurity measures that organizations should implement proactively. He also stressed the importance of contacting CISA for help.
“We routinely engage with [state, local, tribal, and territorial government] partners, including [at] events specifically for governors and county leaders, as well as the private sector. [We also] continue to release cyber alerts containing…