Those are the questions
Congress has also been busy tackling the issue of cyberattacks and the role the insurance industry is playing in trying to protect vulnerable businesses. The Senate Judiciary Committee recently held a hearing specifically on how best to prevent and respond to ransomware attacks. Those attacks involve hacking a computer system, stealing and encrypting the data, and then demanding a ransom for its release.
Witnesses at the hearing included various officials with the Justice Department, the FBI, the Cybersecurity and Infrastructure Security Agency, and the U.S. Secret Service. One of the first questions was whether there should even be cyber insurance, under the theory that if the crime is insured, it will only guarantee a payout to the crooks. The FBI’s Assistant Director of its Cyber Division, Bryan Vorndran, was careful in his response, saying it was a legitimate question and discussion to have, and that the crooks and the special negotiators who represent hacked businesses trying to get their data back do indeed discuss whether there is insurance to cover the financial loss or payout. Vorndran said, however, that he would not make such ransomware payments illegal, because doing so would discourage businesses from reporting the crimes to the FBI, something that is crucial and needs to be encouraged.
The Secret Service testified that the best way to reduce ransomware attacks is to reduce the profit motive by beefing up detection and better coordinating national and international efforts to investigate and prosecute the criminals. There was consensus expressed throughout the hearing on the need for a public-private solution to cyberattacks and the need for mandatory reporting of attacks that occur in both the public and private sectors. Reporting has increased in the pipeline sector since the May 7 Colonial Pipeline attack, due to TSA security directives requiring it.
There are several bills in play in Congress that have various forms of mandatory reporting of cyberattacks:
The International Cybercrime Prevention Act of 2021, which among its provisions would use current RICO laws to toughen penalties.
The Cyber Incident Notification Act of 2021, by Senator Warner (D-VA) and Senator Rubio (R-FL), which would mandate cyberattack reporting for government agencies, their contractors, and companies involved in critical infrastructure impacting national security.
The DHS Industrial Control Systems Capabilities Enhancement Act of 2021, which would make the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency responsible for maintaining capabilities to identify threats to the nation’s industrial control systems.
The Sanction and Stop Ransomware Act, by Senator Rubio (R-FL) and Senator Feinstein (D-CA), designed primarily to strengthen the cybersecurity of critical infrastructure and to target foreign governments that knowingly provide safe haven for cyber criminals.
Insurance industry representatives have been meeting with the public-private Ransomware Task Force, sharing data and collaborating on potential solutions. The question of whether ransomware payments should be prohibited was considered in the Task Force’s report, but there was no consensus, only that such payments should be discouraged at this time.
LMA Newsletter of 8-9-21