WASHINGTON, D.C. — Today, House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) delivered the following opening statement in a hearing to examine the United States’ critical-infrastructure vulnerabilities and the role cyber insurance plays in planning, response, and recovery efforts.

Watch Subcommittee Chairman Garbarino’s opening statement.

As prepared for delivery:

Let’s imagine some scenarios for our critical infrastructure: Our electrical grid goes down. Our hospitals are taken offline. Our water systems are shut down indefinitely. We’re unable to make transactions.

Each of these scenarios is nothing short of catastrophic for our economy and for our national security interests, especially if we do not know how quickly they can be resolved. From healthcare to banking, we depend on each of these sectors daily, such that it may seem unfathomable to have one of these sectors go down. However, rapidly evolving tactics in cyberspace heighten the possibility of their occurrence each and every day.

Recognizing the widespread damage that these events would cause, our public and private sectors must be prepared to respond quickly, effectively, and collaboratively.

To do this, entities must know who to go to, how much of the damage they will be responsible for covering, and what assistance will be available to them. This will help them develop a proactive recovery plan before a major attack occurs, rather than scrambling when they are at their most vulnerable point.

Given the nature of threats is changing and impacts vary, the cyber insurance industry is critical to determining how nimble we can respond. This is a challenge today because absent a major attack, our standards for coverage are still being defined.

However, we should have hope: with clearer expectations for cyber insurance coverage, there is promise for mitigating risks to individual companies and broader society. For example, cyber insurance providers can help cover the financial cost of a cyberattack, much like any other form of insurance. We can also build off the work firms are already doing. Currently, many firms provide cyber analytics for covered companies, and look for potential vulnerabilities in advance of a cyberattack. Some also provide legal defense for any compromised data, while others have best practices and recommendations for resiliency that they provide to clients.

We are here today to dig into these issues by exploring a range of scenarios to think through the development of standards. We must start with the basics by understanding what cyber insurance is and what is currently covered under a range of circumstances. This will inform our discussion about what should be covered.

The U.S. government also plays a pivotal role in responding to major cyberattacks on our critical infrastructure. Private sector companies cannot be expected to handle the impact of nation-state attacks alone.

Although we do not have our federal partners present today, I hope that we can have a robust discussion about existing federal mechanisms for incident response in a major attack. This will help us understand where our private sector partners might need more help, and where we can strengthen and clarify our lines of communication within public-private partnerships.

We have a unique opportunity to revisit incident response for critical infrastructure, given federal action that has unfolded in recent months. For example, as this subcommittee examined last month, CISA will begin to work on the final CIRCIA rule soon, which aims to create a proactive, federal standard for incident reporting.

Additionally, the recent release of National Security Memorandum-22 (NSM-22) reaffirmed the 16 critical infrastructure sectors and has now kickstarted the rewrite of Sector-Specific Plans for Sector Risk Management Agencies (SRMAs). These have not been updated in almost 10 years, despite a dramatically different threat landscape. The new Sector-Specific Plans will feed into CISA’s development of the 2025 National Infrastructure Risk Management Plan. This hearing is a good opportunity to examine how SRMAs manage collective risk, and how CISA executes its role as National Coordinator.

I want to thank our witnesses for being here to help us understand the complex cyber threat landscape against our critical infrastructure sectors, and how the cyber ecosystem—government, owners and operators, insurance providers, and others—can improve their coordination and collaboration.

My goal is for us to leave this hearing with a better grasp of what is working well among these partners, and where we need to improve our relationships and response processes.

###