Printed from BusinessInsurance.com

Lawmaker questions CNA’s reported ransom payment

Posted On: Jun. 4, 2021 1:36 PM CST

Ransomware

House Oversight and Reform Committee Chairwoman Carolyn Maloney on Thursday wrote to CNA Financial Corp. raising concerns over the insurer’s reported $40 million payment to hackers to end a ransomware attack on its systems.

“I am concerned that the decision to pay the cybercriminal actors sets a dangerous precedent that will put an even bigger target on the backs of companies at risk for ransomware attacks going forward,” the New York Democrat said in a letter to the insurer’s CEO Dino Robusto.

The alleged payment, which CNA last month declined to confirm, is the latest example of a company paying millions of dollars in ransom to cybercriminals without any public disclosure, Rep. Maloney said.

“Congress needs detailed information about ransom payments that companies like CNA made to cybercriminal actors to legislate effectively on ransomware and cybersecurity in the United States,” she said.

Rep. Maloney sent a similar letter to Colonial Pipeline CEO Joseph Blount over the company’s $4.4 million payment to hackers last month.

The Congresswoman asked the companies to provide all documents and communications related to the attacks, including communications about any ransom payments.

In a statement, CNA said it is reviewing the letter from Rep. Maloney.

“While our investigation is still ongoing, CNA is confident that the attack has been successfully contained and we are operating normally. We support Congress in their efforts to understand and identify appropriate solutions to the growing threat of ransomware attacks,” the statement said.