119 S245 RS: Insure Cybersecurity Act of 2025 U.S. Senate 2025-06-09 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

IICalendar No. 90119th CONGRESS1st SessionS. 245[Report No. 119–28]IN THE SENATE OF THE UNITED STATESJanuary 24, 2025Mr. Hickenlooper (for himself and Mrs. Capito) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and TransportationJune 9, 2025Reported by Mr. Cruz, without amendmentA BILLTo require the Assistant Secretary of Commerce for Communications and Information to establish a working group on cyber insurance, to require dissemination of informative resources for issuers and customers of cyber insurance, and for other purposes.

1.

Short title

This Act may be cited as the Insure Cybersecurity Act of 2025.

2.

Definitions

In this Act:(1)

Assistant Secretary

The term Assistant Secretary means the Assistant Secretary of Commerce for Communications and Information.(2)

Critical infrastructure

The term critical infrastructure has the meaning given the term in subsection (e) of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c). (3)

Customer

The term customer means an individual or organization that purchases cyber insurance from an issuer. (4)

Cyber incident

The term cyber incident has the meaning given the term incident in section 3552(b) of title 44, United States Code. (5)

Cyber insurance

Subject to section 3(c)(1)(A), the term cyber insurance means an insurance policy that includes coverage for losses, damages, and costs incurred due to cyber incidents. (6)

Issuer

The term issuer means an organization that issues cyber insurance.(7)

Policy

The term policy means a policy for cyber insurance.(8)

Small business

The term small business has the meaning given the term small business concern in section 3 of the Small Business Act (15 U.S.C. 632).(9)

Working group

The term working group means the working group established under section 3(a).

3.

Working group on cyber insurance

(a)

Establishment

Not later than 90 days after the date of enactment of this Act, the Assistant Secretary shall establish a working group on cyber insurance.(b)

Composition

(1)

Membership

The working group shall be composed of the following members: (A)Not less than 1 member from each of the following:(i)The Cybersecurity and Infrastructure Security Agency.(ii)The National Institute of Standards and Technology.(iii)The Department of the Treasury.(iv)The Department of Justice. (v)The Federal Trade Commission.(B)Not less than 1 State insurance regulator with expertise regarding cybersecurity and cyber insurance.(2)

Chairperson

The Assistant Secretary shall be the chairperson of the working group.(c)

Activities

(1)

In general

The working group shall carry out the following activities:(A)For the purposes of the activities of the working group, define the term cyber insurance in a manner that is different from the definition of that term under section 2(5), if the working group determines that such a modified definition is necessary.(B)Analyze and explain in a manner understandable to customers the technical and legal terminology commonly used in policies.(C)Analyze and explain in a manner understandable to customers how provisions in policies correspond to common types of cyber incidents, including those involving ransomware.(D)Analyze and explain in a manner understandable to customers how provisions in policies correspond to common customer responses to cyber incidents, including with respect to system recovery and potential ransom payments.(E)Analyze and explain in a manner understandable to customers the terminology used in policies to include or exclude coverage for losses due to cyber incidents.(F)Analyze and explain in a manner understandable to customers the constraints faced by issuers in covering higher amounts of losses and cyber risk areas, such as reputational damage and the loss of intellectual property.(G)Develop information for customers on ways to effectively evaluate the types and levels of coverage offered under a policy.(H)Develop information for issuers, agents, and brokers regarding how to provide and communicate policy provisions that are clear and easy to understand for customers.(I)Gather input from issuers on what measures could improve the ability of those issuers to offer additional coverage under policies, including— (i)improvements to their actuarial data and cyber risk data; (ii)the development of effective information sharing mechanisms; and (iii)accurate measurement of the cybersecurity practices of customers.(J)Identify what measures could reduce the cost of policies and reduce the amount of cyber risk and the number of cyber incidents.(K)Develop recommendations for customers on how best to use cyber insurance and the benefits of doing so. (2)

Consultation

In carrying out the activities of the working group under paragraph (1), the working group shall consult with the public in an open and transparent manner, including by consulting with the following stakeholders:(A)Issuers.(B)Insurance agents and brokers with experience in the sale and distribution of cyber insurance.(C)Representatives of business customers from multiple sectors and representatives of small businesses.(D)Academia.(E)State insurance regulators with expertise regarding cybersecurity and cyber insurance.(F)Owners and operators of critical infrastructure.(G)Other individuals or entities with cybersecurity and cyber insurance expertise as the Assistant Secretary considers appropriate. (d)

Report

Not later than 1 year after the date on which the working group first convenes, the working group shall submit to Congress a report regarding the activities of the working group under subsection (c) and any recommendations of the working group.(e)

Termination

The working group shall terminate upon submission of the report required under subsection (d).(f)

Rule of construction

Nothing in this section shall be construed to—(1)require adoption of the recommendations of the working group; or(2)provide any authority to any member of the working group or any other individual to regulate the business of insurance that is not already provided under any other provision of law.

4.

Dissemination of informative resources for cyber insurance stakeholders

(a)

In general

Not later than 90 days after the date on which the working group submits the report required under section 3(d), the Assistant Secretary shall disseminate and make publicly available informative resources for cyber insurance stakeholders.(b)

Requirements

The Assistant Secretary shall ensure that the resources disseminated under subsection (a)—(1)incorporate the recommendations included in the report submitted under section 3(d);(2)are generally applicable and usable by a wide range of cyber insurance stakeholders, including issuers, agents, brokers, and customers; and(3)include case studies and specific examples, where appropriate.(c)

Publication

The resources disseminated under subsection (a) shall be published on the public website of the National Telecommunications and Information Administration.(d)

Outreach

The Assistant Secretary shall conduct outreach and coordination activities to promote the availability of the resources disseminated under subsection (a) to relevant industry stakeholders and the general public.(e)

Voluntary use

Nothing in this section may be construed to require the use of the resources disseminated under subsection (a).

June 9, 2025Reported without amendment