[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 513 Introduced in Senate (IS)]

<DOC>






118th CONGRESS
  1st Session
                                 S. 513

 To require the Assistant Secretary of Commerce for Communications and 
Information to establish a working group on cyber insurance, to require 
  dissemination of informative resources for issuers and customers of 
                cyber insurance, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                           February 16, 2023

Mr. Hickenlooper (for himself and Mrs. Capito) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
 To require the Assistant Secretary of Commerce for Communications and 
Information to establish a working group on cyber insurance, to require 
  dissemination of informative resources for issuers and customers of 
                cyber insurance, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Insure Cybersecurity Act of 2023''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Assistant secretary.--The term ``Assistant Secretary'' 
        means the Assistant Secretary of Commerce for Communications 
        and Information.
            (2) Customer.--The term ``customer'' means an individual or 
        organization that purchases cyber insurance from an issuer.
            (3) Cyber incident.--The term ``cyber incident'' has the 
        meaning given the term ``incident'' in section 3552(b) of title 
        44, United States Code.
            (4) Cyber insurance.--Subject to section 3(c)(1)(A), the 
        term ``cyber insurance'' means an insurance policy that, 
        whether by explicit inclusion or by lack of exclusion, offers 
        coverage for losses, damages, and costs incurred due to cyber 
        incidents.
            (5) Issuer.--The term ``issuer'' means an organization that 
        issues cyber insurance.
            (6) Policy.--The term ``policy'' means a policy for cyber 
        insurance.
            (7) Small business.--The term ``small business'' has the 
        meaning given the term ``small business concern'' in section 3 
        of the Small Business Act (15 U.S.C. 632).
            (8) Working group.--The term ``working group'' means the 
        working group established under section 3(a).

SEC. 3. WORKING GROUP ON CYBER INSURANCE.

    (a) Establishment.--Not later than 90 days after the date of 
enactment of this Act, the Assistant Secretary shall establish a 
working group on cyber insurance.
    (b) Composition.--
            (1) Membership.--The working group shall be composed of not 
        less than 1 member from each of the following:
                    (A) The Cybersecurity and Infrastructure Security 
                Agency.
                    (B) The National Institute of Standards and 
                Technology.
                    (C) The Department of the Treasury.
                    (D) The Department of Justice.
            (2) Chairperson.--The Assistant Secretary shall be the 
        chairperson of the working group.
    (c) Activities.--
            (1) In general.--The working group shall carry out the 
        following activities:
                    (A) For the purposes of the activities of the 
                working group, define the term ``cyber insurance'' in a 
                manner that is different from the definition of that 
                term under section 2(4), if the working group 
                determines that such a modified definition is 
                necessary.
                    (B) Analyze and explain in a manner most 
                understandable to customers the technical and legal 
                terminology commonly used in policies.
                    (C) Analyze, and develop recommendations regarding, 
                provisions in policies that relate to ransomware and 
                ransom payments made in response to ransomware.
                    (D) Analyze and explain in a manner most 
                understandable to customers the terminology used in 
                policies to include or exclude coverage for losses due 
                to cyber incidents that are caused by cyberterrorism or 
                acts of war.
                    (E) Develop recommendations for prospective 
                customers on ways to effectively evaluate the types and 
                levels of coverage offered under a policy.
                    (F) Develop recommendations for issuers, agents, 
                and brokers regarding how to provide and communicate 
                policy provisions that are clear and easy to understand 
                for customers.
                    (G) Identify the constraints of issuers in covering 
                higher amounts of losses and new cyber risk areas 
                currently not covered, including reputational damage 
                and intellectual property lost.
                    (H) Gather input from issuers on what measures 
                would improve the ability of those issuers to offer 
                additional coverage under policies, including 
                improvements to their actuarial data, cyber risk data, 
                and information sharing mechanisms and effective 
                measurement of the cybersecurity practices of 
                consumers.
                    (I) Identify the constraints of the market and why 
                more organizations do not use cyber insurance as a risk 
                response mechanism.
                    (J) Develop recommendations for customers on how 
                best to use cyber insurance as a risk response 
                mechanism for cyber risk and incentives for doing so.
            (2) Consultation.--In carrying out the activities of the 
        working group under paragraph (1), the working group shall 
        consult with the public in an open and transparent manner, 
        including by consulting with the following stakeholders:
                    (A) Issuers.
                    (B) Insurance agents and brokers with experience in 
                the sale and distribution of cyber insurance.
                    (C) Representatives of business customers from 
                multiple sectors and representatives of small 
                businesses.
                    (D) Academia.
                    (E) State insurance regulators with expertise 
                regarding cybersecurity and cyber insurance.
                    (F) Other individuals or entities with 
                cybersecurity and cyber insurance expertise as the 
                Assistant Secretary considers appropriate.
    (d) Report.--Not later than 1 year after the date on which the 
working group first convenes, the working group shall submit to 
Congress a report regarding the activities of the working group under 
subsection (c) and any recommendations of the working group.
    (e) Termination.--The working group shall terminate upon submission 
of the report required under subsection (d).
    (f) Rule of Construction.--Nothing in this section shall be 
construed to--
            (1) require adoption of the recommendations of the working 
        group; or
            (2) provide any authority to any member of the working 
        group or any other individual to regulate the business of 
        insurance that is not already provided under any other 
        provision of law.

SEC. 4. DISSEMINATION OF INFORMATIVE RESOURCES FOR CYBER INSURANCE 
              STAKEHOLDERS.

    (a) In General.--Not later than 90 days after the date on which the 
working group submits the report required under section 3(d), the 
Assistant Secretary shall disseminate and make publicly available 
informative resources for cyber insurance stakeholders.
    (b) Requirements.--The Assistant Secretary shall ensure that the 
resources disseminated under subsection (a)--
            (1) incorporate the recommendations included in the report 
        submitted under section 3(d);
            (2) are generally applicable and usable by a wide range of 
        cyber insurance stakeholders, including issuers, agents, 
        brokers, and customers; and
            (3) include case studies and specific examples, where 
        appropriate.
    (c) Publication.--The resources disseminated under subsection (a) 
shall be published on the public website of the National 
Telecommunications and Information Administration.
    (d) Outreach.--The Assistant Secretary shall conduct outreach and 
coordination activities to promote the availability of the resources 
disseminated under subsection (a) to relevant industry stakeholders and 
the general public.
    (e) Voluntary Use.--Nothing in this section may be construed to 
require the use of the resources disseminated under subsection (a).
                                 <all>