118 S513 IS: Insure Cybersecurity Act of 2023
U.S. Senate
2023-02-16
text/xml
EN
Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.
1.This Act may be cited as the Insure Cybersecurity Act of 2023
.2.In this Act:(1)The term Assistant Secretary means the Assistant Secretary of Commerce for Communications and Information.(2)The term customer means an individual or organization that purchases cyber insurance from an issuer. (3)The term cyber incident has the meaning given the term incident in section 3552(b) of title 44, United States Code. (4)Subject to section 3(c)(1)(A), the term cyber insurance means an insurance policy that, whether by explicit inclusion or by lack of exclusion, offers coverage for losses, damages, and costs incurred due to cyber incidents. (5)The term issuer means an organization that issues cyber insurance.(6)The term policy means a policy for cyber insurance.(7)The term small business has the meaning given the term small business concern in section 3 of the Small Business Act (15 U.S.C. 632).(8)The term working group means the working group established under section 3(a).3.Working group on cyber insurance(a)Not later than 90 days after the date of enactment of this Act, the Assistant Secretary shall establish a working group on cyber insurance.(b)(1)The working group shall be composed of not less than 1 member from each of the following:(A)The Cybersecurity and Infrastructure Security Agency.(B)The National Institute of Standards and Technology.(C)The Department of the Treasury.(D)The Department of Justice. (2)The Assistant Secretary shall be the chairperson of the working group.(c)(1)The working group shall carry out the following activities:(A)For the purposes of the activities of the working group, define the term cyber insurance in a manner that is different from the definition of that term under section 2(4), if the working group determines that such a modified definition is necessary.(B)Analyze and explain in a manner most understandable to customers the technical and legal terminology commonly used in policies.(C)Analyze, and develop recommendations regarding, provisions in policies that relate to ransomware and ransom payments made in response to ransomware.(D)Analyze and explain in a manner most understandable to customers the terminology used in policies to include or exclude coverage for losses due to cyber incidents that are caused by cyberterrorism or acts of war.(E)Develop recommendations for prospective customers on ways to effectively evaluate the types and levels of coverage offered under a policy.(F)Develop recommendations for issuers, agents, and brokers regarding how to provide and communicate policy provisions that are clear and easy to understand for customers.(G)Identify the constraints of issuers in covering higher amounts of losses and new cyber risk areas currently not covered, including reputational damage and intellectual property lost.(H)Gather input from issuers on what measures would improve the ability of those issuers to offer additional coverage under policies, including improvements to their actuarial data, cyber risk data, and information sharing mechanisms and effective measurement of the cybersecurity practices of consumers.(I)Identify the constraints of the market and why more organizations do not use cyber insurance as a risk response mechanism.(J)Develop recommendations for customers on how best to use cyber insurance as a risk response mechanism for cyber risk and incentives for doing so. (2)In carrying out the activities of the working group under paragraph (1), the working group shall consult with the public in an open and transparent manner, including by consulting with the following stakeholders:(A)Issuers.(B)Insurance agents and brokers with experience in the sale and distribution of cyber insurance.(C)Representatives of business customers from multiple sectors and representatives of small businesses.(D)Academia.(E)State insurance regulators with expertise regarding cybersecurity and cyber insurance.(F)Other individuals or entities with cybersecurity and cyber insurance expertise as the Assistant Secretary considers appropriate. (d)Not later than 1 year after the date on which the working group first convenes, the working group shall submit to Congress a report regarding the activities of the working group under subsection (c) and any recommendations of the working group.(e)The working group shall terminate upon submission of the report required under subsection (d).(f)Nothing in this section shall be construed to—(1)require adoption of the recommendations of the working group; or(2)provide any authority to any member of the working group or any other individual to regulate the business of insurance that is not already provided under any other provision of law. 4.Dissemination of informative resources for cyber insurance stakeholders(a)Not later than 90 days after the date on which the working group submits the report required under section 3(d), the Assistant Secretary shall disseminate and make publicly available informative resources for cyber insurance stakeholders.(b)The Assistant Secretary shall ensure that the resources disseminated under subsection (a)—(1)incorporate the recommendations included in the report submitted under section 3(d);(2)are generally applicable and usable by a wide range of cyber insurance stakeholders, including issuers, agents, brokers, and customers; and(3)include case studies and specific examples, where appropriate.(c)The resources disseminated under subsection (a) shall be published on the public website of the National Telecommunications and Information Administration.(d)The Assistant Secretary shall conduct outreach and coordination activities to promote the availability of the resources disseminated under subsection (a) to relevant industry stakeholders and the general public.(e)Nothing in this section may be construed to require the use of the resources disseminated under subsection (a).