[Senate Report 119-28]
[From the U.S. Government Publishing Office]
Calendar No. 90
119th Congress, 1st Session
SENATE
Report 119-28
_______________________________________________________________________
INSURE CYBERSECURITY ACT OF 2025
__________
R E P O R T
of the
COMMITTEE ON COMMERCE, SCIENCE, AND
TRANSPORTATION
on
S. 245
June 9, 2025.--Ordered to be printed
------
U.S. GOVERNMENT PUBLISHING OFFICE
59-010 WASHINGTON : 2025
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
One Hundred Nineteenth Congress
First Session
TED CRUZ, Texas, Chairman
JOHN THUNE, South Dakota               MARIA CANTWELL, Washington
ROGER F. WICKER, Mississippi           AMY KLOBUCHAR, Minnesota
DEB FISCHER, Nebraska                  BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas                    EDWARD J. MARKEY, Massachusetts
DAN SULLIVAN, Alaska                   GARY C. PETERS, Michigan
MARSHA BLACKBURN, Tennessee            TAMMY BALDWIN, Wisconsin
TODD YOUNG, Indiana                    TAMMY DUCKWORTH, Illinois
TED BUDD, North Carolina               JACKY ROSEN, Nevada
ERIC SCHMITT, Missouri                 BEN RAY LUJAN, New Mexico
JOHN CURTIS, Utah                      JOHN W. HICKENLOOPER, Colorado
BERNIE MORENO, Ohio                    JOHN FETTERMAN, Pennsylvania
TIM SHEEHY, Montana                    ANDY KIM, New Jersey
SHELLEY MOORE CAPITO, West Virginia    LISA BLUNT ROCHESTER, Delaware
CYNTHIA M. LUMMIS, Wyoming
Brad Grantz, Majority Staff Director
Lila Harper Helms, Democratic Staff Director
Mr. Cruz, from the Committee on Commerce, Science, and
Transportation, submitted the following
R E P O R T
[To accompany S. 245]
[Including cost estimate of the Congressional Budget Office]
The Committee on Commerce, Science, and Transportation, to
which was referred the bill (S. 245) to require the Assistant
Secretary of Commerce for Communications and Information to
establish a working group on cyber insurance, to require
dissemination of informative resources for issuers and
customers of cyber insurance, and for other purposes, having
considered the same, reports favorably thereon without
amendment and recommends that the bill do pass.
PURPOSE OF THE BILL
The purpose of S. 245 is to direct the National
Telecommunications and Information Administration (NTIA) to
establish a working group on cyber insurance, to produce a
report on cyber insurance, and to require dissemination of
informative resources for issuers and customers of cyber
insurance.
BACKGROUND AND NEEDS
Over the past 5 years, cyberattacks on U.S. businesses and
organizations have surged,\1\ with ransomware and data breaches
among the most common cyber incidents impacting businesses and
consumers.\2\ Between 2022 and 2023, ransomware attacks in the
United States rose by 74 percent.\3\ As of October 2024, the
Office of the Director of National Intelligence reported the
United States was on track to exceed 2023's record number of
ransomware attacks.\4\ Meanwhile, the rate of data breaches
from cyber incidents in 2024 also remains high, with 3,158 data
breach incidents--on par with the rate of incidents in 2023,
which also marked an all-time high.\5\
---------------------------------------------------------------------------
\1\Federal Bureau of Investigation, Internet Crime Complaint
Center, 2023 Internet Crime Report, April 2024
(https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf).
\2\The number of cyberattacks has almost doubled since before the
COVID-19 pandemic. Most direct reported losses from cyberattacks are
small, around $0.5 million, but the risk of extreme losses--at least as
large as $2.5 billion--has increased. See International Monetary Fund,
Global Financial Stability Report: The Last Mile: Financial
Vulnerabilities and Risks, chapter 3, April 16, 2024
(https://www.imf.org/-/media/Files/Publications/GFSR/2024/April/English/ch3.ashx).
\3\Office of the Director of National Intelligence, Cyber Threat
Intelligence Integration Center, Ransomware Attacks Surge in 2023;
Attacks on Healthcare Sector Nearly Double, February 2024
(https://www.dni.gov/files/CTIIC/documents/products/Ransomware_Attacks_Surge_in_2023.pdf).
\4\Matt Kapko, ``Ransomware Attacks Surge Despite International
Enforcement Effort,'' Cybersecurity Dive, October 1, 2024
(https://www.cybersecuritydive.com/news/ransomware-surges-desite-global-effort/728534/).
\5\Identity Theft Resource Center, 2024 Data Breach Report, January
2025
(https://www.idtheftcenter.org/wp-content/uploads/2025/02/ITRC_2024DataBreachReport.pdf).
---------------------------------------------------------------------------
There is a direct connection between cyberattacks and data
breaches. According to the Identity Theft Resource Center's
Data Breach report released in January 2025, cyberattacks are
the root cause of many data breaches.\6\
---------------------------------------------------------------------------
\6\Ibid.
---------------------------------------------------------------------------
Cyberattacks and data breaches have significant financial
and operational impacts. In the past two decades, nearly one-
fifth of reported cyber incidents have affected the global
financial sector, causing $12 billion in direct losses to
financial firms, according to the International Monetary Fund's
(IMF) Global Financial Stability Report. Since 2020, direct
losses amounted to an estimated $2.5 billion.\7\ In 2023, the
average data breach cost for businesses climbed higher than
ever, to $4.45 million, according to IBM's Annual Data Breach
Report. A majority (60 percent) of small businesses say
cybersecurity threats, including phishing, malware, and
ransomware, are a top concern.\8\
---------------------------------------------------------------------------
\7\Spencer Feingold and Johnny Wood, ``Global Financial Stability
at Risk Due to Cyber Threats, IMF Warns. Here's What to Know,'' World
Economic Forum, May 15, 2024
(https://www.weforum.org/stories/2024/05/financial-sector-cyber-attack-threat-imf-cybersecurity/).
\8\Thaddeus Swanek, ``Small Businesses Think Cyberattacks Are
Biggest Threat, Survey Shows,'' U.S. Chamber of Commerce, April 2, 2024
(https://www.uschamber.com/small-business/new-survey-finds-small-businesses-think-cyberattacks-are-biggest-threat).
---------------------------------------------------------------------------
Considering the growing threat and cost of cyberattacks,
private companies are increasingly turning to cyber insurance
as part of their organization's larger cybersecurity strategy.
There is a rising demand for cyber insurance among small and
medium-sized enterprises, as 72 percent without cyber insurance
say a major cyberattack could destroy their business.\9\
---------------------------------------------------------------------------
\9\Cowbell Insure, Cyber Round-Up: Q2 2023, at p. 4, May 11, 2023
(https://cowbell.insure/wp-content/uploads/pdfs/Cowbell-Cyber-Round-Up-Q2-2023.pdf).
---------------------------------------------------------------------------
As part of an organization's overall cybersecurity
strategy, cyber insurance can provide both financial protection
and a framework for companies' cyber risk management strategy.
Benefits of cyber insurance include:
    Lowering the cost to a business in the event of a
      data breach or cyberattack by helping cover costs
      related to data recovery, legal fees, regulatory fines,
      and public relations efforts;
    Requiring organizations to assess their
      cybersecurity posture before purchasing a cyber
      insurance policy, and encouraging companies to
      proactively assess, identify, and address cybersecurity
      risks;
    Assisting companies with cyber incident responses by
      connecting companies to experts and resources; and
    Providing insurance customers with ongoing best
      practices for their cybersecurity posture.
Currently, the details of cyber insurance coverage are
often hard to understand, according to a 2021 Government
Accountability Office report, which found that ambiguity in
policy language can result in misunderstandings and litigation
between issuers and policyholders and that many customers,
especially smaller businesses, may underestimate the coverage
they need to protect against cyber risks.\10\
---------------------------------------------------------------------------
\10\John Pendleton, Cyber Insurance: Insurers and Policyholders
Face Challenges in an Evolving Market, Government Accountability
Office, GAO-21-477, May 20, 2021
(https://www.gao.gov/products/gao-21-477).
---------------------------------------------------------------------------
According to the U.S. Cyberspace Solarium Commission (CSC),
the insurance industry and its customers also face other
challenges in ensuring that cybersecurity coverage effectively
models, prices, and understands risk so as to stabilize the
industry and its coverage.\11\ To address this challenge, the CSC
recommended that Congress, other Federal agencies, State and
local governments, and the private sector address the gaps in
data sets, best practices, and information to help inform
insurers, and consider convening a working group with
stakeholders, including insurance companies and cyber risk
modeling companies, to collaborate in pooling and leveraging
available statistics and data that can inform innovations in
cyber risk modeling.
---------------------------------------------------------------------------
\11\Jiwon Ma and RADM (Ret.) Mark Montgomery, 2024 Annual Report on
Implementation, CSC 2.0, September 19, 2024
(https://cybersolarium.org/annual-assessment/2024-annual-report-on-implementation/).
---------------------------------------------------------------------------
This bill would develop additional resources to better
inform cybersecurity insurance customers, particularly small
businesses, and also develop additional insights pertaining to
measuring cyber risk and cyber insurance costs and how to bring
down those risks and costs in the future.
SUMMARY OF PROVISIONS
S. 245 would do the following:
    Require the Assistant Secretary to create a working
      group that will develop information about cyber
      insurance to help inform and assist issuers, agents,
      brokers, and customers in their understanding of cyber
      insurance and to improve communication over
      cybersecurity insurance coverage levels.
    Direct the working group to gather input from
      insurers on what measures could improve their ability
      to offer additional coverage policies, including: (1)
      improvements to their actuarial data and cyber risk
      data; (2) the development of effective information
      sharing mechanisms; and (3) accurate measures of
      customers' cybersecurity practices.
    Direct the working group to identify what measures
      could reduce the cost of policies and reduce the amount
      of cyber risk and cyber incidents.
    Require that, no later than 1 year after the working
      group first convenes, the working group submit to
      Congress a report describing its activities and
      recommendations, upon which time the group would
      terminate.
    Provide that nothing in the working group report
      submitted to Congress shall be construed to require
      adoption of the working group's recommendations or
      provide any authority to any member of the working
      group or any other individual to regulate the business
      of insurance that is not already provided under any
      other provision of law.
    Require, no later than 90 days after the working
      group submits the cyber insurance report to Congress,
      that the Assistant Secretary and NTIA disseminate
      and make publicly available the informative resources
      developed by the working group.
    Provide that the Assistant Secretary of NTIA's
      dissemination of the informative resources developed by
      the working group not be construed as requiring the use
      of such resources.
LEGISLATIVE HISTORY
S. 245 was introduced on January 24, 2025, by Senator
Hickenlooper (for himself and Senator Capito) and was referred
to the Committee on Commerce, Science, and Transportation of
the Senate. On February 5, 2025, the Committee met in open
Executive Session and, by voice vote, ordered S. 245 to be
reported favorably without amendment.
ESTIMATED COSTS
In accordance with paragraph 11(a) of rule XXVI of the
Standing Rules of the Senate and section 403 of the
Congressional Budget Act of 1974, the Committee provides the
following cost estimate, prepared by the Congressional Budget
Office:
Summary of legislation: On February 5, 2025, the Senate
Committee on Commerce, Science, and Transportation ordered
reported a total of 17 bills. This document provides estimates
for 5 of those bills.
S. 99, S. 195, and S. 245 would require the Department of
Commerce to study supply chains, promote music tourism, and
establish a working group on cyber insurance; S. 281 and S. 314
would direct the Federal Trade Commission (FTC) to enforce new
prohibitions related to ticket prices for live events and hotel
prices.
Estimated Federal cost: The estimated costs do not include
any effects of interactions among the bills. If all five bills
were combined and enacted as a single piece of legislation, the
estimated costs could be different from the sum of the separate
estimates, although CBO expects that any differences would be
small. The costs of the legislation fall within budget function
370 (commerce and housing credit).
Basis of estimate: For these estimates, CBO assumes that
the bills will be enacted near the middle of fiscal year 2025
and that the estimated amounts will be appropriated each year.
CBO estimates that all five bills would affect spending subject
to appropriation and that S. 281 and S. 314 would affect
revenues.
S. 99, Strengthening Support for American Manufacturing
Act, would require the Department of Commerce to contract with
the National Academy of Public Administration to study programs
operated by the department that aim to improve the resilience
of critical supply chains and provide technical assistance to
U.S. manufacturers. The report would identify interagency gaps
and duplicative responsibilities among offices and recommend
improvements.
Using information from the Department of Commerce, CBO
estimates that completing the study would cost $2 million over
the 2025-2030 period, including employee and contracting costs.
Any related spending would be subject to the availability of
appropriated funds.
S. 195, American Music Tourism Act of 2025, would require
the Assistant Secretary of Commerce for Travel and Tourism to
promote music tourism in the United States and periodically
report to the Congress. In 2024, the Assistant Secretary
received $3.5 million to carry out the requirements of the
Visit America Act, a 2022 law to promote travel and tourism in
the United States.
Using information about the Assistant Secretary's
responsibilities under current law, CBO estimates that
implementing the requirements in the bill would cost less than
$500,000 over the 2025-2030 period. Any related spending would
be subject to the availability of appropriated funds.
S. 245, Insure Cybersecurity Act of 2025, would require the
National Telecommunications and Information Administration to
establish an interagency working group on cyber insurance,
composed of members from the Cybersecurity and Infrastructure
Security Agency, Department of Justice, Department of the
Treasury, National Institute of Standards and Technology, and
the FTC. The working group would be required to report to the
Congress no later than one year after it forms.
Using information about the cost of similar working groups,
CBO estimates that implementing the bill would cost less than
$500,000 over the 2025-2026 period. Any related spending would
be subject to the availability of appropriated funds.
S. 281, TICKET Act, would require companies that issue
tickets or that sell tickets on the secondary market to clearly
display the total price of any ticket, including itemizing any
fees not included in the base ticket price. The bill also would
prohibit entities from offering or advertising tickets that
they do not possess, require entities to clearly disclose if a
ticket is for re-sale, and direct ticket sellers to refund
buyers if an event is cancelled. Those requirements would apply
to live events at venues with an attendance capacity of 200
people or more. The FTC would enforce those requirements.
Based on the cost of similar provisions, CBO estimates
implementing the bill would cost the FTC $4 million over the
2025-2030 period to issue guidance and to monitor and enforce
violations. Any related spending would be subject to the
availability of appropriated funds. In addition, CBO estimates
that enacting the bill could increase civil penalty
collections, which are recorded in the budget as revenues, by
an insignificant amount.
S. 314, Hotel Fees Transparency Act of 2025, would require
providers of short-term lodging and websites that advertise or
offer such lodging to display upfront the full lodging price
and each mandatory fee required to complete a booking. The FTC
would enforce those requirements.
Based on the cost of similar provisions, CBO estimates
implementing the bill would cost the FTC $4 million over the
2025-2030 period to issue guidance and to monitor and enforce
violations. Any related spending would be subject to the
availability of appropriated funds. In addition, CBO estimates
that enacting the bill could increase civil penalty
collections, which are recorded in the budget as revenues, by
an insignificant amount.
Pay-As-You-Go considerations: CBO estimates that enacting
S. 281 and S. 314 would each increase revenues by less than
$500,000 over the 2025-2035 period; therefore, pay-as-you-go
procedures apply to those bills.
Increase in long-term net direct spending and deficits: CBO
estimates that none of the bills would increase net direct
spending or deficits in any of the four consecutive 10-year
periods beginning in 2036.
Mandates: Two of the bills ordered reported by the
committee contain mandates, as defined in the Unfunded Mandates
Reform Act (UMRA).
S. 281, TICKET Act, would impose private-sector mandates as
defined in UMRA on ticket sellers and resellers by requiring
certain changes, including new refund policies, to the ticketing
process. CBO estimates the aggregate cost to comply with the
mandates would be above the threshold established in UMRA for
private-sector mandates ($206 million in 2025, adjusted
annually for inflation).
Under the bill, if an event is cancelled, ticket sellers
and resellers would be required to provide a refund of the full
ticket price, including taxes and fees, to ticket purchasers.
If an event is postponed, sellers and resellers would be
required to provide customers either a full refund or a
replacement ticket, if available, subject to the customer's
preference. Sellers also would be required to disclose this
refund policy. The bill allows for exceptions to this policy in
cases where the cancellation or postponement is beyond the
control of the ticket issuer, such as natural disasters. Based
on discussions with industry sources, a substantial share of
sellers and resellers already provide full refunds for
cancelled events but few offer refunds for postponed events.
Considerable uncertainty surrounds the ways that federal
regulations might define what is within the control of the
issuer in the event of a cancellation or postponement or what
might constitute comparable replacement events. Given the large
size of the industry and the amount of revenue generated by
ticketed events, CBO estimates that the cost of this mandate
would exceed the threshold for private-sector mandates.
S. 281 also would require ticket sellers and resellers to
make certain up-front disclosures to consumers. They would need
to disclose the ticket prices, including taxes and fees. Those
disclosures would occur at the time a ticket is first displayed
to a consumer and in any advertisements or marketing. The bill
also would require ticket sellers and resellers to provide an
itemized list of the base price and all fees. Information from
industry sources indicates that most ticket sellers have
already begun to provide the total cost to consumers in
advance; thus, CBO expects the additional requirements in the
bill to have small costs.
The bill also would require ticket resellers to disclose to
consumers that they are resellers before any purchase is
complete. Sellers and resellers would be prohibited from
selling or advertising any ticket that the seller does not
actually or constructively possess. In certain instances,
sellers also would be prohibited from revealing to consumers
and using the name of venues, teams, artists, and events in
their online domain names. CBO expects that those disclosures
and prohibitions would impose minimal costs on the sellers.
The bill contains no intergovernmental mandates as defined
in UMRA.
S. 314, Hotel Fees Transparency Act of 2025, would impose
intergovernmental and private-sector mandates as defined in
UMRA. CBO estimates that the cost to comply with those mandates
would not exceed thresholds established in UMRA ($103 million
and $206 million in 2025, respectively, adjusted annually for
inflation).
The bill would preempt state and local laws governing the
display of prices for short-term lodging. Although the
preemptions would limit the application of state and local
laws, they would impose no duty on state or local governments
that would result in significant spending or loss of revenues.
The bill would require hotels, short-term rentals, online
booking websites, and any other third-party temporary
accommodation sellers to disclose upfront the total price of
lodging, including any government-imposed fees. Information
from industry sources and the FTC indicates that several
lodging providers already comply with provisions in the bill.
In addition, an FTC final rule, set to go into effect in April,
will require short-term lodging sellers to disclose all
associated fees to customers. CBO expects the cost for other
entities to comply would be small because many providers
already comply and those who do not already possess the fee
information required to be displayed.
Estimate prepared by: Federal Costs and Revenues: David
Hughes; Mandates: Grace Watson and Rachel Austin.
Estimate reviewed by: Justin Humphrey, Chief, Finance,
Housing, and Education Cost Estimates Unit; Kathleen
FitzGerald, Chief, Public and Private Mandates Unit; H. Samuel
Papenfuss, Deputy Director of Budget Analysis.
Estimate approved by: Phillip L. Swagel, Director,
Congressional Budget Office.
REGULATORY IMPACT STATEMENT
In accordance with paragraph 11(b) of rule XXVI of the
Standing Rules of the Senate, the Committee provides the
following evaluation of the regulatory impact of the
legislation, as reported:
Number of Persons Covered
S. 245 would not create any new programs and would have no
additional regulatory impact. The bill would result in minimal
additional reporting requirements because the working group is
directed to gather input from insurance issuers.
Economic Impact
S. 245 would have no economic impact.
Privacy
S. 245 is not expected to have an impact on privacy.
Paperwork
S. 245 would have no further impact on the paperwork
required from individuals and businesses, with the exception of
the input directed to be gathered by the working group from
insurance issuers.
CONGRESSIONALLY DIRECTED SPENDING
In compliance with paragraph 4(b) of rule XLIV of the
Standing Rules of the Senate, the Committee provides that no
provisions contained in the bill, as reported, meet the
definition of congressionally directed spending items under the
rule.
SECTION-BY-SECTION ANALYSIS
Section 1. Short title.
This section would provide that the bill may be cited as
the ``Insure Cybersecurity Act of 2025''.
Section 2. Definitions.
This section would establish definitions for the terms
``Assistant Secretary'', ``critical infrastructure'',
``customer'', ``cyber incident'', ``cyber insurance'',
``issuer'', ``policy'', ``small business'', and ``working
group''.
Section 3. Working group on cyber insurance.
Subsection (a) would require the Assistant Secretary of
Commerce for Communications and Information to establish a
working group on cyber insurance no later than 90 days after
enactment.
Subsection (b) would require that the composition of the
cyber insurance working group established under this section
include at least one member from the Cybersecurity and
Infrastructure Security Agency, the National Institute of
Standards and Technology, the Department of the Treasury, the
Department of Justice, and the Federal Trade Commission; at
least one State insurance regulator; and the Assistant
Secretary who would serve as the working group's chairperson.
Subsection (c) would direct the working group to define the
term ``cyber insurance'' and do the following:
    Analyze and explain relevant terminology, common
      types of cyber incidents, common customer responses,
      coverage for losses, and constraints by issuers;
    Develop information on coverage policies and
      information for insurers on communicating policies;
    Gather input on policy improvements;
    Identify ways to reduce costs and risks; and
    Develop recommendations for customers.
This section would also direct the working group to engage
in public consultations with relevant stakeholders.
Subsection (d) would require the working group, no later
than 1 year after first convening, to submit to Congress a
report regarding the activities of the working group under
subsection (c) and any recommendations of the working group.
Subsection (e) would require that upon submitting the cyber
insurance report required under subsection (d) the working
group would terminate.
Subsection (f) would provide that nothing in the section
shall be construed to require adoption of the working group's
recommendations or provide any authority to any member of the
working group or any other individual to regulate the business
of insurance that is not already provided under any other
provision of law.
Section 4. Dissemination of informative resources for cyber insurance
stakeholders.
Subsection (a) would require the Assistant Secretary to
disseminate and make publicly available informative resources
for cyber insurance stakeholders no later than 90 days after
the working group submits the report to Congress.
Subsection (b) would provide the requirements for carrying
out subsection (a), specifically, that the Assistant Secretary
would ensure the resources distributed: (1) incorporate the
recommendations of the cyber insurance report; (2) are
generally applicable to cyber insurance stakeholders; and (3)
include case studies and examples where appropriate.
Subsection (c) would require the resources disseminated by
the Assistant Secretary be published on the NTIA's website.
Subsection (d) would require that the Assistant Secretary
conduct outreach and coordination to promote the resources
produced and made available.
Subsection (e) would provide that nothing in this section
may be construed to require the use of the resources
disseminated by the Assistant Secretary.
CHANGES IN EXISTING LAW
In compliance with paragraph 12 of rule XXVI of the
Standing Rules of the Senate, the Committee states that the
bill as reported would make no change to existing law.