[Congressional Bills 119th Congress]
[From the U.S. Government Publishing Office]
[S. 245 Introduced in Senate (IS)]

119th CONGRESS
  1st Session
                                 S. 245

 To require the Assistant Secretary of Commerce for Communications and 
Information to establish a working group on cyber insurance, to require 
  dissemination of informative resources for issuers and customers of 
                cyber insurance, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            January 24, 2025

Mr. Hickenlooper (for himself and Mrs. Capito) introduced the following 
 bill; which was read twice and referred to the Committee on Commerce, 
                      Science, and Transportation

_______________________________________________________________________

                                 A BILL


 
 To require the Assistant Secretary of Commerce for Communications and 
Information to establish a working group on cyber insurance, to require 
  dissemination of informative resources for issuers and customers of 
                cyber insurance, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Insure Cybersecurity Act of 2025''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Assistant secretary.--The term ``Assistant Secretary'' 
        means the Assistant Secretary of Commerce for Communications 
        and Information.
            (2) Critical infrastructure.--The term ``critical 
        infrastructure'' has the meaning given the term in subsection 
        (e) of the Critical Infrastructures Protection Act of 2001 (42 
        U.S.C. 5195c).
            (3) Customer.--The term ``customer'' means an individual or 
        organization that purchases cyber insurance from an issuer.
            (4) Cyber incident.--The term ``cyber incident'' has the 
        meaning given the term ``incident'' in section 3552(b) of title 
        44, United States Code.
            (5) Cyber insurance.--Subject to section 3(c)(1)(A), the 
        term ``cyber insurance'' means an insurance policy that 
        includes coverage for losses, damages, and costs incurred due 
        to cyber incidents.
            (6) Issuer.--The term ``issuer'' means an organization that 
        issues cyber insurance.
            (7) Policy.--The term ``policy'' means a policy for cyber 
        insurance.
            (8) Small business.--The term ``small business'' has the 
        meaning given the term ``small business concern'' in section 3 
        of the Small Business Act (15 U.S.C. 632).
            (9) Working group.--The term ``working group'' means the 
        working group established under section 3(a).

SEC. 3. WORKING GROUP ON CYBER INSURANCE.

    (a) Establishment.--Not later than 90 days after the date of 
enactment of this Act, the Assistant Secretary shall establish a 
working group on cyber insurance.
    (b) Composition.--
            (1) Membership.--The working group shall be composed of the 
        following members:
                    (A) Not less than 1 member from each of the 
                following:
                            (i) The Cybersecurity and Infrastructure 
                        Security Agency.
                            (ii) The National Institute of Standards 
                        and Technology.
                            (iii) The Department of the Treasury.
                            (iv) The Department of Justice.
                            (v) The Federal Trade Commission.
                    (B) Not less than 1 State insurance regulator with 
                expertise regarding cybersecurity and cyber insurance.
            (2) Chairperson.--The Assistant Secretary shall be the 
        chairperson of the working group.
    (c) Activities.--
            (1) In general.--The working group shall carry out the 
        following activities:
                    (A) For the purposes of the activities of the 
                working group, define the term ``cyber insurance'' in a 
                manner that is different from the definition of that 
                term under section 2(5), if the working group 
                determines that such a modified definition is 
                necessary.
                    (B) Analyze and explain in a manner understandable 
                to customers the technical and legal terminology 
                commonly used in policies.
                    (C) Analyze and explain in a manner understandable 
                to customers how provisions in policies correspond to 
                common types of cyber incidents, including those 
                involving ransomware.
                    (D) Analyze and explain in a manner understandable 
                to customers how provisions in policies correspond to 
                common customer responses to cyber incidents, including 
                with respect to system recovery and potential ransom 
                payments.
                    (E) Analyze and explain in a manner understandable 
                to customers the terminology used in policies to 
                include or exclude coverage for losses due to cyber 
                incidents.
                    (F) Analyze and explain in a manner understandable 
                to customers the constraints faced by issuers in 
                covering higher amounts of losses and cyber risk areas, 
                such as reputational damage and the loss of 
                intellectual property.
                    (G) Develop information for customers on ways to 
                effectively evaluate the types and levels of coverage 
                offered under a policy.
                    (H) Develop information for issuers, agents, and 
                brokers regarding how to provide and communicate policy 
                provisions that are clear and easy to understand for 
                customers.
                    (I) Gather input from issuers on what measures 
                could improve the ability of those issuers to offer 
                additional coverage under policies, including--
                            (i) improvements to their actuarial data 
                        and cyber risk data;
                            (ii) the development of effective 
                        information sharing mechanisms; and
                            (iii) accurate measurement of the 
                        cybersecurity practices of customers.
                    (J) Identify what measures could reduce the cost of 
                policies and reduce the amount of cyber risk and the 
                number of cyber incidents.
                    (K) Develop recommendations for customers on how 
                best to use cyber insurance and the benefits of doing 
                so.
            (2) Consultation.--In carrying out the activities of the 
        working group under paragraph (1), the working group shall 
        consult with the public in an open and transparent manner, 
        including by consulting with the following stakeholders:
                    (A) Issuers.
                    (B) Insurance agents and brokers with experience in 
                the sale and distribution of cyber insurance.
                    (C) Representatives of business customers from 
                multiple sectors and representatives of small 
                businesses.
                    (D) Academia.
                    (E) State insurance regulators with expertise 
                regarding cybersecurity and cyber insurance.
                    (F) Owners and operators of critical 
                infrastructure.
                    (G) Other individuals or entities with 
                cybersecurity and cyber insurance expertise as the 
                Assistant Secretary considers appropriate.
    (d) Report.--Not later than 1 year after the date on which the 
working group first convenes, the working group shall submit to 
Congress a report regarding the activities of the working group under 
subsection (c) and any recommendations of the working group.
    (e) Termination.--The working group shall terminate upon submission 
of the report required under subsection (d).
    (f) Rule of Construction.--Nothing in this section shall be 
construed to--
            (1) require adoption of the recommendations of the working 
        group; or
            (2) provide any authority to any member of the working 
        group or any other individual to regulate the business of 
        insurance that is not already provided under any other 
        provision of law.

SEC. 4. DISSEMINATION OF INFORMATIVE RESOURCES FOR CYBER INSURANCE 
              STAKEHOLDERS.

    (a) In General.--Not later than 90 days after the date on which the 
working group submits the report required under section 3(d), the 
Assistant Secretary shall disseminate and make publicly available 
informative resources for cyber insurance stakeholders.
    (b) Requirements.--The Assistant Secretary shall ensure that the 
resources disseminated under subsection (a)--
            (1) incorporate the recommendations included in the report 
        submitted under section 3(d);
            (2) are generally applicable and usable by a wide range of 
        cyber insurance stakeholders, including issuers, agents, 
        brokers, and customers; and
            (3) include case studies and specific examples, where 
        appropriate.
    (c) Publication.--The resources disseminated under subsection (a) 
shall be published on the public website of the National 
Telecommunications and Information Administration.
    (d) Outreach.--The Assistant Secretary shall conduct outreach and 
coordination activities to promote the availability of the resources 
disseminated under subsection (a) to relevant industry stakeholders and 
the general public.
    (e) Voluntary Use.--Nothing in this section may be construed to 
require the use of the resources disseminated under subsection (a).