Insure Cybersecurity Act of 2025
S. 245 · 119th Congress

Reported by Committee · Sen. John Hickenlooper (D-CO)
Version: Reported to Senate · Jun 9, 2025

Section 1. Short title

This Act may be cited as the "Insure Cybersecurity Act of 2025".

Section 2. Definitions

In this Act:

(1) Assistant Secretary

The term "Assistant Secretary" means the Assistant Secretary of Commerce for Communications and Information.

(2) Critical infrastructure

The term "critical infrastructure" has the meaning given the term in subsection (e) of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c).

(3) Customer

The term "customer" means an individual or organization that purchases cyber insurance from an issuer.

(4) Cyber incident

The term "cyber incident" has the meaning given the term "incident" in section 3552(b) of title 44, United States Code.

(5) Cyber insurance

Subject to section 3(c)(1)(A), the term "cyber insurance" means an insurance policy that includes coverage for losses, damages, and costs incurred due to cyber incidents.

(6) Issuer

The term "issuer" means an organization that issues cyber insurance.

(7) Policy

The term "policy" means a policy for cyber insurance.

(8) Small business

The term "small business" has the meaning given the term "small business concern" in section 3 of the Small Business Act (15 U.S.C. 632).

(9) Working group

The term "working group" means the working group established under section 3(a).

(a) Establishment

Not later than 90 days after the date of enactment of this Act, the Assistant Secretary shall establish a working group on cyber insurance.

(1) Membership

The working group shall be composed of the following members:

(A) Not less than 1 member from each of the following:

(i) The Cybersecurity and Infrastructure Security Agency.

(ii) The National Institute of Standards and Technology.

(iii) The Department of the Treasury.

(iv) The Department of Justice.

(v) The Federal Trade Commission.

(B) Not less than 1 State insurance regulator with expertise regarding cybersecurity and cyber insurance.

(2) Chairperson

The Assistant Secretary shall be the chairperson of the working group.

(1) In general

The working group shall carry out the following activities:

(A) For the purposes of the activities of the working group, define the term "cyber insurance" in a manner that is different from the definition of that term under section 2(5), if the working group determines that such a modified definition is necessary.

(B) Analyze and explain in a manner understandable to customers the technical and legal terminology commonly used in policies.

(C) Analyze and explain in a manner understandable to customers how provisions in policies correspond to common types of cyber incidents, including those involving ransomware.

(D) Analyze and explain in a manner understandable to customers how provisions in policies correspond to common customer responses to cyber incidents, including with respect to system recovery and potential ransom payments.

(E) Analyze and explain in a manner understandable to customers the terminology used in policies to include or exclude coverage for losses due to cyber incidents.

(F) Analyze and explain in a manner understandable to customers the constraints faced by issuers in covering higher amounts of losses and cyber risk areas, such as reputational damage and the loss of intellectual property.

(G) Develop information for customers on ways to effectively evaluate the types and levels of coverage offered under a policy.

(H) Develop information for issuers, agents, and brokers regarding how to provide and communicate policy provisions that are clear and easy to understand for customers.

(I) Gather input from issuers on what measures could improve the ability of those issuers to offer additional coverage under policies, including—

(i) improvements to their actuarial data and cyber risk data;

(ii) the development of effective information sharing mechanisms; and

(iii) accurate measurement of the cybersecurity practices of customers.

(J) Identify what measures could reduce the cost of policies and reduce the amount of cyber risk and the number of cyber incidents.

(K) Develop recommendations for customers on how best to use cyber insurance and the benefits of doing so.

(2) Consultation

In carrying out the activities of the working group under paragraph (1), the working group shall consult with the public in an open and transparent manner, including by consulting with the following stakeholders:

(A) Issuers.

(B) Insurance agents and brokers with experience in the sale and distribution of cyber insurance.

(C) Representatives of business customers from multiple sectors and representatives of small businesses.

(D) Academia.

(E) State insurance regulators with expertise regarding cybersecurity and cyber insurance.

(F) Owners and operators of critical infrastructure.

(G) Other individuals or entities with cybersecurity and cyber insurance expertise as the Assistant Secretary considers appropriate.

(d) Report

Not later than 1 year after the date on which the working group first convenes, the working group shall submit to Congress a report regarding the activities of the working group under subsection (c) and any recommendations of the working group.

(e) Termination

The working group shall terminate upon submission of the report required under subsection (d).

(f) Rule of construction

Nothing in this section shall be construed to—

(1) require adoption of the recommendations of the working group; or

(2) provide any authority to any member of the working group or any other individual to regulate the business of insurance that is not already provided under any other provision of law.

(a) In general

Not later than 90 days after the date on which the working group submits the report required under section 3(d), the Assistant Secretary shall disseminate and make publicly available informative resources for cyber insurance stakeholders.

(b) Requirements

The Assistant Secretary shall ensure that the resources disseminated under subsection (a)—

(1) incorporate the recommendations included in the report submitted under section 3(d);

(2) are generally applicable and usable by a wide range of cyber insurance stakeholders, including issuers, agents, brokers, and customers; and

(3) include case studies and specific examples, where appropriate.

(c) Publication

The resources disseminated under subsection (a) shall be published on the public website of the National Telecommunications and Information Administration.

(d) Outreach

The Assistant Secretary shall conduct outreach and coordination activities to promote the availability of the resources disseminated under subsection (a) to relevant industry stakeholders and the general public.

(e) Voluntary use

Nothing in this section may be construed to require the use of the resources disseminated under subsection (a).
