Insure Cybersecurity Act of 2025
The Insure Cybersecurity Act of 2025 would require the Assistant Secretary of Commerce for Communications and Information to create a formal, interagency Working Group on Cyber Insurance within 90 days of enactment. The group would include representatives from CISA, NIST, the Treasury, the Justice Department, the FTC, and at least one state insurance regulator, with the Assistant Secretary serving as chair. Its duties include clarifying and explaining cyber insurance terms and policy provisions to customers, mapping policy language to common cyber incidents (notably ransomware), and exploring how coverage aligns with customer responses and losses. It would also examine issuer constraints, data needs, potential cost-reduction measures, and ways to improve information sharing. The Working Group would consult industry, regulators, businesses, academia, and critical infrastructure owners. A report detailing activities and recommendations would be due to Congress within one year, after which the group would terminate. Separately, the Act would require the dissemination of consumer- and issuer-friendly cyber insurance resources (within 90 days of the report) on the NTIA website, incorporating the group’s recommendations and including case studies, with broad outreach and voluntary use. Sponsors are Senators Hickenlooper and Capito. The bill does not create new regulatory authority or require adoption of its recommendations, and it emphasizes nonbinding guidance and information sharing rather than new rules.
Key Points
- Establishment and composition of a Working Group on Cyber Insurance
  - Must be formed within 90 days; chaired by the Assistant Secretary.
  - Members must include at least one representative from CISA, NIST, the Treasury, the Justice Department, and the FTC, plus at least one state insurance regulator with cybersecurity expertise.
- Defined activities of the Working Group
  - May modify the definition of cyber insurance for its purposes if needed.
  - Explain policy terms and how they relate to common cyber incidents (e.g., ransomware).
  - Explain policy coverage in relation to customer responses and recovery, including ransom considerations.
  - Explain terminology that governs what is included or excluded from coverage.
  - Assess issuer constraints on high-loss coverage (reputational damage, IP loss) and identify ways to reduce costs and risk.
  - Develop information to help customers evaluate coverage and to help issuers communicate provisions clearly.
  - Gather issuer input on improving coverage through better data, data sharing, and measurement of customer cybersecurity practices.
  - Propose measures to reduce policy costs and cyber risk incidence.
  - Provide recommendations to customers on how to use cyber insurance effectively.
- Stakeholder consultation
  - The group must engage issuers, agents/brokers, business customers (including small businesses), academia, regulators, critical infrastructure owners/operators, and others with expertise.
- Reporting and termination
  - A report on activities and recommendations due to Congress within 1 year of the group’s first convening.
  - The group terminates after submitting the report.
- Dissemination of informative resources
  - Within 90 days after the report, the Assistant Secretary must publish resources for cyber insurance stakeholders.
  - Resources must reflect the group’s recommendations, be broadly applicable, and include case studies.
  - Materials will be published on the NTIA website with active outreach; use of the resources is voluntary.
- Limitations on authority
  - The bill explicitly does not require adoption of the working group’s recommendations.
  - It does not grant new regulatory authority beyond what exists under current law.
- Definitions and scope
  - Defines key terms (Assistant Secretary, critical infrastructure, customer, cyber incident, cyber insurance, issuer, policy, small business, working group) and ties several definitions to established statutes.