119TH CONGRESS
1ST SESSION
S. 245

To require the Assistant Secretary of Commerce for Communications and Information to establish a working group on cyber insurance, to require dissemination of informative resources for issuers and customers of cyber insurance, and for other purposes.

IN THE SENATE OF THE UNITED STATES

JANUARY 24, 2025

Mr. HICKENLOOPER (for himself and Mrs. CAPITO) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation

A BILL

To require the Assistant Secretary of Commerce for Communications and Information to establish a working group on cyber insurance, to require dissemination of informative resources for issuers and customers of cyber insurance, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

This Act may be cited as the “Insure Cybersecurity Act of 2025”.

SEC. 2. DEFINITIONS.

In this Act:
  (1) ASSISTANT SECRETARY.—The term “Assistant Secretary” means the Assistant Secretary of Commerce for Communications and Information.
  (2) CRITICAL INFRASTRUCTURE.—The term “critical infrastructure” has the meaning given the term in subsection (e) of the Critical Infrastructures Protection Act of 2001 (42 U.S.C. 5195c).
  (3) CUSTOMER.—The term “customer” means an individual or organization that purchases cyber insurance from an issuer.
  (4) CYBER INCIDENT.—The term “cyber incident” has the meaning given the term “incident” in section 3552(b) of title 44, United States Code.
  (5) CYBER INSURANCE.—Subject to section 3(c)(1)(A), the term “cyber insurance” means an insurance policy that includes coverage for losses, damages, and costs incurred due to cyber incidents.
  (6) ISSUER.—The term “issuer” means an organization that issues cyber insurance.
  (7) POLICY.—The term “policy” means a policy for cyber insurance.
  (8) SMALL BUSINESS.—The term “small business” has the meaning given the term “small business concern” in section 3 of the Small Business Act (15 U.S.C. 632).
  (9) WORKING GROUP.—The term “working group” means the working group established under section 3(a).

SEC. 3. WORKING GROUP ON CYBER INSURANCE.

(a) ESTABLISHMENT.—Not later than 90 days after the date of enactment of this Act, the Assistant Secretary shall establish a working group on cyber insurance.
(b) COMPOSITION.—
  (1) MEMBERSHIP.—The working group shall be composed of the following members:
    (A) Not less than 1 member from each of the following:
      (i) The Cybersecurity and Infrastructure Security Agency.
      (ii) The National Institute of Standards and Technology.
      (iii) The Department of the Treasury.
      (iv) The Department of Justice.
      (v) The Federal Trade Commission.
    (B) Not less than 1 State insurance regulator with expertise regarding cybersecurity and cyber insurance.
  (2) CHAIRPERSON.—The Assistant Secretary shall be the chairperson of the working group.
(c) ACTIVITIES.—
  (1) IN GENERAL.—The working group shall carry out the following activities:
    (A) For the purposes of the activities of the working group, define the term “cyber insurance” in a manner that is different from the definition of that term under section 2(5), if the working group determines that such a modified definition is necessary.
    (B) Analyze and explain in a manner understandable to customers the technical and legal terminology commonly used in policies.
    (C) Analyze and explain in a manner understandable to customers how provisions in policies correspond to common types of cyber incidents, including those involving ransomware.
    (D) Analyze and explain in a manner understandable to customers how provisions in policies correspond to common customer responses to cyber incidents, including with respect to system recovery and potential ransom payments.
    (E) Analyze and explain in a manner understandable to customers the terminology used in policies to include or exclude coverage for losses due to cyber incidents.
    (F) Analyze and explain in a manner understandable to customers the constraints faced by issuers in covering higher amounts of losses and cyber risk areas, such as reputational damage and the loss of intellectual property.
    (G) Develop information for customers on ways to effectively evaluate the types and levels of coverage offered under a policy.
    (H) Develop information for issuers, agents, and brokers regarding how to provide and communicate policy provisions that are clear and easy to understand for customers.
    (I) Gather input from issuers on what measures could improve the ability of those issuers to offer additional coverage under policies, including—
      (i) improvements to their actuarial data and cyber risk data;
      (ii) the development of effective information sharing mechanisms; and
      (iii) accurate measurement of the cybersecurity practices of customers.
    (J) Identify what measures could reduce the cost of policies and reduce the amount of cyber risk and the number of cyber incidents.
    (K) Develop recommendations for customers on how best to use cyber insurance and the benefits of doing so.
  (2) CONSULTATION.—In carrying out the activities of the working group under paragraph (1), the working group shall consult with the public in an open and transparent manner, including by consulting with the following stakeholders:
    (A) Issuers.
    (B) Insurance agents and brokers with experience in the sale and distribution of cyber insurance.
    (C) Representatives of business customers from multiple sectors and representatives of small businesses.
    (D) Academia.
    (E) State insurance regulators with expertise regarding cybersecurity and cyber insurance.
    (F) Owners and operators of critical infrastructure.
    (G) Other individuals or entities with cybersecurity and cyber insurance expertise as the Assistant Secretary considers appropriate.
(d) REPORT.—Not later than 1 year after the date on which the working group first convenes, the working group shall submit to Congress a report regarding the activities of the working group under subsection (c) and any recommendations of the working group.
(e) TERMINATION.—The working group shall terminate upon submission of the report required under subsection (d).
(f) RULE OF CONSTRUCTION.—Nothing in this section shall be construed to—
  (1) require adoption of the recommendations of the working group; or
  (2) provide any authority to any member of the working group or any other individual to regulate the business of insurance that is not already provided under any other provision of law.

SEC. 4. DISSEMINATION OF INFORMATIVE RESOURCES FOR CYBER INSURANCE STAKEHOLDERS.

(a) IN GENERAL.—Not later than 90 days after the date on which the working group submits the report required under section 3(d), the Assistant Secretary shall disseminate and make publicly available informative resources for cyber insurance stakeholders.
(b) REQUIREMENTS.—The Assistant Secretary shall ensure that the resources disseminated under subsection (a)—
  (1) incorporate the recommendations included in the report submitted under section 3(d);
  (2) are generally applicable and usable by a wide range of cyber insurance stakeholders, including issuers, agents, brokers, and customers; and
  (3) include case studies and specific examples, where appropriate.
(c) PUBLICATION.—The resources disseminated under subsection (a) shall be published on the public website of the National Telecommunications and Information Administration.
(d) OUTREACH.—The Assistant Secretary shall conduct outreach and coordination activities to promote the availability of the resources disseminated under subsection (a) to relevant industry stakeholders and the general public.
(e) VOLUNTARY USE.—Nothing in this section may be construed to require the use of the resources disseminated under subsection (a).