[Congressional Bills 118th Congress]
[From the U.S. Government Publishing Office]
[S. 513 Introduced in Senate (IS)]
118th CONGRESS
1st Session
S. 513
To require the Assistant Secretary of Commerce for Communications and
Information to establish a working group on cyber insurance, to require
dissemination of informative resources for issuers and customers of
cyber insurance, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
February 16, 2023
Mr. Hickenlooper (for himself and Mrs. Capito) introduced the following
bill; which was read twice and referred to the Committee on Commerce,
Science, and Transportation
_______________________________________________________________________
A BILL
To require the Assistant Secretary of Commerce for Communications and
Information to establish a working group on cyber insurance, to require
dissemination of informative resources for issuers and customers of
cyber insurance, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Insure Cybersecurity Act of 2023''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Assistant secretary.--The term ``Assistant Secretary''
means the Assistant Secretary of Commerce for Communications
and Information.
(2) Customer.--The term ``customer'' means an individual or
organization that purchases cyber insurance from an issuer.
(3) Cyber incident.--The term ``cyber incident'' has the
meaning given the term ``incident'' in section 3552(b) of title
44, United States Code.
(4) Cyber insurance.--Subject to section 3(c)(1)(A), the
term ``cyber insurance'' means an insurance policy that,
whether by explicit inclusion or by lack of exclusion, offers
coverage for losses, damages, and costs incurred due to cyber
incidents.
(5) Issuer.--The term ``issuer'' means an organization that
issues cyber insurance.
(6) Policy.--The term ``policy'' means a policy for cyber
insurance.
(7) Small business.--The term ``small business'' has the
meaning given the term ``small business concern'' in section 3
of the Small Business Act (15 U.S.C. 632).
(8) Working group.--The term ``working group'' means the
working group established under section 3(a).
SEC. 3. WORKING GROUP ON CYBER INSURANCE.
(a) Establishment.--Not later than 90 days after the date of
enactment of this Act, the Assistant Secretary shall establish a
working group on cyber insurance.
(b) Composition.--
(1) Membership.--The working group shall be composed of not
less than 1 member from each of the following:
(A) The Cybersecurity and Infrastructure Security
Agency.
(B) The National Institute of Standards and
Technology.
(C) The Department of the Treasury.
(D) The Department of Justice.
(2) Chairperson.--The Assistant Secretary shall be the
chairperson of the working group.
(c) Activities.--
(1) In general.--The working group shall carry out the
following activities:
(A) For the purposes of the activities of the
working group, define the term ``cyber insurance'' in a
manner that is different from the definition of that
term under section 2(4), if the working group
determines that such a modified definition is
necessary.
(B) Analyze and explain in a manner most
understandable to customers the technical and legal
terminology commonly used in policies.
(C) Analyze, and develop recommendations regarding,
provisions in policies that relate to ransomware and
ransom payments made in response to ransomware.
(D) Analyze and explain in a manner most
understandable to customers the terminology used in
policies to include or exclude coverage for losses due
to cyber incidents that are caused by cyberterrorism or
acts of war.
(E) Develop recommendations for prospective
customers on ways to effectively evaluate the types and
levels of coverage offered under a policy.
(F) Develop recommendations for issuers, agents,
and brokers regarding how to provide and communicate
policy provisions that are clear and easy to understand
for customers.
(G) Identify the constraints of issuers in covering
higher amounts of losses and new cyber risk areas
currently not covered, including reputational damage
and intellectual property lost.
(H) Gather input from issuers on what measures
would improve the ability of those issuers to offer
additional coverage under policies, including
improvements to their actuarial data, cyber risk data,
and information sharing mechanisms and effective
measurement of the cybersecurity practices of
consumers.
(I) Identify the constraints of the market and why
more organizations do not use cyber insurance as a risk
response mechanism.
(J) Develop recommendations for customers on how
best to use cyber insurance as a risk response
mechanism for cyber risk and incentives for doing so.
(2) Consultation.--In carrying out the activities of the
working group under paragraph (1), the working group shall
consult with the public in an open and transparent manner,
including by consulting with the following stakeholders:
(A) Issuers.
(B) Insurance agents and brokers with experience in
the sale and distribution of cyber insurance.
(C) Representatives of business customers from
multiple sectors and representatives of small
businesses.
(D) Academia.
(E) State insurance regulators with expertise
regarding cybersecurity and cyber insurance.
(F) Other individuals or entities with
cybersecurity and cyber insurance expertise as the
Assistant Secretary considers appropriate.
(d) Report.--Not later than 1 year after the date on which the
working group first convenes, the working group shall submit to
Congress a report regarding the activities of the working group under
subsection (c) and any recommendations of the working group.
(e) Termination.--The working group shall terminate upon submission
of the report required under subsection (d).
(f) Rule of Construction.--Nothing in this section shall be
construed to--
(1) require adoption of the recommendations of the working
group; or
(2) provide any authority to any member of the working
group or any other individual to regulate the business of
insurance that is not already provided under any other
provision of law.
SEC. 4. DISSEMINATION OF INFORMATIVE RESOURCES FOR CYBER INSURANCE
STAKEHOLDERS.
(a) In General.--Not later than 90 days after the date on which the
working group submits the report required under section 3(d), the
Assistant Secretary shall disseminate and make publicly available
informative resources for cyber insurance stakeholders.
(b) Requirements.--The Assistant Secretary shall ensure that the
resources disseminated under subsection (a)--
(1) incorporate the recommendations included in the report
submitted under section 3(d);
(2) are generally applicable and usable by a wide range of
cyber insurance stakeholders, including issuers, agents,
brokers, and customers; and
(3) include case studies and specific examples, where
appropriate.
(c) Publication.--The resources disseminated under subsection (a)
shall be published on the public website of the National
Telecommunications and Information Administration.
(d) Outreach.--The Assistant Secretary shall conduct outreach and
coordination activities to promote the availability of the resources
disseminated under subsection (a) to relevant industry stakeholders and
the general public.
(e) Voluntary Use.--Nothing in this section may be construed to
require the use of the resources disseminated under subsection (a).