Last month, Sen Hickenlooper (D,CO) introduced S 513, the Insure Cybersecurity Act of 2023. The bill would require the Department of Commerce (DOC) to convene an interagency working group to look at issues related to cyber insurance. Once the working group produces its report, DOC would be required to provide the public with “informative resources for cyber insurance stakeholders”. No funding is authorized by this bill.
Definitions
Section 2 of the bill provides definitions of eight key terms used in the legislation. Two of the terms are defined by reference to existing statutes. The section also includes an interim definition of the technical term ‘cyber insurance’, which the working group may later revise (see below).
The Working Group
Section 3 of the bill outlines the proposed membership of the working group as well as establishing the activities to be carried out by the group.
The group would be chaired by the Assistant Secretary of Commerce for Communications and Information. The following agencies would each provide at least one member for the working group:
The Cybersecurity and Infrastructure Security Agency,
The National Institute of Standards and Technology,
The Department of the Treasury, and
The Department of Justice.
Section 3(c) would require the working group to carry out the following activities:
Define the term “cyber insurance” in a manner that is different from the definition of that term under section 2(4), if the working group determines that such a modified definition is necessary,
Analyze and explain in a manner most understandable to customers the technical and legal terminology commonly used in policies,
Analyze, and develop recommendations regarding, provisions in policies that relate to ransomware and ransom payments made in response to ransomware,
Analyze and explain in a manner most understandable to customers the terminology used in policies to include or exclude coverage for losses due to cyber incidents that are caused by cyberterrorism or acts of war,
Develop recommendations for prospective customers on ways to effectively evaluate the types and levels of coverage offered under a policy,
Develop recommendations for issuers, agents, and brokers regarding how to provide and communicate policy provisions that are clear and easy to understand for customers,
Identify the constraints of issuers in covering higher amounts of losses and new cyber risk areas currently not covered, including reputational damage and intellectual property lost,
Gather input from issuers on what measures would improve the ability of those issuers to offer additional coverage under policies, including improvements to their actuarial data, cyber risk data, and information sharing mechanisms and effective measurement of the cybersecurity practices of consumers,
Identify the constraints of the market and why more organizations do not use cyber insurance as a risk response mechanism, and
Develop recommendations for customers on how best to use cyber insurance as a risk response mechanism for cyber risk and incentives for doing so.
Public Information
Section 4 of the bill would require DOC to establish, on the National Telecommunications and Information Administration web site, a list of informative resources for cyber insurance stakeholders. That list would include resources that:
Incorporate the recommendations included in the report submitted by the working group,
Are generally applicable and usable by a wide range of cyber insurance stakeholders, including issuers, agents, brokers, and customers, and
Include case studies and specific examples, where appropriate.
The public use of these resources would be entirely voluntary.
Moving Forward
Hickenlooper and his sole cosponsor, Sen Capito (R,WV), are both members of the Senate Commerce, Science and Transportation Committee, to which this bill was assigned for consideration. This means that there should be sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any significant opposition. I expect that the bill would receive bipartisan support.
The bill is not ‘important’ enough to be considered on the floor of the Senate under regular order. I suspect that the bill could be considered under the Senate’s unanimous consent process, but you never can tell what unrelated opposition could lead to an objection under that process.
Commentary
This bill makes no attempt at establishing any regulatory framework for cybersecurity insurance, which would probably be the death knell of any bill currently containing such provisions. The crafters of this bill did do Congress a disservice, however, when they did not take advantage of this working group to outline what future regulatory legislation might look like. I would have added the following subparagraph (K) to Section 3(c)(1):
(K) Identify any regulatory frameworks that may have been proposed to govern the issuance of cyber insurance.