S. 245: Insure Cybersecurity Act of 2025

This bill, titled the Insure Cybersecurity Act of 2025, aims to enhance the understanding and accessibility of cyber insurance. Here are the key components of the bill:

Working Group Establishment

The bill requires the Assistant Secretary of Commerce for Communications and Information to create a working group focused on cyber insurance within 90 days of the bill’s enactment. This group will consist of various stakeholders, including:

• Members from the Cybersecurity and Infrastructure Security Agency
• The National Institute of Standards and Technology
• The Department of the Treasury
• The Department of Justice
• The Federal Trade Commission
• A State insurance regulator with expertise in cybersecurity

Activities of the Working Group

The working group will conduct several activities aimed at improving the clarity and effectiveness of cyber insurance policies. These activities include:

• Defining the term "cyber insurance" for clearer understanding
• Explaining technical and legal terms used in insurance policies in simpler language
• Describing how policy provisions relate to common cyber incidents, such as ransomware attacks
• Providing guidance on how policies respond to customer actions in the event of an incident
• Clarifying exclusions in policies regarding various cyber incidents
• Identifying measures to help insurers cover more losses and reduce overall cyber risk
• Offering recommendations to customers on the effective use of cyber insurance

Consultation Process

Throughout its activities, the working group will consult with a range of stakeholders to ensure varied perspectives are considered. This will include:

• Cyber insurance issuers
• Insurance agents and brokers
• Business representatives across different sectors, including small businesses
• Academics and experts in cybersecurity and insurance
• Operators of critical infrastructure
• Others deemed relevant by the Assistant Secretary

Reporting and Dissemination

Within one year of its first meeting, the working group must submit a report to Congress detailing its activities and findings. Following the report, the Assistant Secretary is tasked with:

• Making the report publicly available
• Distributing informative resources related to cyber insurance
• Ensuring that resources incorporate the report's recommendations and are accessible to a wide audience

Resource Availability

The resources developed will be published on the official website of the National Telecommunications and Information Administration, and outreach activities will be conducted to inform industry stakeholders and the public about these resources. Importantly, the use of these resources will be voluntary.

Regulatory Considerations

The bill clarifies that it does not mandate the adoption of the working group’s recommendations and does not grant regulatory authority over the insurance industry beyond what is already available under existing law.

Relevant Companies

• ALL (Allstate Corporation) - As a major provider of various insurance products, including cyber insurance, Allstate may need to adjust its policies in response to the recommendations of the working group.
• ACE (Chubb Limited) - Chubb is heavily involved in cyber insurance, and changes resulting from the working group could impact their insurance model and policy offerings.
• AIG (American International Group, Inc.) - AIG's involvement in cyber insurance may lead to necessary adaptations of policies influenced by the working group's findings.
• CMI (Marsh & McLennan Companies, Inc.) - Marsh & McLennan, as a global leader in insurance brokerage, could be impacted as they navigate the potential shifts in the landscape of cyber insurance following the recommendations.