
Thursday, February 6, 2025

S 245 Ordered Reported Favorably in Senate - Insure Cybersecurity Act

Yesterday, the Senate Commerce, Science, and Transportation Committee held a business meeting to consider 17 pieces of legislation. Among those bills was S 245, the Insure Cybersecurity Act of 2025. According to yesterday’s Congressional Record the bill was ordered reported favorably without any amendments. No word is available in the CR or the meeting record about the type of vote held on that order.

Once the Committee report is published (which could be months), the bill would be cleared for consideration before the full Senate. It is unlikely to be considered under regular order (too time consuming with too many nominations to consider). If it is considered it would be under the Senate’s unanimous consent process.

No committee action was taken on a similar bill, S 513, last session. This is not a Republican vs Democrat issue since the sponsor of the bill, Sen Hickenlooper (D,CO), is a Democrat. This seems more likely to be a change in focus of the new Republican Committee Chair, Sen Cruz (R,TX).

Review – S 245 Introduced – Insure Cybersecurity

Last month, Sen Hickenlooper (D,CO) introduced S 245, the Insure Cybersecurity Act of 2025. The bill would require the Department of Commerce to convene an interagency working group to look at issues related to cyber insurance. Once a report from the working group is produced, DOC would be required to provide the public with “informative resources for cyber insurance stakeholder”. No funding is authorized by this bill.

The bill is very similar to S 513 that was introduced by Hickenlooper in January 2023. No action was taken on that bill. Significant changes were made in S 245, including adding the Federal Trade Commission and at least one State insurance regulator to the list of Working Group members. There were also numerous minor changes to the focus of listed activities for the Working Group.

Moving Forward

Both Hickenlooper and his sole cosponsor {Sen Capito (R,WV)} are members of the Senate Commerce, Science and Transportation Committee to which this bill was assigned for consideration. This means that there should be sufficient influence to see the bill considered in Committee. I see nothing in the bill that would engender any significant opposition. I expect that the bill would receive bipartisan support.

The bill is not ‘important’ enough to be considered on the floor of the Senate under regular order. I suspect that the bill could be considered under the Senate’s unanimous consent process, but you never can tell what unrelated opposition could lead to an objection under that process.

Commentary

This bill makes no attempt at establishing any regulatory framework for cybersecurity insurance, which would probably be the death knell of any bill currently containing such provisions. The crafters of this bill did do Congress a disservice, however, when they did not take advantage of this working group to outline what future regulation legislation might look like. I would have added the following subparagraph (K) to Section 3(c)(1):

(K) Identify any regulatory frameworks that may have been proposed to govern the issuance of cyber insurance.


For more details about the proposed legislation, see my article at CFSN Detailed Analysis - https://chemical-facility-security-news.blogspot.com/2025/02/review-s-245-introduced-insure.html [link added 2-6-25 11:50 pm EST] - subscription required.

Thursday, September 29, 2022

Review - Treasury Publishes RFI for Cyber Incident Financial Risk Assessment

Today, the Treasury Department published a request for comment in the Federal Register (87 FR 59161-59163) concerning “Potential Federal Insurance Response to Catastrophic Cyber Incidents”. This action is being taken in response to a GAO recommendation “to produce a joint [with CISA] assessment for Congress on the extent to which the risks to the nation's critical infrastructure from catastrophic cyberattacks, and the potential financial exposures resulting from these risks, warrant a federal insurance response.”

The request for comments is looking for responses to questions in the following areas:

• Catastrophic cyber incidents,
• Potential federal insurance response for catastrophic cyber incidents, and
• Other information.

Public Comments

The Treasury is soliciting public comments on these topics. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov). Unfortunately, today’s notice does not include a docket number for this request and the Portal does not currently list this information request, but based upon past experience it should show up there tomorrow. Alternatively, comments may be snail mailed to:

Federal Insurance Office

Attn: Richard Ifft, Room 1410 MT

Department of the Treasury

1500 Pennsylvania Avenue NW

Washington, DC 20220

Comments should be submitted by November 14th, 2022.


For more details about the information that the Treasury is looking for, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/treasury-publishes-rfi-for-cyber - subscription required.

Saturday, April 23, 2022

CRS Reports – Cybersecurity Insurance and the War in Ukraine

This week the Congressional Research Service (CRS) published a report on “Insurance, Cyberattacks, and War in Ukraine”. It includes a general discussion about the potential impact of war clauses on insurance policies and how such clauses have been handled in the courts in relation to cyber insurance.

Thursday, November 18, 2021

TRIP 2022 Data Call Changes Cyber Insurance Information Request

Today the Treasury Department’s Federal Insurance Office (FIO) published a notice in the Federal Register (86 FR 64600-64603) concerning proposed changes to the Terrorism Risk Insurance Program’s (TRIP) 2022 Data Call. The revised data collection would include changes to the data templates used to collect information about cyber insurance.

The notice reports that:

“The cyber insurance market continues to grow and evolve, and cyber-related losses (particularly with regard to ransomware) have increased significantly over the past few years.[14] In view of recent market developments and the important role of cyber insurance in the Program, Treasury would like to obtain more detailed information relating to the availability and affordability of such coverage in the market.”

The changes in the cyber question include:

• Premium and limits information for cyber coverages written in non-TRIP-eligible lines of insurance,
• Premium and policy count information broken out by size of policyholder,
• Specific information on the cyber extortion [ransomware] coverages provided under cyber insurance policies, and
• Loss information regarding these ransomware exposures.

The FIO is requesting public comments about the proposed changes in the 2022 data call. Comments may be submitted via the Federal eRulemaking Portal (www.regulations.gov; docket # OMB Control Number 1505-0257). Comments should be submitted by January 18th, 2022.

Saturday, April 2, 2016

NIST Updates Workshop Agenda

This week the National Institute of Standards and Technology (NIST) published an updated version of the draft agenda for next week’s NIST Cybersecurity Framework (CSF) Workshop. The new version provides more details about the breakout sessions where most of the work will be accomplished. It also includes more information on some of the panel discussions.

Panel Discussions

There are two of the panel discussions that may be of specific interest to readers of this blog; one on Coast Guard use of the CSF and the other on insurance and the CSF. Here is how the agenda describes these two panels:

US Coast Guard Maritime Profile Strategy – This panel will focus on the work done by the US Coast Guard and partner organizations on building security profiles, based on the Framework, to secure the bulk liquid transport sector.

Insurance – This panel will discuss the benefits to an evolving and growing insurance market of a widely used and consistent approach to understanding and communicating cyber risks. Panelists will provide their experience with using the Cybersecurity Framework for developing and analyzing data and using the data for underwriting cyber risks.

Other News

The Workshop web page also announced this week that registration has closed for attending the Workshop in person. People that did not complete the registration process will not be allowed on the NIST campus during the workshop. NIST also announced that they would be web casting at least portions of the Workshop on the Workshop homepage starting at 08:30 EDT on April 6th.

NIST also published the ‘official’ TWITTER® hashtag for the Workshop: #NISTCSF. Those of you who already follow NIST on TWITTER (@USNISTGOV) will already have seen that hashtag in their announcements about the Workshop. It is nice to see a government agency making proactive use of social media and not just flooding media with meaningless sound bites.

Monday, March 28, 2016

Enhancing Resilience Through Cyber Incident Data Sharing and Analysis

Today the DHS National Protection and Programs Directorate (NPPD) published a notice in the Federal Register (81 FR 17193-17194) requesting comments on three white papers produced by the NPPD Staff in conjunction with work done by the Cyber Incident Data and Analysis Working Group (CIDAWG) (comprised of CISOs and CSOs from various critical infrastructure sectors, insurers, and other cybersecurity professionals). The white papers address the critical need for information sharing as a means to create a more robust cybersecurity insurance marketplace and improve enterprise cyber hygiene practices across the public and private sectors.

The three white papers are:

The Value Proposition

The first whitepaper describes how a cyber incident data repository could help advance the cause of cyber risk management. NPPD is seeking input on the following questions in relation to this document:

• What value would an anonymized and trusted cyber incident data repository, as described in the white paper, have in terms of informing and improving cyber risk management practices?
• Do you agree with the potential benefits of an anonymized and trusted repository, as outlined in the white paper, that enterprise risk owners and insurers could use to share, store, aggregate, and analyze sensitive cyber incident data?
• Are there additional benefits of an anonymized and trusted repository that are not mentioned in the white paper? Please explain them briefly.
• What kinds of analysis from an anonymized and trusted repository would be most useful to your organization?

Establishing Community-Relevant Data Categories

The second whitepaper addresses the kinds of prioritized data categories and associated data points that should be shared among repository users to promote new kinds of needed cyber risk analysis. NPPD is seeking input on the following questions in relation to this document:

• Could specific data points within the 16 data categories effectively inform analysis to bolster cyber risk management activities?
• Are the 16 data categories accurately defined?
• What additional data categories could inform useful analysis to improve cyber risk management practices?
• What do these additional data categories mean from a CISO or other cybersecurity professional perspective?
• Rank the level of importance for each data category, including any additional data categories that you have identified.
• What value does each data category and associated data points bring to a better understanding of cyber incidents and their impacts?
• What does each data point actually mean (and to whom); and which ones are the greatest priority, to which stakeholders, and why?
• How easy/difficult would it be to access data associated with these categories in your organization and then share it into a repository and why?

Overcoming Perceived Obstacles

The final white paper identifies perceived obstacles to voluntary cyber incident data sharing and offers potential approaches to overcoming those obstacles. NPPD is seeking input on the following questions in relation to this document:

• Would your organization be interested in contributing to a cyber incident data repository and using repository-supported analysis to improve your organization's risk management practices?
• What obstacles do you anticipate—both internal and external to your organization—that might prevent the sharing of cyber incident data into a repository?
• Who might say ‘no’ to sharing and why?
• What mechanisms, policies, and procedures could help overcome these obstacles to sharing?

Public Comments

NPPD is soliciting public comments on the above topics. In particular, it is looking for comments from members of the cybersecurity and insurance communities; chief information security officers (CISOs); chief security officers (CSOs); academia; Federal, State, and local governments; industry; and professional organizations/societies.

NPPD tries to make it clear in this request for comments that they are not looking for specific program proposals at this time. What they are trying to do at this stage is to provide additional information to the CIDAWG for its continued work to better understand the potential of an anonymized and trusted cyber incident data repository to address the cybersecurity needs of the public and private sectors.

Comments may be submitted via email (cyber.security.insurance@hq.dhs.gov). Comments should be submitted by May 24th, 2016.

Commentary

There is no indication in the Federal Register Notice whether NPPD is looking at IT or OT systems or both. The reason for this (after a brief look at the table of contents of the three white papers) is that NPPD is apparently not making any differentiation between the two. The second white paper, for instance, includes five theoretical case studies and the first of those is a control system incident.

I have not yet had a chance to take a detailed look at any of the publications, but the brief look that I have made seems to indicate that the CIDAWG is making some subtle (and probably unintentional) oversights in the scope of their work. For instance, the sample data input page (pg 8 of the data categories paper) lists health records under data theft, but it does not specifically include any mention of medical devices, apparently lumping them under the ‘SCADA/ICS Attack’ category. Similarly, there is no specific mention of transportation related attacks.

The other thing that is missing from this discussion appears to be any focus on who would be collecting and analyzing the incident data. It looks to me like there has been an underlying assumption that the government (specifically some organization within NPPD) would be responsible for this function. That may be an appropriate governmental function, but there are alternatives that should also be addressed in this work. The Insurance Institute for Highway Safety, for instance, comes to mind as an organization with a similar function.

The last point that I would like to make here is a question about the openness of this comment process. NPPD has chosen to internalize the comment management process instead of utilizing the Federal eRulemaking Portal. The public advantage of the formal submission process is that all comments are publicly posted in an easily accessible and well understood web site. Now NIST has successfully used an internalized submission management process and they did a good job on their request for information projects in making sure that the comments were clearly posted on their web site. NIST made it clear in the request notices that such postings would be made. NPPD has not done that in this notice.

Monday, March 21, 2016

Congressional Hearings – Week of 3-20-16

This week the House will be in session for a short week and then leave for their two week (plus) Easter Recess while the Senate is already home for their two weeks. Budget hearings are slowing down and there will be one non-budget hearing of potential interest to readers of this blog.

Budget

There is only one budget hearing this week of potential interest. The Defense Subcommittee of the House Appropriations Committee will be holding a hearing on Tuesday to look at the budget for Guard and Reserve forces. Since many of the cybersecurity troops are found in Guard and Reserve units, this portion of the budget may be of interest.

Cyber Insurance

Also on Tuesday the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee of the House Homeland Security Committee will be holding a hearing on “The Role of Cyber Insurance in Risk Management”. The witness list includes:

• Matthew McCabe, Marsh Finpro;
• Adam W. Hamm, North Dakota Insurance Commissioner;
• Daniel Nutkis, Health Information Trust Alliance;
• Tom Finan, Ark Network Security Solutions.

I have not really begun to address cyber insurance in this blog, mainly because it has not yet become a real part of control system risk management. I would expect that this hearing could provide some insight into how this risk management tool is evolving, but I do not think that there will be any mention of ICS related insurance. Watch, however, for mention of 3rd party liability. Once the insurance industry starts to address that in cyber insurance then I would expect to start to see real control system policies being written.

On the Floor

There will be one bill coming to the House floor this week that may be of specific interest to readers of this blog, S 1180 – Integrated Public Alert and Warning System Modernization Act of 2015. It is interesting that the House leadership has decided to take up this bill instead of either of the two House bills on this topic.

The bill will be considered under suspension of the rules, so there will be no amendments and limited debate. I expect that the bill will be sent to the President with substantial bipartisan support.