Senate bill aims to improve consumer understanding of cyber insurance coverage, address ‘ambiguities’

A new bill by Sens. John Hickenlooper (D-CO) and Shelley Moore Capito (R-WV) would establish a Commerce Department working group to “improve communication over cybersecurity insurance coverage levels,” addressing potential confusion over what’s actually covered in cyber insurance policies and tracking with a Cyberspace Solarium Commission recommendation.

“Small businesses need to be able to count on cyber insurance policies to protect them,” according to Hickenlooper. “But policies can be confusing or unclear about coverage, leaving many businesses at more risk than they think. That’s why we’re making more cyber insurance resources available and policy information easier to understand.”

Capito said, “The Insure Cybersecurity Act will lower the cost potential targets have to take on when they are attacked by cyber-criminals. By doing so, businesses can make sure their workers will be paid if they are attacked and their operations can continue unabated from criminal instruction to their networks.”

Mark Montgomery, former executive director of the Cyberspace Solarium Commission and now executive director of CSC 2.0, said the bill "is absolutely consistent with the [commission’s] recommendations and I believe the Working Group proposed in this legislation can help tackle some of the insurance industries' underlying problems in cyber policies like a lack of standard terminology and lack of clarity in coverage limits.”

The “Insure Cybersecurity Act” was unveiled Tuesday and referred to the Senate Commerce Committee. Hickenlooper chairs the Senate Commerce consumer protection, product safety and data security subcommittee. Capito is a Commerce Committee member.

Elisabeth Case, a managing director in Marsh’s U.S. and Canada cyber practice, told Inside Cybersecurity, “We view the legislation as a positive development in our mutual goal of bringing more clarity to the cyber insurance marketplace. Clearer policy language and more consistent coverage are essential in realizing the full potential of cyber insurance as a risk transfer tool.”

“Separately,” Case said, “Marsh is engaged in the creation of a cyber lexicon with the hope that a common framework from which to understand and talk about cyber risk will foster mutual understanding and enable a more productive way forward when building cyber insurance solutions to meet the evolving needs of businesses.”

According to a joint release from the senators, the bill directs the National Telecommunications and Information Administration “to create a dedicated working group to develop recommendations for issuers, agents, brokers, and customers to improve communication over cybersecurity insurance coverage levels. It will also direct the NTIA to publish easily understandable resources on cybersecurity insurance.”

The release said “details of cyber insurance coverage are often hard to understand,” citing a Government Accountability Office report finding “ambiguity in policy language can result in misunderstandings and litigation between issuers and policyholders and that many customers, especially smaller businesses, may underestimate the coverage they need to protect against cyber risks.”

The bill requires establishment of the NTIA cyber insurance working group within 90 days of enactment, with members from CISA, NIST, and the Treasury and Justice departments. It would be chaired by Commerce’s assistant secretary for communications and information, who leads NTIA.

The working group would “analyze and explain in a manner most understandable to customers the technical and legal terminology commonly used in policies; analyze, and develop recommendations regarding, provisions in policies that relate to ransomware and ransom payments made in response to ransomware; [and] analyze and explain in a manner most understandable to customers the terminology used in policies to include or exclude coverage for losses due to cyber incidents that are caused by cyberterrorism or acts of war.”

Among elements of the working group’s charter, the body would “develop recommendations for customers on how best to use cyber insurance as a risk response mechanism for cyber risk and incentives for doing so.”

The working group would report to Congress within one year of first convening.

Within 90 days of submitting the report, the head of NTIA “shall disseminate and make publicly available informative resources for cyber insurance stakeholders.” The bill specifies that the tools are for voluntary use.