The bill requires the Assistant Secretary of Commerce for Communications and Information to establish a time-limited working group on cyber insurance that brings together federal agencies, at least one state insurance regulator, and private-sector stakeholders. The working group must analyze policy language, map coverage to common cyber incidents and customer responses, solicit issuer input on data and risk measurement gaps, and then deliver a report to Congress within one year.
After the report, NTIA must publish publicly available guidance and illustrative resources on its website — aimed at issuers, agents, brokers, and customers — and conduct outreach to promote those resources. The statute is explicitly advisory: it creates no new insurance regulatory authority and makes use of the published materials voluntary, but it aims to reduce confusion in the market and surface measures that could lower costs and expand available coverage.
At a Glance
What It Does
Creates a federally chaired working group under NTIA that must define or refine the term “cyber insurance,” analyze policy terms and coverage gaps, gather issuer input on data and measurement needs, and deliver recommendations in a report within one year. Following the report, NTIA must publish general-purpose resources and case studies on its public site and perform outreach to stakeholders.
Who It Affects
Primary audiences are cyber insurers, agents and brokers, business customers (including small businesses and critical infrastructure owners), state insurance regulators, and federal cybersecurity agencies (CISA, NIST, DOJ, Treasury, FTC). Insurers and brokers are the most directly implicated because the work focuses on policy wording, actuarial inputs, and distribution practices.
Why It Matters
The bill addresses pervasive uncertainty about what cyber policies cover, how policies map to ransomware and recovery actions, and why coverage limits vary. By centralizing cross-agency expertise and industry input, it could produce shared definitions, improve insurer data practices, and lower barriers to purchasing adequate coverage — without creating binding federal insurance rules.
What This Bill Actually Does
The bill tasks the Assistant Secretary at the National Telecommunications and Information Administration (NTIA) with convening a working group within 90 days of enactment. The group must include representatives from specified federal agencies and at least one state insurance regulator; the Assistant Secretary chairs the effort.
Membership and consultation requirements are designed to force conversation between cybersecurity agencies (who understand threat and mitigation), financial regulators (who understand risk and market stability), and insurance regulators (who control how insurance is sold and priced at the state level).
The working group’s analysis is operational: it must translate technical and legal policy language into plain English for customers, explain how standard policy provisions behave in common incidents (for example, how coverage responds to ransomware payments or business recovery actions), and produce guidance on evaluating coverage levels. It must also gather concrete input from issuers about what data and information-sharing practices would allow them to underwrite broader or deeper coverage, and identify measures that could reduce underwriting costs and the frequency of incidents. The group has authority to redefine the statutory term “cyber insurance” for the purposes of its work if necessary, but its output is advisory.
It must submit a report to Congress within one year of first convening and then terminate. Within 90 days after that report, NTIA must publish generally applicable, example-rich resources on its public website and conduct outreach so market participants know they exist.
The statute explicitly preserves existing state insurance regulatory authority and does not force adoption of any recommendations; use of the published resources is voluntary.
The Five Things You Need to Know
NTIA must establish the working group within 90 days of enactment and the Assistant Secretary chairs it.
The working group must include representatives from CISA, NIST, Treasury, DOJ, FTC, and at least one state insurance regulator.
The group can produce a modified definition of “cyber insurance” for its analyses if it determines a different definition is necessary.
The working group must submit a report to Congress within one year of first convening; the group terminates upon submission of that report.
NTIA must publish informative resources on its website within 90 days after the report and perform outreach, but the resources are explicitly voluntary and carry no regulatory force.
Section-by-Section Breakdown
Short title
Establishes the Act’s name as the “Insure Cybersecurity Act of 2025.” This is purely formal but signals the bill’s policy focus: bridging cybersecurity practice and the cyber insurance market.
Definitions used throughout the bill
Sets baseline definitions for terms such as Assistant Secretary, issuer, customer, cyber incident, and small business, and incorporates the existing statutory meaning of critical infrastructure. The definitions form the reference point for the working group but also leave space—under section 3(c)(1)(A)—for the group to adapt the operative meaning of “cyber insurance” for its work.
Establish and scope the working group
Requires the Assistant Secretary to convene a working group within 90 days and serve as chair. The composition requirement names federal agencies (CISA, NIST, Treasury, DOJ, FTC) and at least one state insurance regulator, ensuring cross-cutting expertise. The statutory activities are detailed and practical: translate policy language for customers, map provisions to incident types and to customer responses (including ransom-related choices), solicit issuer views on actuarial and data gaps, and recommend ways to reduce costs and incidents. The group must consult broadly with issuers, brokers, customers (including small businesses), academia, and critical infrastructure operators. It must report to Congress within one year and then disband. A rule of construction clarifies that the group’s recommendations are nonbinding and do not create new insurance-regulatory authority.
Publish and promote informative resources
Mandates NTIA to publish the working group’s recommendations as generally applicable guidance on the NTIA website within 90 days after the report, including case studies and examples. The materials must be usable by issuers, agents, brokers, and customers; NTIA must also run outreach to ensure market visibility. The statute states explicitly that use of the resources is voluntary and that NTIA cannot use this authority to regulate the business of insurance — positioning the deliverables as market-shaping guidance rather than binding rules.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Small businesses and other customers — They gain clearer, example-driven materials to compare policy terms, understand what typical cyber incidents mean for coverage, and make more informed purchasing choices.
- Insurance issuers able to access better data — The bill encourages development of actuarial data and information-sharing mechanisms, which can reduce model uncertainty and enable insurers to offer broader or lower-cost coverages if implemented effectively.
- Agents and brokers — Standardized plain-language explanations and case studies reduce ambiguity in sales and placement, lowering potential disputes over coverage and simplifying client counseling.
- State insurance regulators — Participation gives regulators early visibility into federal coordination efforts and insurer data gaps, helping align oversight priorities without ceding regulatory authority.
- Critical infrastructure operators — Guidance that maps policy provisions to incident responses helps these organizations assess whether their cyber insurance aligns with continuity and recovery needs.
Who Bears the Cost
- NTIA / Assistant Secretary — NTIA must staff and run the working group, prepare the report, publish materials, and conduct outreach, imposing administrative and coordination burdens on the agency.
- Insurers — While participation is voluntary, market pressure could push insurers to share more actuarial and cyber risk data, update policy language, or change underwriting practices, which could require investment in data systems and legal review.
- State insurance regulators — Engagement requires time and resources from regulators who must balance this work with enforcement and rulemaking priorities at the state level.
- Agents and brokers — They may need to revise client-facing materials and training to reflect new illustrative resources, incurring modest implementation costs.
- Smaller market entrants — If the working group’s recommendations coalesce into widely adopted market conventions, smaller insurers could face competitive pressure to conform, which may raise compliance costs.
Key Issues
The Core Tension
The bill tries to improve transparency and expand cyber insurance availability by producing authoritative, plain-language guidance and by encouraging data sharing. Doing so risks creating de facto standards and information regimes that could privilege large incumbents, conflict with state insurance prerogatives, or expose sensitive competitive and incident data. Balancing helpful standardization against market competition, privacy, and state regulation is the central dilemma.
The Act is deliberately advisory, but advisory products can become de facto standards. If the working group’s plain-language templates or definitions gain industry traction, insurers, brokers, and courts may begin to treat them as benchmark practice even though the statute preserves state regulatory authority.
That dynamic creates a coordination benefit (standardization) and a risk (informal centralization of market norms without formal rulemaking or notice-and-comment).
Collecting the actuarial and cyber-risk data the bill asks for is easier said than done. Issuers hold proprietary loss data and may be reluctant to share it without clear antitrust, confidentiality, or privacy safeguards.
Designing voluntary information-sharing mechanisms that produce useful, comparable metrics while protecting competition and sensitive incident details will be a technical and legal challenge. Similarly, the bill’s requirement to measure cybersecurity practices of customers raises measurement problems: simple checklists risk gaming, while deep technical audits are costly and raise privacy and operational concerns for customers.
Finally, the bill sits at the intersection of federal advisory action and state-based insurance regulation. The rule of construction preserves state authority, but practical coordination is required to avoid mixed signals: states may view federal guidance as interference, while federal cybersecurity agencies may expect alignment.
The timeline (working group convenes within 90 days, report within a year, publication within 90 days thereafter) is tight, which heightens the risk that the output will favor readily available stakeholders and entrenched market participants rather than smaller or less-resourced entities.