Industry Trade Associations Oppose Potential New Cyber Claims Data-Sharing Rules

July 13, 2022
New You can now listen to Insurance Journal articles!

Insurance industry trade associations said they do not want “misguided provisions” related to cyber claims data sharing in the next National Defense Authorization Act (NDAA) for fiscal year 2023.

The American Property Casualty Insurance Association (APCIA), National Association of Mutual Insurance Companies (NAMIC), Independent Insurance Agents & Brokers of America (Big I),and the Council of Insurance Agents and Brokers (The Council), sent a joint letter to members of the U.S. House of Representatives’ Committee on Homeland Security in opposition to an amendment to establish an Office of Cyber Statistics within the Cybersecurity and Infrastructure Security Agency (CISA).

In June the Senate Armed Services Committee voted to advance the the NDAA for fiscal year 2023 to the Senate floor. The act sets the annual budget and expenditures of the U.S. Department of Defense, including for cybersecurity.

The modification to the act requires the newly established office to seek data from insurers about cyber incidents that have led to a covered claim, including “detailed data beyond the scope of information insurers currently collect or need to process claims,” the letter said.

“If passed, this language would be an unwarranted intrusion into the contractual relationship between insurance providers and their customers,” the associations wrote, adding that the proposal has not been introduced or considered by multiple committees with jurisdiction over CISA or the business of insurance in the House or Senate.

The new reporting requirements would require insurers to “retool systems” and add resources to “cull detailed, granular information about a policyholder’s cyber incident that may be buried in forensic or other IT reports outside the control of the insurer.” Plus, insurers may get stuck between paying valid claims and failing to report to the new OCS.

“An insurance provider should not be asked for or required to provide information about their customers’ sensitive data to the federal government,” the group wrote.

As financial institutions, the amendment could make insurers bigger targets for hackers. Not to mention, the proposal would potentially add a new layer of federal regulation to an industry already subject to reporting mandates from the states, CISA and the Securities & Exchange Commission, they said.

Topics Cyber Claims

Was this article valuable?

Here are more articles you may enjoy.