
American Property Casualty Insurance Association Issues Public Comment to Homeland Security – InsuranceNewsNet

The American Property Casualty Insurance Association (APCIA) appreciates the opportunity to comment to the Cybersecurity and Infrastructure Security Agency (CISA) in response to the Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). APCIA is the primary national trade association for home, auto and business insurers. Our mission is to promote and protect the viability of private competition for the benefit of consumers and insurers. Our members represent all sizes, structures and regions, serving families, communities and businesses in the USA and internationally.

The business community, including property and casualty insurers, and government have parallel interests in encouraging stronger cybersecurity and preventing cyberattacks and cybercrime. Cyber threats pose a societal risk that we must combat together. APCIA continues to engage constructively with Congress and the Administration to share our perspective on legislative and regulatory proposals. As CISA works to develop its proposed rulemaking, APCIA urges the agency to carefully consider the statute and congressional intent regarding both the covered entities subject to the future regulations and the types of cyber incidents that must be reported. This approach can avoid unintended consequences that would undermine the improvements to our country’s cyber security that Congress intended. In short, we encourage CISA to avoid broad inclusion of businesses that are not truly critical to the purposes of this Act, which would divert limited resources away from cyber deterrence and response, and to avoid requiring the reporting of low-value cyber incidents.

Definition of “covered entity”


Congress directed CISA to develop the proposed rule in consultation with the Sector Risk Management Agencies (SRMAs) and the Department of Justice (DOJ), and CISA must provide a clear description of the types of entities that constitute covered entities from the critical infrastructure sectors identified in PPD-21. The insurance industry is part of a critical infrastructure sector, financial services, and as such meets this criterion. Insurance companies face cyber risks and are responsible for protecting their operations against those threats. Insurers provide essential services to help policyholders transfer risk, settle claims, and recover from disasters.

With good reason, however, Congress recognized that not every entity in a critical infrastructure sector must be a “covered entity,” and CIRCIA outlines additional elements that CISA must consider when defining a “covered entity” in the regulations. Based on these additional elements, APCIA strongly urges CISA to exclude the insurance industry from the definition of a “covered entity.” We provide the following analysis to support our request for an express exclusion.

Section 2242(c)(1) of CIRCIA states that a clear description of the types of entities that constitute covered entities must be based on “(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety; (B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and (C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.”

The insurance industry, like every industry, is susceptible to cyber attacks and as such uses risk-based resilience measures to protect its operations and customer information. Our industry appreciates the resources, tools, collaboration and partnership that CISA provides to improve our resilience, and we look forward to continued engagement.

Although susceptible to cyber attacks, the insurance industry is distinct from many other industries that are considered critical infrastructure, and it is also unique among the other businesses in the financial services sector. The nature of the insurance transaction is very different from that of other financial services industries. For example, insurance companies collect premiums and accumulate capital with the goal of paying covered claims in the future. In addition, those claim payments occur after investigation and analysis of the circumstances and policies in question. For context, United States property and casualty insurance market premiums in 2021 were approximately $800 billion, with insurers holding approximately $1.1 trillion in policyholder surplus.[1]

For comparison, each of the four largest U.S. banks individually held more assets than the entire property and casualty insurance industry.[2]

As a matter of function and scale, we believe that the property and casualty insurance industry does not rise to the level of “covered entity” for purposes of this regulation.

Experience to date has shown that insurers affected by cyber security events have not sustained significant detrimental damage. In those limited situations, insurers were still able to process premium receipts and pay claims. Any delays in those processes did not result in serious harm to their clients or claimants. Thus, even if a property and casualty insurer were to experience a cyber incident that disrupted its operations, delays of a few hours or days in providing those services to policyholders would not have a significant impact. For the property and casualty insurance industry, such delays are at most an inconvenience and will not impact national security, economic security, or public health and safety as described in CIRCIA.

State-based regulation

Importantly, the insurance industry is a government-regulated industry. Insurance carriers are unique in the way they operate and function, as well as in how they are regulated. It is well established that the business of insurance is most effectively regulated at the state level. The federal government has a relatively limited role in regulating private insurance compared to its role in banking and securities. Unlike banks or securities firms, insurance companies have been chartered and regulated exclusively by the states for the past 150 years. The McCarran-Ferguson Act (15 U.S.C. §§ 1011 et seq.) specifically preserved the states’ authority to regulate and tax insurance and granted the insurance industry a federal antitrust exemption for “the business of insurance.”

Consistent with that approach, the National Association of Insurance Commissioners (NAIC) has developed an insurance data security model law that has been adopted by 21 states, with more adoptions expected. The insurance industry is also subject to the New York Department of Financial Services cybersecurity regulation, which already requires insurers doing business in New York to report a defined cybersecurity event, regardless of where within the service provider’s geographic operations the event occurred. All of these laws have sections requiring insurers to report cyber incidents, which may include a ransomware incident, to state insurance regulators. Insurers are also subject to regular cyber investigations, and the NAIC has created a Cyber Security Working Group so that regulators can coordinate with each other in the event of an industry incident.

In addition, we note that insurance companies of a certain size, particularly those that are publicly traded, are already subject to Securities and Exchange Commission reporting requirements, which cover specific data incidents, including ransomware attacks. Each state also has consumer breach notification requirements that apply to insurers. This robust existing notification structure provides a strong regulatory framework that is already in place and will minimize the extent of any disruption or damage to the reliable operation of the insurance sector.

For all of the reasons stated above, we believe that the insurance industry does not meet the elements established by CIRCIA for the definition of a “covered entity.” In fact, including insurance in the CISA reporting framework may result in conflicting requirements or otherwise raise compliance issues. APCIA respectfully requests a clear exclusion for the insurance industry from the definition of “covered entity.”


The importance of harmonization in state and federal reporting requirements cannot be overstated. Harmonization allows companies to correctly focus on incident recovery and hardening their systems against future attacks, as opposed to identifying all the regulators that require notification. We strongly encourage CISA to explore meaningful ways to harmonize reporting obligations between state and federal regulators and law enforcement.

Affected entity reports

Congressional drafters of CIRCIA recognized that the mandatory reporting requirement rests with the entity that suffered the cyber incident, as it has first-hand information. CIRCIA also provides an option for a third party to make the report on behalf of the affected entity, but the requirement ultimately rests with the affected entity. The statute appropriately imposes no obligation on a property and casualty insurer to report on behalf of any affected “covered entity” it insures. APCIA supports this approach.


APCIA appreciates the opportunity to comment and share our views. The insurance industry shares CISA’s resilience goals and looks forward to continued engagement with CISA as it identifies tools and resources beneficial to the business community. APCIA appreciates CISA’s efforts to gather strong input from various stakeholders prior to a proposed rule and we look forward to the agency holding sector-specific listening sessions in the future. Thank you for your consideration of these comments.

Respectfully submitted,

Shelby Schoensee, Director, Cyber & Advocate, American Property Casualty Insurance Association

Gary P. Sullivan, CPCU, AIC, AIM, AIS, Senior Director, Emerging Risks, American Property Casualty Insurance Association

[1] Federal Insurance Office, U.S. Department of the Treasury, “Annual Report on the Insurance Industry”, September 2022.

[2] Federal Reserve Statistical Release, Major Commercial Banks, 30 June 2022, https://www.federalreserve.gov/releases/lbr/current/


Original text here: https://downloads.regulations.gov/CISA-2022-0010-0064/attachment_1.pdf

TARGETED NEWS SERVICE (founded 2004) features non-partisan ‘edited journalism’ news briefs and information for news organizations, public policy groups and individuals, as well as ‘gathering’ public policy information, including news releases, reports and speeches. For more information contact MYRON HIT, editor, [email protected], Springfield, Virginia; 703/304-1897; https://targetednews.com
