This Act establishes a working group to clarify cyber insurance policies, improve coverage, and reduce costs for consumers and businesses.
John Hickenlooper, Senator, CO
The Insure Cybersecurity Act of 2025 establishes a Working Group on Cyber Insurance, chaired by the Assistant Secretary of Commerce for Communications and Information. This group is tasked with studying the cyber insurance market to make coverage clearer, more accessible, and more affordable for consumers and businesses. After delivering a final report with recommendations to Congress, the Working Group will dissolve, and the Assistant Secretary will publicly disseminate the resulting informative resources.
The Insure Cybersecurity Act of 2025 is a clear attempt to put the brakes on one of the fastest-growing headaches for modern business: cyber insurance. This legislation sets up a temporary, high-level Working Group on Cyber Insurance, chaired by the Assistant Secretary of Commerce for Communications and Information, with a clear mandate: figure out why these policies are so confusing and how to make them better and cheaper. This group has one year to deliver a report detailing how to untangle the legal jargon and technical terms that currently make buying cyber coverage feel like reading ancient runes.
Think of this Working Group as the policy friend who actually reads the fine print so you don't have to. The group must include heavy hitters from agencies like CISA, NIST, the Treasury, and the FTC, plus state insurance regulators, ensuring a broad view of the problem. Their core job, laid out in Section 3, is translating policy language into plain English. For customers—from a small manufacturing shop to a mid-sized tech firm—this means getting clear answers on crucial questions, such as how their policy covers a ransomware attack, whether paying the ransom is covered, and what exactly is excluded from coverage. Right now, these details are often buried in dense contracts, leading to ugly surprises when a claim is filed.
The biggest win for everyday people and small businesses is the focus on clarity and cost reduction. The Working Group is specifically tasked with developing guides to help customers figure out what type and amount of coverage they actually need, rather than just guessing. Crucially, they must also identify steps that could lower the price of policies and reduce the overall cyber risk across the board (Section 3(c)(9)). For a small business owner already juggling rising payroll and supply chain costs, a clearer, cheaper insurance policy is a huge relief. If the group can identify ways for insurers to better measure a customer’s cybersecurity practices, it could lead to premium discounts for businesses that invest in strong digital defenses.
After a year, the Working Group packs up, but not before delivering a comprehensive report to Congress. Within 90 days of that report, the Assistant Secretary must publicly post all the findings and recommendations on the National Telecommunications and Information Administration’s website (Section 4). This information—which includes the suggested policy clarifications and customer guides—will then be actively promoted to the industry and the public. It’s important to note the catch: the Act explicitly states that using these resources and adopting the recommendations is entirely voluntary. No one is getting new regulatory power here. This means the success of the effort relies on insurers, agents, and brokers choosing to adopt the clearer standards because it makes good business sense, not because the government is forcing them to.