Insurance industry associations said they don’t want “misguided provisions” regarding cyber claim data sharing in the upcoming National Defense Authorization Act (NDAA) for fiscal year 2023.
The American Property Casualty Insurance Association (APCIA), National Association of Mutual Insurance Companies (NAMIC), Independent Insurance Agents & Brokers of America (Big I), and the Council of Insurance Agents and Brokers (The Council) have sent a joint letter to members of the United States Committee of Delegates for Homeland Security opposing an amendment that would create a Bureau of Cyber Statistics within the Cybersecurity and Infrastructure Security Agency (CISA).
In June, the Senate Armed Services Committee voted to bring the NDAA for fiscal year 2023 to the Senate floor. The law determines the annual budget and expenditures of the US Department of Defense, including on cybersecurity.
The amendment to the law requires the newly established office to collect data from insurers about cyber incidents that led to a covered claim, including “detailed data that is beyond the scope of information insurers currently collect or need to process claims,” the letter said.
“If passed, this language would be an unwarranted breach of the contractual relationship between insurance providers and their customers,” the associations wrote, adding that the proposal has not been submitted to or considered by the multiple committees with jurisdiction over CISA or the insurance business in the House or the Senate.
The new reporting requirements would require insurers to “re-equip systems” and add resources to “gather detailed, granular information about a policyholder’s cyber incident that may be buried in forensic or other IT reports beyond the insurer’s control.” In addition, insurers could be caught between paying valid claims and failing to report to the new bureau.
“An insurance company should not be asked or required to provide information about their customers’ sensitive data to the federal government,” the group wrote.
The change could also make insurers, as financial institutions, bigger targets for hackers. The proposal could also add another layer of federal regulation to an industry already subject to reporting mandates from the states, CISA and the Securities & Exchange Commission, they said.