American Property Casualty Insurance Association Issues Public Comment to Homeland Security

TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact MYRON STRUCK, editor, [email protected], Springfield, Virginia; 703/304-1897; https://targetednews.com

WASHINGTON, Nov. 24 -- The American Property Casualty Insurance Association, Chicago, Illinois, has issued a public comment to the U.S. Department of Homeland Security. The comment was written on Nov. 14, 2022, and posted on Nov. 15, 2022.

The comment, on Docket No. CISA-2022-0010, was sent to Jennie M. Easterly, director of the Cybersecurity and Infrastructure Security Agency.

* * *

The American Property Casualty Insurance Association (APCIA) appreciates the opportunity to submit comments to the Cybersecurity and Information Security Agency (CISA) in response to the Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). APCIA is the primary national trade association for home, auto, and business insurers. Our mission is to promote and protect the viability of private competition for the benefit of consumers and insurers. Our members represent all sizes, structures, and regions--protecting families, communities, and businesses in the U.S. and internationally.

The business community, including property and casualty insurers, and government have parallel interests in encouraging stronger cybersecurity and preventing cyber-attacks and cybercrime. Cyber threats pose a societal risk that we must combat together. APCIA continues to constructively engage with Congress and the Administration to share our perspective on legislative and regulatory proposals. As CISA works to develop its proposed rulemaking, APCIA urges the agency to carefully consider the statute and congressional intent to right-size both the covered entities subject to the future regulations and the types of cyber incidents that should be reported. This approach can avoid unintended consequences that would prevent the improvements to our nation's cybersecurity that Congress intended. In short, we encourage CISA to avoid broad inclusion of businesses that are not truly critical for the purposes of this Act, which would divert limited resources away from cyber deterrence and response; and to avoid reporting of low-value cyber incidents.

Definition of "covered entity"

Congress directed CISA to prepare the proposed rule in consultation with the Sector Risk Management Agencies (SRMA) and the Department of Justice (DOJ) and CISA must provide a clear description of the types of entities that constitute covered entities from among critical infrastructure sectors, as included in PPD-21. The insurance industry is part of a critical infrastructure sector - financial services - and as such satisfies this criterion. Insurance companies face cyber risks and are responsible for safeguarding their operations against those threats. Insurers offer essential services to help policyholders transfer risk, adjudicate claims, and recover after catastrophes.

However, for good reason, Congress recognized that not every entity in a critical infrastructure sector should be a "covered entity" and CIRCIA further outlines additional elements CISA must consider when defining a "covered entity" in the regulations. Based on these additional elements, APCIA strongly urges CISA to exclude the insurance industry from the definition of a "covered entity." We provide the following analysis to support our request for a clear exclusion.

Section 2242 (c)(1) of the CIRCIA states that a clear description of the types of entities that constitute covered entities must be based on "(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety; (B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and (C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure."

The insurance industry, like every industry, is susceptible to cyber-attacks and as such employs risk-based resiliency measures to safeguard their operations and customer information. Our industry appreciates the resources, tools, collaboration, and partnership that CISA provides to enhance our resiliency and we look forward to continued engagement.

While susceptible to cyber-attacks, the insurance industry is distinct from many other industries that are considered to be critical infrastructure, and it is also unique among other businesses in the financial services sector. The nature of the insurance transaction is very different from the nature of other industries in the financial services sector. For instance, insurance companies collect premiums and accumulate capital for the purpose of paying covered claims in the future. Additionally, those claim payments occur after investigations and analysis of the circumstances and policies at issue. For context, the United States property and casualty insurance market premiums in 2021 totaled approximately $800B, with insurers holding approximately $1.1 trillion in policyholder surplus./1

By comparison, the four largest U.S. banks held more assets individually than the entire property and casualty insurance industry./2

As a matter of function and scale, we believe that the property and casualty insurance industry does not rise to the level of "covered entity" for purposes of this regulation.

Current experience has shown that insurers impacted by cybersecurity events have not incurred significant detrimental damage. In those limited situations, insurers were able to process premium receipts and pay claims. Any delays in those processes did not result in serious harm to their customers or claimants. Therefore, even if a property and casualty insurer suffered a cyber incident that led to disruption of its operations, delays of a few hours or days would not significantly impact an insurer providing those services to policyholders. For the property and casualty insurance industry, such delays constitute an inconvenience at most, and would not result in impacts to the national security, economic security, or public health and safety, as described in CIRCIA.

State-based regulation

Importantly, the insurance industry is a state regulated industry. Insurance carriers are unique in their mode of operation and function, as well as how they are regulated. It has been well established that the business of insurance is most effectively regulated at the state level. The federal government has a relatively limited role in regulating private insurance compared with its role in banking and securities. Unlike banks or securities firms, insurance companies have been chartered and regulated solely by the states for the past 150 years. The McCarran-Ferguson Act (15 U.S.C. Secs.1011 et seq.) specifically preserved the states' authority to regulate and tax insurance and granted a federal antitrust exemption to the insurance industry for "the business of insurance."

Consistent with that approach, the National Association of Insurance Commissioners (NAIC) has developed an Insurance Data Security Model Law for Insurers that has been adopted by 21 states and more adoptions are expected. The insurance industry is also subject to the New York Department of Financial Services, which already requires insurers doing business in New York to report a defined cybersecurity event, regardless of location of the event within the carrier's geographic operations. All of these laws have sections dedicated to requiring insurers to report cyber incidents, which could include a ransomware incident, to state insurance regulators. Insurers are also subject to regular cyber examinations and the NAIC has created a cybersecurity working group to coordinate with one another in the event of an industry incident.

In addition, we note that insurance carriers of a certain size, particularly those that are publicly traded, are already subject to Securities and Exchange Commission reporting requirements, which include specific data incidents including ransomware attacks. Each state also has consumer breach notification requirements that are applicable to insurers. This robust existing notification structure provides a strong framework of regulations already in place and would minimize the extent of any disruption or damage to the reliable operation of the insurance sector.

For all the reasons stated above, we believe that the insurance industry does not meet the elements established by CIRCIA for defining a "covered entity." In fact, including insurance in the CISA reporting framework could result in conflicting requirements or otherwise create compliance issues. APCIA respectfully requests a clear exclusion for the insurance industry from the definition of "covered entity."

Harmonization

The importance of harmonization in state and federal reporting requirements cannot be overstated. Harmonization allows companies to correctly focus on recovering from the incident and hardening their systems from future attack as opposed to identifying all the regulators that require notification. We strongly encourage CISA to explore meaningful ways to harmonize reporting obligations among state and federal regulators and law enforcement.

Impacted entity reports

Congressional drafters of CIRCIA recognized the mandatory reporting requirement rests with the entity who suffered the cyber incident, as they have first-hand information. CIRCIA also provides an option that a third-party may make the report on behalf of the impacted entity, but the requirement ultimately rests with the impacted entity. The statute appropriately does not impute any obligation on a property casualty insurer to report on behalf of any impacted "covered entity" that it insures. APCIA supports this approach.

Conclusion

APCIA appreciates the opportunity to comment and share our views. The insurance industry shares CISA's resiliency objectives and looks forward to continued engagement with CISA as it identifies tools and resources beneficial to the business community. APCIA appreciates CISA's efforts to gather robust input from various stakeholders ahead of a proposed rule and we look forward to the agency holding sector-specific listening sessions in the future. Thank you for your consideration of these comments.

Respectfully submitted,

Shelby Schoensee, Director, Cyber & Counsel, American Property Casualty Insurance Association

Gary P. Sullivan, CPCU, AIC, AIM, AIS, Sr. Director, Emerging Risks, American Property Casualty Insurance Association

1 Federal Insurance Office, U.S Department of the Treasury, "Annual Report on the Insurance Industry", September 2022

2 Federal Reserve Statistical Release, Large Commercial Banks June 30, 2022, https://www.federalreserve.gov/releases/lbr/current/

* * *

Original text here: https://downloads.regulations.gov/CISA-2022-0010-0064/attachment_1.pdf

TARGETED NEWS SERVICE (founded 2004) features non-partisan 'edited journalism' news briefs and information for news organizations, public policy groups and individuals; as well as 'gathered' public policy information, including news releases, reports, speeches. For more information contact MYRON STRUCK, editor, [email protected], Springfield, Virginia; 703/304-1897; https://targetednews.com