Insurance groups ask CISA to consider exemption from upcoming mandatory incident reporting regime

The Cybersecurity and Infrastructure Security Agency should exclude the insurance industry from its definition for a “covered entity” that will be required to report cyber incidents under the agency’s upcoming regime, according to a coalition of groups representing the insurance sector.

“Specifically, we urge CISA to further refine the NPRM criteria defining covered entities and covered incidents to avoid broad inclusion of businesses that are not truly critical for the purposes of this Act, which would divert limited resources away...