News · The Broadside

Insurance agents and P&C carriers press CISA for CIRCIA exemption

The fight is over whether critical infrastructure means core financial plumbing or every useful business parked inside the sector.


TL;DR

Inside Cybersecurity reports that at CISA’s June 18 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) town hall, insurance agents, brokers and property-and-casualty insurers urged an explicit exclusion from covered-entity reporting rules. They argue that brokers sell policies rather than underwrite, issue policies or pay claims, and that P&C carriers can continue core functions during cyber incidents. Contractors, MSPs and primes should watch the boundary call: CISA can define critical infrastructure by actual systemic effect or by sector membership.

Inside Cybersecurity reports that insurance agents, brokers and property-and-casualty (P&C) insurers used the Cybersecurity and Infrastructure Security Agency’s June 18 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) town hall to ask for an explicit exclusion from the agency’s forthcoming mandatory incident-reporting rule. The request is framed as burden reduction, but it is really a scope fight. CIRCIA reporting is aimed at critical infrastructure entities whose incidents could harm national security, economic security, public health or safety. The insurance speakers are telling CISA that sales intermediaries and P&C carriers do not belong in that class.

Elizabeth Goodwin, speaking for the Council of Insurance Agents and Brokers, argued that agents and brokers distribute insurance products but do not underwrite, issue policies or pay claims. Her point was functional: a broker outage could slow sales and transactions, but it would not create the kind of systemic harm CIRCIA is built around. Shelby Schoensee of the American Property Casualty Insurance Association urged CISA to exclude P&C insurance and reinsurance, avoid expanding scope through size-based thresholds, and use effects-based criteria instead. She also pressed for harmonization with state insurance regulation, National Association of Insurance Commissioners standards, New York State Department of Financial Services requirements and state breach notification laws.

The operational issue for contractors, MSPs and primes is indirect but real. Many buy coverage through brokers or depend on carriers’ claim handling after an incident. CISA’s answer here will signal whether CIRCIA coverage turns on function, such as risk-bearing or critical financial utility services, or on placement inside a designated critical infrastructure sector. If CISA goes broad, other financial-services intermediaries should expect a cold reception when they ask for their own exclusions.

For practitioners, nothing changes until CISA finalizes the rule. The boundary decision still matters because it will determine how much of CIRCIA becomes systemic incident reporting and how much becomes a sectorwide filing duty with cybersecurity attached.


Published · Deep Fathom