Terrorism insuranceTerrorism insurance should cover cyberterrorism: industry
The Terrorism Risk Insurance Act(TRIA) is a federal backstop designed to protect insurers in the event an act of terrorism results in losses above $100 million. Industry officials question whether cyber terrorism is covered by the program, which is administered by the Treasury Department. Industry insiders note that terrorism risks have evolved since TRIA was enacted and cyberterrorism is now a real threat. TRIA should thus not simply be reauthorized with a blanket stamp of approval; instead there should be a discussion about whether acts of cyberterrorism should be explicitly included in TRIA.
Insurers seek protection under TRIA // Source: bigstockphoto.com
The Terrorism Risk Insurance Act (TRIA) is a federal backstop designed to protect insurers in the event an act of terrorism results in losses above $100 million. Industry officials question whether cyber terrorism is covered by the program, which is administered by the Treasury Department.
Molly Lang and John Mullen write in the Insurance Journal that the reality of cyberthreats which might cause damage exceeding $100 million, and the relationship of such damages to TRIA, should be discussed as the reauthorization of TRIA nears. The program was established in 2002, and has been reauthorized twice, most recently by the Terrorism Risk Insurance Program Reauthorization Extension Act of 2007.
TRIA is scheduled to expire on 17 December 2014, and the need to consider cyber threats in the reauthorization of the program was reinforced by former Secretary of Homeland Security Janet Napolitano in her farewell address. She said that the United States will “at some point, face a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.”
For the purpose of TRIA coverage, an act of terrorism must be certified as such by the Treasury Secretary, in agreement with the Secretary of State and the Attorney General.
Experts say that acts of cyber terrorism could result in losses exceeding $100 million, but the insurance industry questions whether cyberterrorism would be considered, under TRIA, as an act dangerous to human life, property, or infrastructure. The insurance industry is also concerned that the geographic limits placed on TRIA do not accurately address the potential impact of cyber terrorism. The Insurance Journal notes that a 2002 insurance industry conference report, for example, suggested that the original version of TRIA was intended to cover cyber terrorism, but primary policy coverage may not cover damages from cyberattacks.
The insurance industry is exploring the relatively new market of cyber liability and many in the industry are pushing for clarification of the application of the TRIA program to cyberterrorism.
The Federal Insurance Office (FIO), tasked with assisting the Treasury Department in administering TRIA, is aware of cyberterrorism risks and their implications for the insurance industry. The FIO, FBI, and Treasury Office of Critical Infrastructure Protection have been studying cyberattacks and their likely effects within the financial sector.
Congress has held hearings on reauthorizing TRIA, and while the act has bipartisan support, there is a debate about whether the program should be modified. The proposed modifications to the act include providing a timeframe for the certification process to changing the deductible, aggregate threshold, and copay percentage. The three TRIA reauthorization bills did not address the issue of cyberterrorism.
“Terrorism risks have evolved since TRIA was enacted and cyber terrorism is a real threat,” Lang and Mullen note. “The Program should not simply be reauthorized with a blanket stamp of approval, but there needs to be discussion about whether acts of cyber terrorism should be explicitly included in TRIA.”
