Is TRIA for Cyber Terrorism?
The insurance industry will count on the Terrorism Risk Insurance Program (Program) if there is a terrorist strike on the United States, but will the Program respond if the act of terrorism is a cyber event?
Cyber terrorism is an emerging threat to be considered as debate surrounding the modernization and reauthorization of the Program intensifies. The Terrorism Risk Insurance Act (TRIA) of 2002 established the Program, which has been reauthorized twice, most recently by the Terrorism Risk Insurance Program Reauthorization Extension Act of 2007. While the Program provides a federal backstop for catastrophic terrorism events — above $100 million in losses — many have argued that whether and the extent to which it covers cyber terrorism is not entirely clear.
Fortunately, the Program, currently scheduled to expire on Dec. 31, 2014, has never been put to the test. As former Secretary of Homeland Security, Janet Napolitano, cautioned in her recent farewell address, the U.S. will “at some point, face a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society.” But questions remain regarding whether the federal backstop would be implicated if a cyber attack is considered terrorism.
TRIA requires certain commercial property and casualty insurers to make terrorism coverage available on terms similar to non-terrorism coverage. As set forth in the existing iteration of TRIA, the term “act of terrorism” means any act that is certified by the Treasury Secretary, in concurrence with the Secretary of State and the Attorney General.
Cyber Terrorism
It is certainly fathomable that an act of cyber terrorism could result in losses exceeding $100 million. What is not as evident is whether cyber terrorism would fall squarely into the requirement of being an act that is dangerous to human life, property or infrastructure. An additional concern is that TRIA’s geographic limitations do not realistically address the potential impact of a cyber terrorist attack.
A conference committee report from 2002 suggests that the original version of TRIA was intended to apply to cyber terrorism coverage. But what if damage resulting from a cyber event is not covered under the primary policy? Most commercial liability policies would not respond to an act of cyber terrorism. There would be questions about whether there is coverage for damage to networks or electronic data and systems.
The cyber liability policy market is relatively new, and the scope of coverage provided is developing. To the extent a cyber event is not covered under an underlying cyber policy, TRIA may not be implicated for cyber terrorism.
Some interested parties have suggested that damages resulting from cyber acts of terrorism falling under TRIA-covered lines of insurance may be covered by the act, but the Program has gaps to the extent cyber insurance is written as professional liability or another line that is not TRIA-covered. Others contend that clarifying TRIA’s application in the event of a massive cyber attack would encourage additional capacity in the cyber insurance market.
The Federal Insurance Office (FIO), which has been tasked with assisting the Treasury Secretary in administering the Program, is aware of the threats of cyber attacks and the potential implications on the insurance industry.
FIO Director Michael McRaith participated in a recent briefing for the insurance industry on cyber security. Representatives from the Federal Bureau of Investigation and the Treasury Office of Critical Infrastructure Protection presented information on the nature of cyber attacks and initiatives within the financial services sector. The FIO is also taking a lead role in drafting the President’s Working Group on Financial Markets 2013 report on the long-term availability and affordability of terrorism risk insurance.
Both houses of Congress have held hearings on reauthorizing TRIA. The reauthorization has noticeable bipartisan support, but there is debate concerning whether the Program should be modified. A number of recommendations have been offered, ranging from providing a time frame for the certification process to changing the deductible, aggregate threshold and copay percentage. Currently, there are three TRIA reauthorization bills on the table, but none remedy the ambiguity that exists with respect to coverage for cyber terrorism.
Terrorism risks have evolved since TRIA was enacted and cyber terrorism is a real threat. The Program should not simply be reauthorized with a blanket stamp of approval, but there needs to be discussion about whether acts of cyber terrorism should be explicitly included in TRIA.