The federal insurance backstop for terrorism losses is not meant to cover cyber terrorism.
During an Advisen webinar focusing on some of the current hot topics within cyber risk, Lockton’s Ben Beeson said US lawmakers in Washington have “no interest” in including cyber terrorism within the current Terrorism Risk Insurance Program Reauthorization Act.
“When we as an industry were in conversations about the creation of the NIST (National Institute for Standards and Technology ) framework, we certainly asked for that,” Beeson, vice president of cyber security and privacy at Lockton, said during the call.
“We said we’d love a backstop where cyber was covered under TRIA to help us drive the evolution of the market to address these new areas of cyber threats, and the answer that came was, ‘Don’t get your hopes up,’” Beeson continued.
TRIPRA, the most recent reincarnation of the Terrorism Risk Insurance Act (TRIA), is current stalled in Congress as lawmakers take August off. TRIA first enacted in 2002 following 9/11 and reauthorized in 2005 and 2007 but it is set to expire at the end of this year. Separate Senate and House bills need to be reconciled in order for the backstop to survive and each reauthorization proposal modifies the program in different ways.
Under the current law, the federal government has no obligation to pay losses from a terrorist attack until damages reach a trigger of $100 million in insured losses. While it is fathomable that an act of cyber terrorism could reach this threshold, the industry remains unclear whether a certified act of cyber terrorism falls under TRIA.
Former Secretary of Homeland Security Michael Chertoff, a keynote speaker last year at the Property Casualty Insurers of America’s annual meeting in Boston, said it was better for lawmakers to clarify the issue now rather than wait until the legislation is tested. Chertoff, now head of the Chertoff Group, a risk and security consulting firm, said then that he’d “hate to find out in post-event litigation”
Many popular cyber forms today have evolved to “become silent on [terrorism],” added Willis’ Tom Srail during the Advisen webinar.
“Most of [policies] do not exclude it—do not mention TRIA,” said Srail, executive vice president and Technology, Media and Telecom Industry leader at Willis North America. He said the policies do not differentiate a hacker from a cyber terrorist. “Even though TRIA may not come to the rescue…we still have pretty decent coverage to date,” Srail said.
***
Download webinar: Beyond the headlines: the 2014 cyber wave hits Washington