Now that Congress chose to adjourn without reauthorizing the Terrorism Risk Insurance Act, is there room to revisit the issue of cyber terrorism when it returns?
Expiry of the federal terrorism insurance backstop, set for January 1, 2015, could leave businesses affected by a major terrorist attack without cover.
Read our report: Congress ends session without renewing TRIA; insurance industry ‘reeling’
The insurance industry said the availability of private-market terrorism coverage would plummet without the assurance of a federal backstop in the event of a truly catastrophic terrorist attack but many think–or hope–Congress will make TRIA reauthorization its top priority in January.
But Congress will look different then, with many new members to be briefed on the legislation. Would it be pushing it to attempt to include a mention of cyber terrorism in TRIA?
Several reports and/or studies have included cyber terrorism as a premier threat during the year ahead. The possibility of an attack on critical infrastructure is real and it is easy to imagine a scenario in which damages exceed TRIA’s thresholds. But is cyber covered?
For an interpretation, Advisen contacted the National Association of Mutual Insurance Cos.
“If the event is cyber related, is certified as a terrorism event, and the underlying [primary] policy covers cyber (or whatever the loss cause is) then Treasury’s interpretation is that the program does cover it. The bill does not specifically mention cyber either way,” NAMIC told Advisen in an email. For clarification, the Treasury administers the program.
Jennifer Rubin, national underwriting leader for war, terrorism and political violence for Hiscox, said TRIA is silent on the issue of cyber. The word or a form of the word is not mentioned. She said terrorism coverage therefore depends on individual markets, but Hiscox implements a “hard exclusion” on terrorism and so do many other carriers.
Robert Hartwig, president of the Insurance Information Institute, said that if a cyber terrorism event “caused the type of damage covered under TRIA, then coverage would be forthcoming.”
For example, under TRIA, coverage should be available for an event in which a hacker caused a computer malfunction that blew up a utility, causing explosion, fire and/or smoke damage, as well as workers’ compensation losses.
That looks to settle it, but in August we spoke to Lockton’s Ben Beeson on this topic. He said federal lawmakers had “no interest” in including cyber terrorism in TRIA.
TRIA mandates that insurers offer terrorism coverage. Could defining cyber terrorism within the law “drive the evolution” (borrowing another phrase from Beeson) of this marketplace?
I was at a large insurance trade association conference late in 2013 in which former Secretary of Homeland Security Michael Chertoff told the audience it was better for lawmakers to clarify the issue now rather than wait until the legislation is tested. Chertoff, head of the Chertoff Group, a risk and security consulting firm, said he would “hate to find out in post-event litigation” whether cyber terrorism was included in the law.
Luckily TRIA has not been tested in any capacity. Right now, that is a moot point since there will be no TRIA as of January 1 and its future is uncertain.
But considering the ominous predictions regarding the role of cyber terrorism in the near future, there seems to have been a missed opportunity to explicitly reference the risk within the legislation rather than deal with uncertainties, cloudiness and holes in the measure when something happens.
Ambiguity can stall recovery. TRIA was put in place (and I still think lawmakers will eventually get it right although it’s a terrible gamble in the meantime) to prevent a stall in recovery.