Category Archives: Terrorism Risk

A world without TRIA: premiums skyrocket following 9/11

Below is an abstract from the I.I.I. database citing a Wall Street Journal article from October 8, 2001. It describes the sharp increase in insurance rates immediately following the terrorist attacks of 9/11 2001.

The abstract is part of our series covering the Terrorism Risk Insurance Act of 2002 (TRIA). The act made public and private sharing of insured losses from acts of terrorism in the United States possible.

I.I.I.’s report, A World Without TRIA: Incalculable Risk, describes the function of the federal terrorism backstop.

Wedding Tractor Trailers to the Internet of Things: What Could Possibly Go Wrong?

“We went out again. We got maybe six steps before lights blared in our faces. It had crept up, big wheels barely turning on the gravel. It had been lying in wait and now it leaped at us, electric headlamps glowing in savage circles, the huge chrome grill seeming to snarl.”


When Stephen King wrote Trucks – a tale of big rigs, pickups, and earth movers coming suddenly to life and terrorizing people they had trapped in a diner – he didn’t speculate about how or why they’d been incited to malevolence. Aliens? The Soviets? Who cared? It was the 1970s, and all he needed to do was deliver a solid horror yarn.

I loved that story when I read it in high school – mainly because it scared the daylights out of me and yet I knew for sure it couldn’t happen. Could it? Nah!

Today I read an article about “platooning”, in which “a lead vehicle wirelessly assumes control over the throttle and braking of one, two, or more vehicles following along behind it. In many scenarios, the drivers in a platoon continue to steer their vehicles and can disengage from the convoy at any time, but the first vehicle determines the speed and braking maneuvers of the entire platoon. Because the follower trucks maintain constant communication with the lead vehicle and have synchronized acceleration and braking, platooning trucks can maintain much shorter distances between themselves as they travel.”

Bam! I was right back in that 1970s diner inside Stephen King’s warped, brilliant, and quite possibly prophetic brain.

From there I time traveled forward to Bastille Day 2017 in Nice, France, where 84 people were killed when a radicalized individual plowed a 20-ton truck into a crowd waiting to watch a fireworks display. The previous December, CNN reminded me, 12 people were left dead and 48 injured when a tractor trailer was driven into a Berlin Christmas market.

“Platooning, which is based on vehicle-to-vehicle (V2V) communications, has been shown to increase the fuel efficiency of both the lead and following vehicles, saving fleet operators money and reducing carbon dioxide emissions,” the article in Verisk’s Visualize insurance news and thought leadership site tells me comfortingly. It cites a German pilot program in which truck platooning generated fuel savings of 3 to 4 percent. Platooning could lead to huge cost savings for businesses and consumers.

Who doesn’t love fuel efficiency?

And then I read an article in Today’s Trucking that began:

“When Harold Sumerford’s phone rang at 2:30 a.m. on April 2, he knew the news couldn’t be good. But he figured it was probably the safety department – not the CFO telling him the company’s entire computer system was down from a ransomware attack.”

Sumerford is CEO of J&M Tank Lines. According to the article, it took four days for his company to begin functioning after the attack, “and during those four days, they weren’t able to bill any customers or enter anything into the system.”

Granted, this is a far cry from having the entire fleet go on a murderous rampage, but the Internet of Things is still young.

J&M’s experience, according to Today’s Trucking, was “just one example of a rapidly growing problem with cybersecurity in the trucking industry. Transportation and logistics companies are now among the top-targeted industries by computer hackers.”

According to an article in ZDNet published just a few weeks ago, “Hackers are deploying previously unknown tools in a cyberattack campaign targeting shipping and transport organisations with custom trojan malware. Identified and detailed by researchers at Palo Alto Networks’ Unit 42 threat intelligence division, the campaign has been active since at least May 2019 and focuses on transportation and shipping firms operating out of Kuwait in the Persian Gulf.”

This as everyone I know seems to be panting with enthusiastic anticipation for vehicles that drive themselves!

Look, I’m no Luddite. I appreciate the benefits offered by and realized through interconnectivity.

But I also have a front row seat observing the difficulties people who assess and quantify risk for a living experience in getting and keeping their heads around the ever-changing world of cyberrisk. As data and “stuff” become increasingly intertwined and the risks surrounding them are less clearly defined, is it so unreasonable to suggest that pushing humans out of the driver’s seat at this moment isn’t the only or best path to traffic safety, low prices, and reducing our collective carbon footprint?

Intent and ability distinguish cyberrisk from natural perils

Cyberrisk is often compared with natural catastrophe-related threats, but a recent study by global reinsurer Guy Carpenter and analytics firm CyberCube suggests a better analogy is with terrorism.


The report – Looking Beyond the Clouds: A U.S. Cyber Insurance Industry Catastrophe Loss Study – quotes Andrew Kwon, lead cyber actuary for Zurich: “Extending the lessons learned from property cats to the cyber space is intuitive and logical, but cyber continues to be a unique force unto itself. A hurricane does not evolve to bypass defenses; an earthquake does not optimize itself for maximum damage.”

This passage resonated as I read it because a few hours earlier I’d been reading a FreightWaves article about risks posed to international shipping by digitalization and pondering the fact that the same technology that helps vessels anticipate and avoid adverse weather also subjects them – and the goods they transport – to a panoply of new risks.

The FreightWaves article quotes U.S. Navy Captain John M. Sanford – who now leads the U.S. Maritime Security Department within the National Maritime Intelligence Integration Office – describing how the NotPetya virus inflicted $10 billion of economic damage across the U.S. and Europe and hobbled company after company, including shipping giant Maersk, in 2017.

Sanford said Russian military intelligence was behind the hacker group that spread NotPetya to damage Ukraine’s economy. The virus raced beyond Ukraine to machines around the world, crippling companies and, according to an article in Wired, inflicting nine-figure costs where it struck.

“Maersk wasn’t a target,” Sanford said. “Just a bystander in a conflict between Ukraine and Russia.”

Collateral damage.

The FreightWaves article describes how supply chains, ports, and ships could be disrupted more intentionally through GPS and Electronic Chart Display and Information System (ECDIS) systems onboard ships, or even via a WiFi-connected printer: “Pirates working with hackers could potentially access a ship’s bridge controls remotely, take control of the rudder, and steer it toward a chosen location, avoiding the expense and danger of attacking a vessel on the high seas.”

The Carpenter/CyberCube report identifies parallels in the deployment of “kill chain” methodologies in both conventional and cyber terrorism: “Considering terrorism risk in terms of probability and consequence, probability is assessed in terms of intent and capability.”

As our work and personal lives become increasingly interconnected through e-commerce and smart thermostats and we look forward to self-driving cars and refrigerators that tell us when the milk is turning sour, these considerations might well give us pause.

Hurricanes, earthquakes, fires, and floods might be scary, but at least we never had to worry that they were out to get us.


How TRIA Would Handle Another 9/11

The Insurance Information Institute’s new white paper, “A World Without TRIA: Incalculable Risk,” shows how the market for terrorism insurance has evolved since the 2001 terrorist attacks – from the early days in which there was effectively no market (insurers avoided covering terrorism wherever they could) to today, where the market is stronger but by all accounts unable to shoulder the entire burden without government backstop.

The 9/11 attacks generated by far the most insured losses of any terrorism event. We wanted to see how the government program the Terrorism Risk Insurance Act (TRIA) created in its wake would handle financially a repeat of that awful day.

If that happened, the government’s net payout would be less than zero, as it would recover more from mandatory surcharges to insurance policies than it would reimburse insurers for a portion of their losses.

Meanwhile, the net payout by insurance companies would be nearly $20 billion. Repeating the exercise in the future, the insurer contribution would steadily grow, assuming the law was renewed with the same terms under which it is set to expire at the end of next year. The share borne by policyholders through the surcharge increases more dramatically.

These estimates come from a mathematical model created by the Reinsurance Association of America to increase understanding of how the law operates.

The RAA created the model around the time of the first reauthorization of TRIA in 2005. It is widely regarded as a credible look at how the federal program would react to various scenarios. It has been shown to organizations as diverse as the Federal Insurance Office, the National Association of Insurance Commissioners, the Government Accountability Office, ratings agencies and business groups with a stake in the program, like the U.S. Chamber of Commerce.

“Our intention is to be inclusive so that all of the interested groups vested in the program understand the statute,” said RAA President Frank Nutter.

At the request of the Triple-I, the RAA created four scenarios, each replicating the insurance losses stemming from 9/11. The years modeled were 2019, 2020, 2029 and 2030. Losses were adjusted using the Consumer Price Index. Insurer premium – an important input – was adjusted by a 4 percent compound rate of growth, which is close to what the Congressional Budget Office projects as the growth in nominal Gross Domestic Product over the next decade.

The original program has been modified each time Congress has reauthorized it: 2005, 2007 and 2015. The program has a number of parts, and the RAA model shows that each reauthorization has increased the burden on insurance companies and decreased the burden on the government.

The Triple-I estimates that adjusted for inflation, 9/11 this year would generate insurance losses of $45.7 billion. According to the RAA model, the government would contribute $6.6 billion. It would front another $19.3 billion but recover $27.0 billion from a mandatory surcharge that would be placed on the insurance purchased in all lines of business that the program covers. Netting all that out means the government would pay less than zero. Insurers would be responsible for $19.7 billion, or 43 percent of the total insured loss.

By 2030, 9/11 would be a $58 billion event. The government would contribute nothing. It would front $29.6 billion but recover $41.5 billion from policyholders due to the recoupment and surcharge. Insurers would be responsible for $28.4 billion, or 49 percent of the total insured loss.

The main drivers of the changes:

  • Beginning in 2020, the law makes the size of the industry marketplace retention a function of insurers’ aggregate premiums, so the marketplace retention grows as the industry’s premium does.
  • Also in 2020 the government’s co-payment shrinks to 80 cents per dollar insurers pay above their deductible, down from 81 cents in 2019.
  • The amount of losses subject to policyholder surcharges grows to $29.6 billion from $19.3 billion, shrinking the federal support.

The work “is a reminder under the current statute, policyholder and company retentions go up over time,” said RAA President Nutter. “In 2020 this becomes effective in a way that changes retentions of the private sector. It also shows a vanishing federal share.”

The RAA model can show the impact of any proposed changes to the program. It also has the ability to show how the federal program would handle specific major events, including 25-ton truck bombs, chemical or biological events, industrial sabotage and port bombs, using information from two major catastrophe modeling firms, RMS and AIR. It also can tailor results to individual cities; car bombs in New York and Baltimore, for example, will generate different levels of loss.

The modeling firms’ data show “just how big some of the [nuclear, biological, chemical and radiological] events are,” said Scott Williamson, the RAA vice president who developed the model. “The workers compensation exposure is really very large.”


A world without TRIA: The formation of a federal terrorism insurance backstop

On September 11, 2001 terrorists hijacked commercial airliners and flew them into the World Trade Center towers and the Pentagon. The attacks remain the deadliest and most expensive terrorist incidents in U.S. history, with insurance losses totaling about $47.0 billion in 2019 dollars, according to I.I.I. estimates.

In the wake of the attacks the U.S. Congress enacted the Terrorism Risk Insurance Act of 2002 (TRIA). The act created a federal backstop for catastrophic terrorism losses that is designed to keep terrorism risk insurance available and affordable. It was renewed in 2005, 2007 and again in 2015. The act is set to expire on December 31, 2020.

Over the next months the Triple-I Blog will run stories featuring key participants in the terrorism risk insurance market and highlight news stories from our database from the periods immediately following 9/11 (before TRIA) and 2015 (when TRIA briefly lapsed).

Below is an abstract from the I.I.I. database citing a BestWeek article from October 1, 2001. The article refers to the fact that the heaviest insured losses were absorbed by foreign and domestic reinsurers, the insurers of insurance companies. Because of the lack of public data on, or modeling of, the scope and nature of the terrorism risk, reinsurers felt unable to accurately price for such risks and largely withdrew from the market for terrorism risk insurance in the months following September 11, 2001.

For more on the importance of a federal terrorism backstop read the I.I.I. report, A World Without TRIA: Incalculable Risk.

I.I.I. report contemplates a world without TRIA

Terrorism, by design, is unpredictable, hugely destructive, and to date uninsurable through private market methods alone.

Few events demonstrate this better than the 9/11 attacks, in which terrorists hijacked commercial airliners and flew them into the World Trade Center towers and the Pentagon. The attacks remain the deadliest and most expensive terrorist incidents in U.S. history, with insurance losses totaling about $47.0 billion in 2019 dollars, according to I.I.I. estimates.

U.S. and international insurers were able to pay virtually all the claims from the 9/11 attacks and their aftermath. But insurers also made it clear that they could not, on their own, cover future losses caused intentionally by people acting strategically to attack select targets. In response to these concerns, the U.S. Congress enacted the Terrorism Risk Insurance Act of 2002 (TRIA), creating a federal backstop for catastrophic terrorism losses that is designed to keep terrorism risk insurance available and affordable. Renewed in 2005, 2007 and again in 2015, the act is set to expire on December 31, 2020.

Although the expiration is still more than a year away, U.S. commercial insurers are preparing for the possibility that the federal backstop might expire and that federal financial assistance would be unavailable for a catastrophic terrorist event.

A new I.I.I. report, A World Without TRIA: Incalculable Risk, concludes that the terrorism insurance market is more robust than in the immediate aftermath of 9/11, but – similar to the situation in 2015 – does not appear to have the ability to bear all terrorism risk.

In this context, the report offers a historical overview of TRIA – why it exists and how it functions – to inform the discussion about the potential consequences should the program disappear. The report discusses:

  • Commercial terrorism risk insurance before the 9/11 attacks
  • How the attacks changed the terrorism risk insurance marketplace
  • The enactment of the federal Terrorism Risk Insurance Act and the program’s structure
  • What happened when the program briefly expired in 2015
  • How a failure to reauthorize the program in 2020 could affect terrorism risk insurance

Over the next months the Triple-I Blog will run stories featuring key participants in the terrorism risk insurance market and highlight news stories from our database from the periods immediately following 9/11 (before TRIA) and 2015 (when TRIA briefly lapsed). You can follow the topic here.


Business Insurance Coverage: Terrorism Insurance

On Tuesday, October 31, a man plowed a pickup truck into a crowded bike path in lower Manhattan. Eight people were killed and 11 more injured. A note found near the truck indicated the driver’s affiliation with the Islamic State, but no evidence of a wider plot or direct ties between the driver and ISIS has been found, and the incident is another in a growing list of “inspired” attacks, according to counterterrorism experts.

Although New York City mayor Bill de Blasio and other politicians have called the attack an act of terror, policyholders with terrorism insurance are only covered by that policy if the U.S. Department of the Treasury officially certifies an event as an act of terrorism. This requires that the act be violent and driven by the desire of an individual or individuals to coerce U.S. civilians or government. The act must also cause over $5 million in property and casualty losses.

Since the attacks on September 11, none of the attacks on the U.S., including the Boston Marathon bombing, have been certified as terrorist acts by the Treasury. In the absence of that certification, business owners can file claims under their standard property casualty policies.

Counter-terrorism efforts key to estimating risk post-9/11

Today marks the 16-year anniversary of 9/11, and as we remember those who perished and honor first responders on that day, it’s worth noting that we have not had a large-scale terrorist attack on U.S. soil since then.

From a recent discussion by property underwriters Gedion Amesias and Jeri Xu at the Swiss Re Open Minds blog:

“Since 9/11, the U.S. government and four of its allies (Five Eyes alliance) have been spending tens of billions of dollars each year on counter-terrorism. Even though it’s hard to accurately estimate, there are experts that approximate the U.S. spends around $100 billion a year on counter-terrorism efforts. Successful attacks since 9/11 have been carried out by either a lone wolf or a duo, for example the 2016 cargo truck attack in Nice by one driver, and 2013 Boston Marathon bombing by a pair of brothers. Plots that involve more people are more likely to be discovered through the surveillance of their communications, so organized large-scale plots are less likely to occur.”

And:

“Terrorism insurance is effectively insurance against the failure of counter-terrorism. Because counter-terrorism efforts have increased so much post 9/11, a reasonable assumption to make is that the frequency and severity of loss from terrorism have decreased significantly.”

They conclude that underwriters need to think about how terrorists will behave going forward and how governments around the world will counteract terrorism in order to predict where and to what extent future losses may occur.

Willis Towers Watson offers insight into how insurers are responding to meet the evolving nature of terrorism.

The I.I.I. has resources on terrorism risk and insurance here.

UK terrorism reinsurance pool will respond to any claims arising from Manchester attack

UK terrorism reinsurance mutual Pool Re stands ready to respond to any claims arising from last night’s horrific attack at a major concert venue in the city of Manchester.

At least 22 people were killed and more than 50 injured in the bombing as they left the Manchester Arena at the end of an Ariana Grande concert.

“Pool Re will work with its Members in resolving any claim arising from the attack as quickly as possible. We will make a further statement as more information becomes available.”

Most insurers providing commercial property and business interruption insurance in the UK (including many overseas companies and Lloyd’s syndicates) participate in Pool Re.

The government formed the mutual reinsurance pool for terrorist coverage in 1993, following acts of terrorism by the Irish Republican Army.

Last night’s attack comes 21 years after a bombing in Manchester’s main shopping district injured more than 200 people and caused an insured property loss of $966 million (in 2015 dollars). The 1996 Manchester bombing still ranks as the third costliest terrorist attack by insured property damage, according to the I.I.I.

Pool Re is one among a number of public/private risk-sharing schemes around the world that provide terrorism coverage, as discussed in a recent report by Marsh:

Here’s how the Pool Re scheme works:

  • Member insurers pay premiums at rates set by the pool. There are two geographic zones, one for major cities, with an adjustment for a “target risk,” and the other for the remainder of the country.
  • The primary insurer pays the entire claim for terrorist damage but is reimbursed by the pool for losses in excess of a certain amount per event and per year, based on its share of the total market.
  • The maximum industry retention increases annually per event and per year.
  • The government acts as the reinsurer of last resort, guaranteeing payments above the industry retention.
  • Only terrorism losses arising from damage to commercial property are covered by the pool. Coverage does not extend to life or personal injury.

The Definition And Risk Of Terrorism Is Shifting

A man drives a car into pedestrians on Westminster Bridge, keeps driving, crashes the car outside the Houses of Parliament, then tries to enter the complex armed with a knife. Four people are dead, including a policeman and the assailant, and at least 40 injured.

The investigation into yesterday’s terrorist attack in the heart of London is ongoing, as Westminster bridge reopens and Parliament gets back to work.

Small group and “lone wolf” terrorist attacks are seen as indicative of the shifting nature of terrorism, according to experts (here and here).

In the U.S. such attacks have yet to meet the $5 million damage certification threshold required to trigger the government-backed terrorism risk insurance program (the Terrorism Risk Insurance Program Reauthorization Act of 2015).

Broker Marsh reports that while recent attacks may have resulted in little direct physical damage and losses, they still have the potential for significant business disruption costs and contingency losses, for example if a city is put under curfew, or travelers cancel reservations, travel is disrupted, and business activity levels are diminished.

To address these evolving threats, insurers have adapted coverage to consider: active shooter situations; extra expense for evacuating people due to threat; contingent interruption of operations; canceled reservations; loss of attraction.

Policies can be structured to include nonphysical damage scenarios such as damage resulting from a cyber event, and nuclear, biological, chemical, and radiological (NBCR) risks.

Terrorism preparedness is evolving too as businesses adapt to the changing threat (see active shooter prevention and response steps).

The last major terrorist attack in the UK in July 2005 targeted the public transportation system during rush hour and left 52 people dead.

Insurance Information Institute facts and statistics on terrorism risk available here.

This chart, via the New York Times, shows that with the exception of the 9/11 and Oklahoma City attacks, there is no year since 1970 when terrorism killed more than 50 people in the United States: