Emerging cyber terrorism threats and the Federal Terrorism Risk Insurance Act

Cyber is a relatively new, evolving risk. Insurers manage their exposures, in part, by setting coverage limits and excluding events they don’t want to insure.

On December 20, 2019, President Trump signed a federal funding package that includes a seven-year extension of the Terrorism Risk Insurance Act (TRIA). TRIA provides for a federal loss-sharing program for certain insured losses resulting from a certified act of terrorism.

Passage of the act was met with resounding approval by the insurance industry. You can read more about it here.

A critical mandate of the TRIA extension is for the Government Accountability Office (GAO) to make recommendations to Congress about how to amend the statute to address emerging cyberthreats. Triple-I recently hosted an exclusive members-only webinar featuring Jason Schupp of the Centers for Better Insurance, who discussed issues likely to be addressed by the GAO report.

Schupp said the report will likely serve as a starting point for a discussion about cyber threats and how the insurance industry can better meet the needs of businesses, nonprofits and local governments for cyber insurance. It will address:

  • Vulnerabilities and potential costs of cyber-attacks to the United States;
  • Whether adequate coverage is available for cyber terrorism;
  • Whether cyber terrorism coverage can be adequately priced by the private market;
  • Whether TRIA’s current structure is appropriate for cyber terrorism events; and
  • Recommendations on how Congress could amend TRIA to meet the next generation of cyber threats.

Cyber terrorism is already covered under TRIA, but such acts don’t fit neatly into the TRIA framework. Because cyber limits and conditions are already narrow, TRIA’s current “make available” requirement has not been effective in providing coverage for cyber terrorism events at the same limits and conditions as non-cyber events.

Schupp proposes that the requirement be amended so the coverage doesn’t exclude insured losses specific to the loss of use, corruption or destruction of electronic data or the unauthorized disclosure of or access to nonpublic information.

But expanding the requirement carries considerable risk. If insurers are required to make more coverage available for cyber events than they are comfortable with, the result could be a pullback in property and liability insurance generally – not just for cyber events. Any expansion must be balanced with the terms of the backstop.

Schupp concluded that the GAO’s investigation and report (which is required to be completed by June 2020) is likely to kick off a multi-year debate that could substantially redefine U.S. cyber insurance markets. Insurers, policyholders and other stakeholders should engage accordingly.

To learn about how to become a member of Triple-I visit iiimembership.org.
