Prior to September 11, 2001, terrorism coverage was included in most commercial real estate policies as a “silent” peril – not specifically excluded, therefore covered. Subsequently, insurance companies began to exclude terrorist acts from policies, and the US government established the Terrorism Risk Insurance Act (TRIA) to stabilize the market.
TRIA requires insurers to make terrorism coverage available to commercial policyholders but does not require policyholders to purchase it. Originally created as a three-year program that allowed the federal government to share losses due to terrorist attacks with insurance companies, it has been renewed four times: in 2005, 2007, 2015, and 2019.
An evolving risk
The risk of terrorism has evolved in complexity and scope, and some in the national security world have compared US cybersecurity preparedness today to its readiness for terrorist acts two decades ago.
“The cyber landscape for me looks a lot like it did against the terror landscape before 9/11,” said historian and journalist Garrett Graff during a recent Home Security Committee event in which researchers and former 9/11 commissioners called on lawmakers to increase funding for the Cybersecurity and Infrastructure Security Agency (CISA) and other federal authorities focused on preventing attacks.
Cyber is more complicated, says Amy Zegart, co-director of the Stanford University Center for International Security and Cooperation, because of the role of the private sector “as both a victim and a threat vector. There are more people in the United States who protect our national parks than there are in CISA who protect our critical infrastructure.” Cyberattacks like the one on Colonial Pipeline emphasize this reality.
When TRIA was reauthorized in 2019, a crucial component was a mandate for the Government Accountability Office (GAO) to make recommendations to Congress on amending the law to address cyber threats. The trillion-dollar infrastructure bill now being considered in Congress proposes $1.9 billion for cybersecurity, with more than half set aside for state, local and tribal governments. It would also establish a Cyber Response and Recovery Fund for the use of CISA.
Like terrorism before 9/11, much cyber risk is silent. Silent cyber – also known as “non-affirmative cyber” – refers to potential losses arising from policies that are not intended to cover cyber-related perils. If silent cyber is not addressed, insurers’ solvency may be affected, ultimately harming policyholders.
In 2019, Great Britain’s Prudential Regulation Authority sent a letter to all UK insurance companies saying they must have “action plans to reduce the unintentional exposure” to non-affirmative cyber. Later that year, Lloyd’s issued a bulletin demanding clarity in all policies on whether cyber risk is covered. This led many insurance companies either to exclude cyber or to include it and price the risk accordingly.
“Other regulators and credit rating agencies have been less vocal about the issue,” writes Willis Towers Watson, “and until recently, efforts to address silent cyber have been limited.” Some insurers – particularly in the mutual specialty sector – updated their policies in the mid-2010s to provide clarity on cyber. But until recently, movement elsewhere has been sporadic, Willis writes.
The recent proliferation of ransomware attacks causing business disruptions has turned cyber insurance – which began as a diversifying secondary line – into a primary insurance purchase. Unfortunately, while that insurance is available, many policyholders still incorrectly expect to be covered by their property and liability policies. Confusion over IT coverage can lead to unexpected gaps.
“At best, a cyber incident can trigger multi-policy coverage and increase the total available limit for responding to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice manager. “In a more common scenario, multiple insurances can be triggered but not coordinated with each other, and the policyholder spends more on legal fees than the cost of having purchased stand-alone cyber insurance in the first place.”
Cyber risk will only grow in importance, complexity and cost as the world becomes more wired and interdependent. The costs of cyberattacks are potentially huge and must be mitigated in advance.
From the Triple-I blog
From Risk & Insurance (another subsidiary of The Institutes and sister organization to Triple-I)