Before Sept. 11, 2001, terrorism coverage was included in most commercial property policies as a “silent” peril – not specifically excluded, therefore covered. Afterward, insurers began excluding terrorist acts from policies, and the U.S. government established the Terrorism Risk Insurance Act (TRIA) to stabilize the market.
TRIA requires insurers to make terrorism coverage available to commercial policyholders but doesn’t require policyholders to buy it. Originally created as three-year program allowing the federal government to share losses due to terrorist attacks with insurers, it has been renewed four times: in 2005, 2007, 2015, and 2019.
An evolving risk
Terrorism risk has evolved in complexity and scope, and some in the national security world have compared U.S. cybersecurity preparedness today to its readiness for terrorist acts two decades ago.
“The cyber landscape to me looks a lot like the counterterrorism landscape did before 9/11,” historian and journalist Garrett Graff said during a recent Homeland Security Committee event at which scholars and former 9/11 Commission members urged lawmakers to increase funding for the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies focused on preventing attacks.
Cyber is more complicated, said Amy Zegart, co-director of Stanford University’s Center for International Security and Cooperation, due to the private sector’s role “as both a victim and a threat vector. There are more people in the U.S. protecting our national parks than there are in CISA protecting our critical infrastructure.” Cyberattacks like the one on the Colonial Pipeline underscore this reality.
When TRIA was reauthorized in 2019, a crucial component was the mandate for the Government Accountability Office (GAO) to make recommendations to Congress on amending the act to address cyberthreats. The trillion-dollar infrastructure bill now being considered in Congress proposes $1.9 billion for cybersecurity, with more than half set aside for state, local, and tribal governments. It would establish a Cyber Response and Recovery Fund for use by CISA.
Like terrorism before 9/11, much cyber risk remains silent. Silent cyber – also called “non-affirmative cyber” – refers to potential losses stemming from policies not designed to cover cyber-related hazards. If silent cyber isn’t addressed, insurer solvency could be affected, ultimately hurting policyholders.
The United Kingdom’s Prudential Regulation Authority in 2019 sent a letter to all U.K. insurers saying they must have “action plans to reduce the unintended exposure” to non-affirmative cyber. Later that year, Lloyd’s issued a bulletin mandating clarity on all policies as to whether cyber risk is covered. This led many insurers to exclude cyber or include it and price the risk accordingly.
“Other regulators and the rating agencies have been less vocal about the issue” writes Willis Towers Watson, “and, until recently, efforts to address silent cyber have been limited.” Some insurers – most notably in the specialty mutual sector – updated their policies in the mid-2010s to provide clarity on cyber. But, until recently, movement elsewhere has been sporadic, Willis writes.
The recent proliferation of ransomware attacks leading to business interruption has led to cyber insurance – which began as a diversifying, secondary line – becoming a primary insurance-purchasing consideration. Unfortunately, while policies are available, many policyholders still incorrectly expect to be covered under their property and liability policies. Confusion around cyber coverage can lead to unexpected gaps.
“In a best-case scenario, a cyber incident may trigger coverage under multiple policies and increase the available total limit to respond to a covered event,” said Adam Lantrip, CAC Specialty’s cyber practice leader. “In a more common scenario, multiple policies may be triggered but not coordinate with one another, and the policyholder spends more on legal fees than the cost of having purchased standalone cyber insurance in the first place.”
Cyber risk will only grow in significance, complexity, and cost as the world becomes more wired and interdependent. The costs of cyberattacks are potentially massive and need to be mitigated in advance.
From the Triple-I blog