Cyberattack Questions Emerging in TRIA Reauthorization Bill Debate

By Alexei Alexis  

July 15 -- Cyberterrorism, a growing national security threat, isn't specifically addressed in the Terrorism Risk Insurance Act (TRIA) reauthorization bills moving through Congress, prompting concerns that U.S. businesses may be left with no backstop for damages from such attacks, including claims for business interruption and financial losses.

The Senate is scheduled to take up a TRIA reauthorization measure (S. 2244) on July 17 without provisions on cyberterrorism, although the matter was addressed in a bill report from the Senate Committee on Banking, Housing, and Urban Affairs. A version (H.R. 4871) that is expected to be considered in the House soon also lacks cyberterrorism language.

Some stakeholders say that amending TRIA to clarify cyberterrorism issues would bring legal certainty in this area at a time when the marketplace urgently needs it. However, such a move could be seen as an expansion of the program, which might be a tough sell on Capitol Hill.

With the law set to expire on Dec. 31, other players are focused on making sure that a reauthorization bill gets to the White House as soon as possible.

“We're not interested in derailing the process by asking more questions,” Kevin McKechnie, senior vice president of the American Bankers Insurance Association, told Bloomberg BNA. “If we think there needs to be clarification we will, perhaps, ask for it at some future date.”

Defining Terrorist Attacks.

The Senate bill, approved unanimously by the Banking Committee last month, would extend TRIA for seven years with minor adjustments. A more controversial version pending in the House (H.R. 4871) would renew the law for five years, with tougher changes designed to put a greater share of responsibility on the private sector.

TRIA provides a government financial backstop when the property insurance industry incurs more than $100 million in claims for a single terrorist attack. It was first enacted in 2002 in the wake of the Sept. 11, 2001, terrorist strikes, to jump-start the property insurance industry, which incurred almost $32 billion in losses from the 2001 attacks. Congress renewed the law in 2005 and again in 2007.

TRIA leaves it up to the Department of Treasury to certify events as “acts of terrorism,” based on a set of statutory criteria. For example, the event must have been “violent,” or “dangerous” to human life, property or infrastructure, and it must have been committed by individuals on behalf of a foreign person or foreign interest, “as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.”

The fact that the law doesn't specifically mention cyberterrorism is potentially a huge liability problem for the U.S. business community, according to Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman LLP.

“There are some strong arguments that cyberattacks resulting in physical damage should be covered under TRIA as it exists, but there is nothing definitive to that effect,” Finch told Bloomberg BNA. “It would be good if it were clearer whether TRIA covers losses from such attacks, including claims for business interruption, financial losses and other types of liability.”

Without adequate coverage, “companies could be in grave financial danger if a significant cyber event occurs,” he said.

'Industry Confusion' Seen.

The legal uncertainty is especially problematic in light of the fact that cyberterrorism is increasingly being seen as a major national security threat, according to Douglas Holtz-Eakin, president of the American Action Forum, a Washington think tank.

“The science fiction aspects of this are over,” Holtz-Eakin told Bloomberg BNA, adding that cyber-related issues under TRIA have been “exceedingly unclear.”

Larry Clinton, president of the Internet Security Alliance, a Washington trade group representing stakeholders such as Verizon Communications Inc., General Electric Co., Boeing Co., Lockheed Martin Corp. and Wells Fargo & Co., said that TRIA probably needs to be updated in light of evolving cyberterrorism concerns, although his group hasn't been lobbying on the issue.

“There is certainly industry confusion here,” Clinton told Bloomberg BNA.

Tom Santos, vice president of federal affairs at the American Insurance Association, said his group is comfortable with approaching cyberterrorism under the existing legal framework.


“We don't think there's any need for clarification from Congress,” he said in a Bloomberg BNA interview. “Our view is that it's better to address these issues under the policy terms. Once you try to define it statutorily, you open up a whole can of worms.”

One alternative option, if some stakeholders insist on having more legal clarity, might be for the Treasury Department to issue a “frequently asked questions” document or some other form of guidance on the matter, he said.

Congressional Action Urged.

Peter Beshar, executive vice president and general counsel for Marsh & McLennan Cos., a leading insurance brokerage firm, urged Congress to intervene, in testimony provided to the Senate Banking Committee in September 2013.

“Currently, there is uncertainty if TRIA would cover an act of cyber terrorism that resulted in catastrophic loss,” he said in prepared remarks. “There is not clear language in the law that states unambiguously that cyber terrorism would fall within the scope of TRIA; we, therefore, recommend that Congress analyze the best way to address this new terrorism risk in the reauthorization of the TRIA program.”

He noted that former Homeland Security Secretary Janet Napolitano cautioned in her farewell address last year that the nation will, at some point, face a major cyber-related event that will have “a serious effect on our lives, our economy, and the everyday functioning of our society.”

The impact of a “cyber 9-11” event, Beshar told senators, “could be crippling, particularly if the attack were directed at one or several of the nation's critical infrastructures such as our telecommunications networks, food and water supplies, or health care institutions.”

During the Senate Banking Committee's consideration of S. 2244, Sen. Jack Reed (D-R.I.) said he believed it was the panel's intention that cyberattacks “would continue to fall within the scope of TRIA's covered lines, as they do today, provided that the statutory prerequisites are met.”

Reed's comment was cited in a committee report accompanying the bill. According to the report, the committee has chosen to maintain “the Treasury Secretary's existing broad discretion and authority to certify any kind or mode of terrorist attack regardless of how the attack is carried out provided that the certification criteria is met,” although the panel also acknowledges the emergence of new cyberthreats since TRIA was first enacted by Congress.

The report language, which is nonbinding, is designed to add to the legislative history of the process and express the intent of the bill, a committee aide told Bloomberg BNA.

Mixed Reactions.

The committee's position on the issue makes sense from a policy perspective, Norma Krayem, a principal at Squire Patton Boggs LLP, told Bloomberg BNA.

“Cyberattacks are considered the primary concern now, but--as the committee report acknowledges--there are also nuclear, biological, chemical and radiological threats,” she said in an e-mail. “While TRIA was created as the result of physical attacks on the U.S., an 'all-hazards' approach needs to be acknowledged within this federal backstop.”

The committee's action was welcomed by Marsh & McLennan.

“We commend the Senate Banking Committee for making clear in its report accompanying S. 2244 that TRIA would apply in the event of a large-scale cyber terrorist attack,” Beshar said in an e-mail.

Other stakeholders suggested that more work could be done on the issue.

Holtz-Eakin told Bloomberg BNA that the report language represents “a great step” toward removing any uncertainty.

“The only thing that would be more definitive would be to include cyberattacks in statutory language,” he said.

Henry Willis, director of the Homeland Security and Defense Center at RAND Corp., said the committee report language helps to clarify congressional intent, but still leaves some room for uncertainty.

“My understanding is that the business of cyberinsurance is evolving and there remains some uncertainty about which lines of insurance would be affected,” he told Bloomberg BNA.

The remaining uncertainty, Willis said, “involves whether cyberinsurance policies are written on property and casualty lines or on some other line of business, such as professional liability. Not all lines of insurance are covered under TRIA.”

Robert Hartwig, president of the New York-based Insurance Information Institute, said the report language is “encouraging” in that it confirms what is commonly believed to be the case with respect to cyberterrorism. However, the committee's action “does not change much,” he said.

“I don't believe there's any ambiguity where the cyberattack results in the kind of losses that are normally covered by terrorism insurance policies today,” Hartwig told Bloomberg BNA. “But it potentially arises in business interruption cases where there is no physical damage or destruction, and perhaps some other situations as well. If we had a scenario such as the power grid being brought down, without causing damage to machinery or equipment, there would, in general, be no coverage forthcoming from a terrorism policy. That might surprise some people.”

Such cyberattacks could result in serious economic damage by leaving companies temporarily unable to conduct business, according to Hartwig. At a minimum, he said, the law should specify under what conditions such situations may qualify for coverage. “It would have to get into the text of the law,” he said.

Uphill Battle Seen.

However, Hartwig conceded that the outlook is dim for getting such concerns resolved at this point in the reauthorization process.

Holtz-Eakin said that passing legislation that explicitly takes on cyberterrorism questions related to TRIA wouldn't be a bad idea, but there appears to be little appetite for it on Capitol Hill currently.

“It would be perceived as an expansion of the program, and that would be very tough,” he said.

To contact the reporter on this story: Alexei Alexis in Washington at

To contact the editor responsible for this story: Heather Rothman at