July 15 --Cyberterrorism, a growing national security threat, isn't specifically addressed in the Terrorism Risk Insurance Act (TRIA) reauthorization bills moving through Congress, prompting concerns that U.S. businesses may be left with no backstop for damages from such attacks, including claims for business interruption and financial losses.
The Senate is scheduled to take up a TRIA reauthorization measure (S. 2244) on July 17 without provisions on cyberterrorism, although the matter was addressed in a bill report from the Senate Committee on Banking, Housing, and Urban Affairs. A version (H.R. 4871) that is expected to be considered in the House soon also lacks cyberterrorism language.
Some stakeholders say that amending TRIA to clarify cyberterrorism issues would bring legal certainty in this area at a time when the marketplace urgently needs it. However, such a move could be seen as an expansion of the program, which might be a tough sell on Capitol Hill.
With the law set to expire on Dec. 31, other players are focused on making sure that a reauthorization bill gets to the White House as soon as possible.
“We're not interested in derailing the process by asking more questions,” Kevin McKechnie, senior vice president of the American Bankers Insurance Association, told Bloomberg BNA. “If we think there needs to be clarification we will, perhaps, ask for it at some future date.”
The Senate bill, approved unanimously by the Banking Committee last month, would extend TRIA for seven years with minor adjustments. A more controversial version pending in the House (H.R. 4871) would renew the law for five years, with tougher changes designed to put a greater share of responsibility on the private sector.
TRIA provides a government financial backstop when the property insurance industry incurs more than $100 million in claims for a single terrorist attack. It was first enacted in 2002 in the wake of the Sept. 11, 2001, terrorist strikes, to jump-start the property insurance industry, which incurred almost $32 billion in losses from the 2001 attacks. Congress renewed the law in 2005 and again in 2007.
TRIA leaves it up to the Department of Treasury to certify events as “acts of terrorism,” based on a set of statutory criteria. For example, the event must have been “violent,” or “dangerous” to human life, property or infrastructure, and it must have been committed by individuals on behalf of a foreign person or foreign interest, “as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.”
The fact that the law doesn't specifically mention cyberterrorism is potentially a huge liability problem for the U.S. business community, according to Brian Finch, a partner at Pillsbury Winthrop Shaw Pittman LLP.
“There are some strong arguments that cyberattacks resulting in physical damage should be covered under TRIA as it exists, but there is nothing definitive to that effect,” Finch told Bloomberg BNA. “It would be good if it were clearer whether TRIA covers losses from such attacks, including claims for business interruption, financial losses and other types of liability.”
Without adequate coverage, “companies could be in grave financial danger if a significant cyber event occurs,” he said.
The legal uncertainty is especially problematic in light of the fact that cyberterrorism is increasingly being seen as a major national security threat, according to Douglas Holtz-Eakin, president of the American Action Forum, a Washington think tank.
“The science fiction aspects of this are over,” Holtz-Eakin told Bloomberg BNA, adding that cyber-related issues under TRIA have been “exceedingly unclear.”
Larry Clinton, president of the Internet Security Alliance, a Washington trade group representing stakeholders such as Verizon Communications Inc., General Electric Co., Boeing Co., Lockheed Martin Corp. and Wells Fargo & Co., said that TRIA probably needs to be updated in light of evolving cyberterrorism concerns, although his group hasn't been lobbying on the issue.
“There is certainly industry confusion here,” Clinton told Bloomberg BNA.
Tom Santos, vice president of federal affairs at the American Insurance Association, said his group is comfortable with approaching cyberterrorism under the existing legal framework.
“We don't think there's any need for clarification from Congress,” he said in a Bloomberg BNA interview. “Our view is that it's better to address these issues under the policy terms. Once you try to define it statutorily, you open up a whole can of worms.”
One alternative option, if some stakeholders insist on having more legal clarity, might be for the Treasury Department to issue a “frequently asked questions” document or some other form of guidance on the matter, he said.
Peter Beshar, executive vice president and general counsel for Marsh & McLennan Cos., a leading insurance brokerage firm, urged Congress to intervene, in testimony provided to the Senate Banking Committee in September 2013.
“Currently, there is uncertainty if TRIA would cover an act of cyber terrorism that resulted in catastrophic loss,” he said in prepared remarks. “There is not clear language in the law that states unambiguously that cyber terrorism would fall within the scope of TRIA; we, therefore, recommend that Congress analyze the best way to address this new terrorism risk in the reauthorization of the TRIA program.”
He noted that former Homeland Security Secretary Janet Napolitano cautioned in her farewell address last year that the nation will, at some point, face a major cyber-related event that will have “a serious effect on our lives, our economy, and the everyday functioning of our society.”
The impact of a “cyber 9-11” event, Beshar told senators, “could be crippling, particularly if the attack were directed at one or several of the nation's critical infrastructures such as our telecommunications networks, food and water supplies, or health care institutions.”
During the Senate Banking Committee's consideration of S. 2244, Sen. Jack Reed (D-R.I.) said he believed it was the panel's intention that cyberattacks “would continue to fall within the scope of TRIA's covered lines, as they do today, provided that the statutory prerequisites are met.”
Reed's comment was cited in a committee report accompanying the bill. According to the report, the committee has chosen to maintain “the Treasury Secretary's existing broad discretion and authority to certify any kind or mode of terrorist attack regardless of how the attack is carried out provided that the certification criteria is met,” although the panel also acknowledges the emergence of new cyberthreats since TRIA was first enacted by Congress.
The report language, which is nonbinding, is designed to add to the legislative history of the process and express the intent of the bill, a committee aide told Bloomberg BNA.
The committee's position on the issue makes sense from a policy perspective, Norma Krayem, a principal at Squire Patton Boggs LLP, told Bloomberg BNA.
“Cyberattacks are considered the primary concern now, but--as the committee report acknowledges--there are also nuclear, biological, chemical and radiological threats,” she said in an e-mail. “While TRIA was created as the result of physical attacks on the U.S., an 'all-hazards' approach needs to be acknowledged within this federal backstop.”
The committee's action was welcomed by Marsh & McLennan.
“We commend the Senate Banking Committee for making clear in its report accompanying S. 2244 that TRIA would apply in the event of a large-scale cyber terrorist attack,” Beshar said in an e-mail.
Other stakeholders suggested that more work could be done on the issue.
Holtz-Eakin told Bloomberg BNA that the report language represents “a great step” toward removing any uncertainty.
“The only thing that would be more definitive would be to include cyberattacks in statutory language,” he said.
Henry Willis, director of the Homeland Security and Defense Center at RAND Corp., said the committee report language helps to clarify congressional intent, but still leaves some room for uncertainty.
“My understanding is that the business of cyberinsurance is evolving and there remains some uncertainty about which lines of insurance would be affected,” he told Bloomberg BNA.
The remaining uncertainty, Willis said, “involves whether cyberinsurance policies are written on property and casualty lines or on some other line of business, such as professional liability. Not all lines of insurance are covered under TRIA.”
Robert Hartwig, president of the New York-based Insurance Information Institute, said the report language is “encouraging” in that it confirms what is commonly believed to be the case with respect to cyberterrorism. However, the committee's action “does not change much,” he said.
“I don't believe there's any ambiguity where the cyberattack results in the kind of losses that are normally covered by terrorism insurance policies today,” Hartwig told Bloomberg BNA. “But it potentially arises in business interruption cases where there is no physical damage or destruction, and perhaps some other situations as well. If we had a scenario such as the power grid being brought down, without causing damage to machinery or equipment, there would, in general, be no coverage forthcoming from a terrorism policy. That might surprise some people.”
Such cyberattacks could result in serious economic damage by leaving companies temporarily unable to conduct business, according to Hartwig. At a minimum, he said, the law should specify under what conditions such situations may qualify for coverage. “It would have to get into the text of the law,” he said.
However, Hartwig conceded that the outlook is dim for getting such concerns resolved at this point in the reauthorization process.
Holtz-Eakin said that passing legislation that explicitly takes on cyberterrorism questions related to TRIA wouldn't be a bad idea, but there appears to be little appetite for it on Capitol Hill currently.
“It would be perceived as an expansion of the program, and that would be very tough,” he said.
To contact the reporter on this story: Alexei Alexis in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Heather Rothman at email@example.com
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)