The Treasury Department is soliciting public feedback on whether it should change a terrorism risk insurance program to address cyber-related losses.
In a Federal Register notice set for publication Wednesday, Treasury seeks comment from the public for a mandatory report it must deliver to Congress this summer on the effectiveness of the terrorism risk insurance program (TRIP) created by the 2002 Terrorism Risk Insurance Act. That law arose from the Sept. 11 terror attacks and provided a federal backstop to make terrorism risk insurance more available and affordable.
Some experts have suggested that the cyber insurance industry should also get a federal backstop as the industry struggles to develop fully. With the law set to expire at the end of 2027, tying it to the reauthorization of the terrorism risk insurance law could be one way to get Congress to create such a cyber backstop.
Among the topics Treasury hopes commenters will address before it sends the report to Congress in June is the interaction between the terrorism risk insurance law and program, and cybersecurity. The agency will accept comments until May 8.
That includes: “Any potential changes to TRIA or TRIP that would encourage the take up of insurance for cyber-related losses arising from acts of terrorism as defined under TRIA, including, but not limited to the potential modification of the lines of insurance covered by TRIP and revisions to any of the current sharing mechanisms for cyber-related losses, such as, for example, the individual insurer deductible or the federal share percentage.”
In 2021, Treasury issued a rule making it clear that TRIP could cover cyber losses when written in a TRIP-eligible line of insurance. However, a Government Accountability Office report last year outlined some of the limitations there.
“Because TRIA was designed specifically as a federal backstop for losses from acts of terrorism, only losses from cyberattacks certified by Treasury as acts of terrorism would have TRIA coverage,” it states. “As a result, even large cyberattacks that result in catastrophic losses would not be covered under TRIA if they were not certified as acts of terrorism.”
Treasury said in its Federal Register notice that it wants feedback on cyber-related terrorism losses within TRIP and losses outside of it.
Cyberattacks would need to meet definitions under the terrorism risk insurance law to be certified. They need to be violent or otherwise dangerous to life, property or infrastructure, and designed to influence the U.S. population or government. Damage to U.S. organizations outside the United States still might not qualify.
Medical device maker Stryker recently suffered a wiper attack, with the pro-Palestinian, Iranian government-linked group Handala taking credit. It said the attack was in retaliation for U.S. and Israel military strikes against Iran, specifically a U.S. missile strike on a school that killed 175 people, according to Iran’s government.
Facts Only
Treasury Department is soliciting public feedback
Terrorism Risk Insurance Program (TRIP) created by the 2002 Terrorism Risk Insurance Act
Program provides federal backstop for terrorism risk insurance
Law set to expire at the end of 2027
Comments accepted until May 8
Topics for comments include interaction between terrorism risk insurance law and program, and cybersecurity
Executive Summary
Full Take
The article discusses the possibility of expanding the Terrorism Risk Insurance Program to include cyber-related losses. This suggestion comes amidst struggles in the cyber insurance industry to fully develop. The potential link between the reauthorization of the terrorism risk insurance law and the creation of a cyber backstop is highlighted. The article also mentions the limitations of the current program in covering cyberattacks certified as acts of terrorism.
Patterns detected: ARC-0024 Ambiguity (the article suggests a potential link between the reauthorization of the terrorism risk insurance law and the creation of a cyber backstop, but it is not explicitly stated that this is the intention)
The expansion of the Terrorism Risk Insurance Program to include cyber-related losses raises questions about the definition of acts of terrorism in the digital realm and the potential impact on the cyber insurance industry. It also brings up broader questions about the role of the government in providing insurance backstops and the balance between public safety and private sector autonomy.
Bridge questions: How should the definition of acts of terrorism be expanded to include cyberattacks? What implications would the expansion of the Terrorism Risk Insurance Program to include cyber-related losses have for the cyber insurance industry and the government's role in providing insurance backstops?
Sentinel — Human
This article is likely human-written, as it exhibits complex sentence structures, varying sentence lengths, and a personal voice. However, it's important to note that AI-assisted writing tools might have been used to help in the drafting process.
