TRIA Non-Renewal: Your Next Steps

Two days after Congress adjourned for the year without reauthorizing the Terrorism Risk Insurance Program Reauthorization Act of 2014 (TRIPRA), many organizations are working to understand the impact on their insurance programs when the federal insurance backstop expires on Dec. 31, 2014.

Most experts had expected Congress to reauthorize the law in some form. The failure to do so has implications for insureds with TRIPRA terrorism coverage in almost any line, with particular concerns for property, primary and excess liability, workers’ compensation and captive programs.

Organizations that purchased terrorism coverage as part of their insurance programs (and not as a standalone program) may be affected. Potential solutions will depend on individual programs and needs but may include:

  1. Re-approaching insurers to see if they will not invoke sunset clauses or conditional terrorism exclusions, and provide stop-gap coverage until either Congress renews TRIPRA or the policy expires.
  2. Looking to the global standalone terrorism insurance markets for stop-gap coverage. The standalone market has large but limited capacity — it will not be able to fill all requests.
  3. Canceling and rewriting insurance programs with new markets that are able to offer terrorism limits (without sunsets).
  4. Seeking agreement from markets without sunsets to assume terrorism risk from sun-setting markets on the same risks.

It must be noted that these options may come with additional premium charges. Also, organizations should explore any loan, lease or other contracts or covenants that may require them to purchase terrorism coverage.

Congress is set to reconvene on Jan. 6, 2015. It is unclear how congressional leadership will deal with the issue, although some have already been quoted in the media as saying TRIPRA will be a top priority for the new Congress. Among the possible scenarios are:

  1. Immediately after reconvening, Congress could pass a short-term reauthorization to allow the new Congress to formulate a long-term reauthorization bill, which could be materially different than the 2014 version.
  2. Alternatively, both the House and Senate could immediately reintroduce new legislation mirroring the 2014 bill and pass it on an expedited basis.

Am I Covered For Cyber-Terrorism?

Are you covered for cyber-terrorism? If you have not purchased Cyberliability insurance, the answer is likely no. A General Liability policy needs bodily injury, property damage or possibly an advertising injury to respond. Property insurers don't view data as tangible property, and a property policy needs a peril like wind, fire or hail to respond to a loss. Crime policies cover embezzlement by employees. In the event of a cyber-terrorism loss, you can look to all of these policies for coverage, but there is only one policy that is designed specifically for this type of exposure — Cyberliability.

The next question is, what constitutes cyber-terrorism? When you think of activities committed by a terrorist, your first thoughts might be actions that lead to death or destruction of property. There are other ways terrorists can inflict harm, including through electronic means.

Below are scenarios that might be covered by a properly structured Cyberliability policy:

  1. Hackers funded by a foreign government get into your insured's network and cause private information to be leaked into the public domain.
  2. Hackers funded by a hostile party hijack an insured's network and computers and use them to cause a denial of service attack against other third parties, who then sue the insured for not preventing such an event.
  3. Unnamed hackers from a foreign nation deliver a virus to an insured's network and wipe out 30,000 company laptops causing a business interruption loss.
  4. Foreign-sponsored hackers launch denial of service attacks at everyone in the insured's industry in retaliation for some action taken by our own government. The business interruption may be covered, as well as a security breach arising from the attack.
  5. Hackers penetrate the control system for a manufacturing client's assembly line and prevent them from producing their product.
  6. Hackers replace a client's website with offensive or politically motivated content that causes people to sue for emotional distress, libel or slander.
  7. Hackers penetrate an insured's network and threaten to release private records or intellectual property.

Sadly, the array of bad things for a terrorist to try extends far beyond the items listed above. They are out there working on ways to cause mayhem without leaving the comfort of wherever they may call home.

To most insurers, it won't matter who is behind the security breach. The hackers can be foreign-sponsored, the kid next door, a disgruntled former employee or an organized crime gang. Coverage should apply regardless of who funded the attack. Cyberliability insurance policies are there to respond to liability claims arising from a security breach as well as some first-party expenses. There are also policies that include coverage for data restoration expenses and business interruption losses.

You probably won't see a policy that states, “You are covered for cyber-terrorism”; however, you should look for any definition of what constitutes a hacker. We have yet to see any definition that differentiates between prankster hackers, criminal hackers, political hackers, organized crime hackers or any other group. It is in the policyholder's favor that the definition isn't limited by a detailed description.

Most policies will be silent regarding the origin of the network attack; it remains your responsibility to be vigilant for any terrorism exclusion as well as acts of war exclusions. If you have been reading the newspapers lately, you have seen articles alleging that other nations have sponsored network attacks against companies and defense contractors in the United States. Some of those alleged foreign nations include Iran, China and North Korea. Our government hasn't classified those as acts of war, but at some point those actions could be deemed a precursor to war. A declaration of war usually requires a vote by Congress, which could take months, meaning that an insurer would likely have to wait to respond until the point a formal declaration of war is made. Insurers aren't intending to cover an aspect of war between two countries, but if an insured's computer network is collateral damage, they should provide coverage for the damages and liability.

A commonly asked Cyberliability question concerns the theft of intellectual property by a foreign nation, company or other party. Unfortunately, that first-party loss is not contemplated in current Cyberliability insurance policies. There are intellectual property policies out there designed to defend and enforce patents, but it can be challenging to prove who took the information and how to find them. Those policies usually respond to claims once a competing product with the same or similar design(s) is sold on the open market. The theft of digital blueprints may not be enough to trigger these policies. There are also issues regarding the enforceability of intellectual property rights outside the United States.

A quick search of our major metropolitan newspapers shows that a number of industries are in the sights of a variety of hacker groups. The current list of primary targets includes financial institutions, power companies and defense contractors. In light of these ongoing activities of terrorists and state-sponsored hackers, it remains a good time to look at Cyberliability insurance. Your clients may not specifically be targeted by cyber-terrorists, but their network could suffer collateral damage or be used to inflict damage upon others.