
Rethinking Risk Management in a COVID-19 World

If there was ever a moment for risk managers to shine, this is it. In many companies, risk managers have won kudos because backup plans have made the transition to telework smoother than it easily could have been (though I feel awful for those working in restaurants, hotels and other businesses who have been furloughed or fired because their jobs simply can’t be done at a distance). Even when there have been unanticipated problems–and so very many companies face problems that go well beyond any telework issues–no one can play down the importance of risk management in a world turned upside down so suddenly by the COVID-19 health crisis and the economic chaos that has followed.

Last week’s “Future of Risk” conference, held by The Institutes, hit some risk-management themes that I think will be key as we all prepare for the new normal, and I’ll highlight the boldest one I heard. It came during the opening session, a panel moderated by The Institutes’ CEO Peter Miller.

Markham McKnight, CEO of BXS Insurance, said the U.S. needs a national risk strategy, rather than the current piecemeal approach–one bit of legislation providing flood insurance, one addressing terrorism, etc., with much of the work being done through emergency legislation crafted in the middle of the crisis that a virus, a hurricane or a wave of wildfires produces. A robust national strategy would provide an overarching framework for assessing all the risks and for funding ways to reduce those risks, as well as to pay for redress when the inevitable occurs.

“The absence of a national program leaves us just kicking the can down the road,” McKnight said. “Legislation gets renewed, but only so we can keep doing business.”

He said there should be a national risk pool in the U.S. that would take a comprehensive look at exposures and suggested the insurance industry could provide leadership on how to quantify and mitigate the risks.

Tony Kuczinski, CEO of Munich Re America, agreed with the need for industry involvement, saying he had signed a letter encouraging such a plan. “It’s four or five times as expensive to fix a problem after the fact than it is to be proactive,” Kuczinski said. “You just have to have the stomach to tackle the problem up front.”

Joan Lamm-Tennant, CEO of Blue Marble Microinsurance, which operates in the developing world, said she’d “globalize those thoughts.” She said she’s “experiencing a real call to action on behalf of governments and quasi-governments and a willingness to work more with the private sector.”

She recommended a model along the lines of the Terrorism Risk Insurance Act (TRIA), enacted in the U.S. in 2002, following the 9/11 attacks. Under TRIA, insurance is provided via the private sector, but government acts as a backstop. That backstop “gradually recedes as the private markets get more data and get stronger,” Lamm-Tennant said. Such a public-private approach, she said, would let us avoid setting up “some new government agency”–a goal that I’m sure we all applaud.

Perhaps I’m jaded from decades of watching inaction in Washington, but I doubt Congress will get as far as a national risk plan. I imagine most risks will still be treated piecemeal. I do think that, as long as people are throwing trillions of dollars around, considerable resources could be brought to bear. Legislators, like generals, tend to fight the last war, so the focus will surely start with public health, but other risks could win attention if a compelling enough argument is made.

I like this one: The U.S. spends north of $700 billion a year on the military as a sort of insurance policy against the chance that Russia will lob a bunch of missiles on New York City; maybe it’s time to mitigate some other risks, too.

And I hope the insurance industry can lend its expertise in identifying, quantifying and managing those risks.

In the meantime, I dearly hope you all stay safe.

Cheers,

Paul Carroll

Editor-in-Chief

P.S. I was delighted to see that more insurance companies are staking a claim to the moral high ground in the pandemic. Following reports two weeks ago that some health insurers were waiving out-of-pocket costs for coronavirus patients, two auto insurers said Monday that they are rebating premiums to customers, since driving has dropped so much. Allstate said it is rebating $600 million, and American Family Insurance, $200 million. As I wrote a week ago, I hope the entire industry will do whatever it can for customers during what will surely be a defining stretch. So far, so good.

Actuaries Beware: Pricing Cyber Risk Is a Different Ballgame

Growth in the cyber insurance market has recently occurred at warp speed, with more than 60 companies writing in the U.S. alone and with market premiums amounting to approximately $2.5 billion annually. The impressive year-over-year growth is expected to continue into the foreseeable future, with a variety of estimates placing market premium between $7.5 billion and $20 billion by the end of 2020.

This impressive premium growth is driven by several factors — perhaps most notably, regular news coverage of the various types of cyber attacks, which drives both awareness and fear. Not surprisingly, cyber risk has become a board-level concern in today’s increasingly connected world. Additionally, the recent growth of the Internet of Things has given rise to a seemingly infinite number of attack vectors affecting every industry. Individuals and entities of any size, spanning all regions of the world, are potential victims.

The rush to ship new apps and devices that link to one another, with little attention paid to the security of those apps or devices, gives reason to worry. It also creates an immediate need for a suite of security analytics products that helps insurance companies write cyber insurance more confidently.

State of Data

Actuaries are creative and intelligent problem solvers, but this creativity and intelligence is tested thoroughly when pricing cyber insurance. Actuaries still need the same suite of products used within any other catastrophe-exposed lines of business, but there are many challenges and complications with respect to cyber insurance that make this a particularly difficult task. That is, we still need an underwriting tool, an individual risk-pricing tool and a catastrophe-aggregation model, but certain aspects of these tools vary significantly from what we’ve seen in the past or have grown accustomed to as actuaries.

Data lies at the center of any actuarial project, but data in this space is very limited for a number of reasons. To consider why this is the case, let’s take a step back and consider the wider context. We first want to think about both how to define the cyber peril and what types of attacks are possible.

Risks could lie anywhere between smaller attacks on individuals involving brute-force attempts to steal credentials and conduct identity theft; and state-sponsored attacks on another government entity involving both physical damage and theft of critically sensitive intelligence. We may see malware deployed on a commonly used piece of software or hardware at a massive scale; infrastructures or processes taken down using denial of service; or a breach of a popular database or platform that affects many entities simultaneously.

Many of the attack variants in this hypothetical list have never happened, and some may never happen. Even within those that have happened, information pertaining to the breach — both in terms of the attack specifics used or the actual dollar impact of the attack — is hard to come by.

Several third-party data sources are currently available, but they tend to concentrate primarily on those pieces of data or attack types that are most accessible — particularly data breach and privacy violation claims. This, naturally, is a very small subset of what we need to price for as actuaries.

Unfortunately, there is fairly loose regulation around the reporting of different types of attacks. Even within the data breach family, there is a tremendous lack of standardization across states with respect to reporting. Criteria for whether a report is required may include whether the data was encrypted, how many people were actually affected by the breach and the type of data stolen (PHI, PII, payment card data, etc.).


External research can be done on public sources to find the aggregate amount of loss in some cases, but there is little to no incentive for the breached entity to provide more information than is absolutely required. Thus, while we want to price data breach events at a very granular level, it’s often difficult to obtain dollar figures at this level. For instance, a data breach will lead to several costs, both first party and third party. A breached entity, at minimum, will likely have to:

  • Notify affected customers;
  • Offer credit monitoring or identity-theft protection to those affected;
  • Work with credit card companies to issue new credit cards;
  • Foot bills associated with legal liability and regulatory fines; and
  • Endure reputational damage.

It’s impractical to assume that a breached entity would find it attractive to publicize the amount lost to each of these individual buckets.

Worse, other events that either don’t require reporting or have never happened clearly give us even less to work with. In these cases, it’s absolutely critical that we creatively use the best resources available. This approach requires a blend of insurance expertise, industry-specific knowledge and cyber security competence. While regulation will continue to grow and evolve — we may even see standardization across both insurance coverages offered and reporting requirements by state or country — we must assume that in the near future, our data will be imperfect.

Actuarial Challenges

Though many companies have entered the cyber insurance space, very few are backed by comprehensive analytics. Insurers eager to grab market share are placing too much emphasis on the possibility of recent line profitability continuing into the future.

The problem here is obvious: Cyber insurance needs to be priced at a low loss ratio because of catastrophic or aggregation risk. Once the wave of profitability ends, it could do so in dramatic fashion that proves devastating for many market participants. The risk is simply not well understood across the entirety of the market, and big data analytics is not being leveraged enough. In addition to the glaring data and standardization issues already discussed, actuaries face the following eight key challenges:

1. No Geographical Limitation

On the surface, the cyber realm poses threats vastly different from what we’ve seen in other lines of business. Take geography. We are used to thinking about the impact of geography as it pertains to policyholder concentration within a specific region. It’s well understood that, within commercial property insurance, writers should be careful with respect to how much premium they write along the coast of Florida, because a single large hurricane or tropical storm can otherwise have an absolutely devastating effect on a book of business. Within the cyber world, this relationship is a bit more blurry.

We can no longer just look at a map. We may insure an entity whose server in South Africa is linked to an office in Ireland, which, in turn, is linked to an office in San Francisco. As existing threat actors are able to both infiltrate a system and move within that system, the lines drawn on the map have less meaning. Not to say they’re not important — we could have regulatory requirements or data storage requirements that differ by geography in some meaningful way — but “concentration” takes a different meaning, and we need to pay close attention to the networks within a company.

2. Network Risk From an External Perspective

In the cyber insurance line, we need to pay attention to the networks external to an insured company. It’s well documented that Target’s 2013 data breach began with network credentials stolen from a third-party HVAC contractor, which the attackers used to get into Target’s environment. Examining Target’s own systems in isolation would not have revealed the exposure created by that vendor relationship.

As underwriters and actuaries, we need to be well aware of the links from one company to another. Which companies does an insured do business with or contract work from? Just as with the linked apps and devices mentioned above, the network we are worried about is only as strong as its weakest link. Another example is the 2016 theft from Bangladesh Bank. Attackers compromised the bank’s own environment and used its legitimate access to the SWIFT messaging network to issue fraudulent transfer instructions; similar intrusions at other SWIFT member banks came to light around the same time, showing that every participant in a shared financial network is exposed to the weakest member’s security perimeter.

3. Significance of the Human Element

Another consideration and difference from the way we traditionally price is the addition of the human element. While human error has long been a part of other lines of business, we have rarely considered the impact of an active adversary on insurance prices. The one exception to this would be terrorism insurance, but mitigation of that risk has been largely assisted by TRIA/TRIPRA.

However, whenever we fix a problem simply by imposing limits, we aren’t really solving the larger problem. We are just shifting liability from one group to another; in this case, the liability is being shifted to the government. While we can take a similar approach with cyber insurance, that would mean ultimately shifting the responsibility from the insurers to the reinsurers or just back to the insureds themselves. The value of this, to society, is debatable.


A predictive model becomes quite complex when you consider the different types of potential attackers, their capabilities and their motivations. It’s a constant game of cat and mouse, where black hat and white hat hackers are racing against each other. The problem here is that insurers and actuaries are typically neither white hat nor black hat hackers and don’t have the necessary cyber expertise to confidently predict loss propensity.

4. Correlation of Attacks

In attempting to model the “randomness” of attacks, it is important to think about how cyber attacks are publicized or reported in the news, about the reactions to those attacks and the implications for future attacks. In other words, we now have the issue of correlation across a number of factors. If Company A is breached by Person B, we have to ask ourselves a few questions. Will Company A be breached by Person C? Will Person B breach another company similar to or different from Company A? Will Person D steal Person B’s algorithm and use it on an entirely different entity (after all, we’ve seen similar surge attacks within families such as ransomware)? If you as the reader know the answers to these questions, please email me after reading this paper.

5. Actuarial Paradox

We also have to consider the implications on the security posture of the affected entity itself. Does the attack make the perimeter of the affected company weaker, therefore creating additional vulnerability to future attacks? Or, alternatively, does the affected company enact a very strong counterpunch that makes it less prone to being breached or attacked in the future? If so, this poses an interesting actuarial dilemma.

Specifically, if a company gets breached, and that company has a very strong counterpunch, can we potentially say that a breached company is a better risk going forward? Then, the even-more-direct question, which will surely face resistance, is: Can we charge a lower actuarial premium for companies that have been breached in the past, knowing that their response to past events has actually made them safer risks? This flies directly in the face of everything we’ve done within other lines of business, but it could make intuitive sense depending on incident response efforts put forth by the company in the event of breach or attack.

6. Definition of a Cyber Catastrophe

Even something as simple as the definition of a catastrophe is in play. Within some other lines of insurance business, we’re used to thinking about an aggregate industry dollar threshold that helps determine whether an incident is categorized as a catastrophe. Within cyber, that may not work well. For instance, consider an attack on a single entity that provides a service for many other entities. It’s possible that, in the event of a breach, all of the liability falls on that single affected entity. The global economic impact as it pertains to dollars could be astronomical, but it’s not truly an aggregation event that we need to concern ourselves with from a catastrophe modeling perspective, particularly because policy limits will come into play in this scenario.

We need to focus on those events that affect multiple companies at the same time and, therefore, provide potential aggregation risk across the set of insureds in a given insurance company’s portfolio. This is, ultimately, the most complicated issue we’re trying to solve. Tying together a few of the related challenges: How are the risks in our portfolio connected with each other, now that we can’t purely rely on geography? Having analytical tools available to help diagnose these correlations and the potential impacts of different types of cyber attacks will dramatically help insurers write cyber insurance effectively and confidently, while capturing the human element aspect of the threats posed.
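To make the aggregation problem from sections 2, 4 and 6 concrete, here is an added example, not a model from the article or from any insurer’s toolkit. It assumes a small constructed portfolio of six hypothetical insureds, each with a policy limit, a daily revenue figure and the external providers it cannot operate without (a cloud host, a payment processor, and so on; all names are invented). It then compares the familiar concentration-by-region view with a concentration-by-shared-provider view, runs an outage scenario in which losses are capped by policy limits, and lists the insured pairs whose losses would be correlated through a common dependency even though they sit in different regions.

```python
"""Portfolio aggregation by shared dependency instead of geography.

Added illustration; not the article's model. Insureds, limits, revenues
and provider names are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample portfolio. 'depends_on' lists the external providers an
# insured cannot operate without (cloud host, payment processor, ...).
PORTFOLIO = [
    {"name": "Acme Retail",     "region": "US-East", "limit": 5_000_000,
     "daily_revenue": 400_000,   "depends_on": {"CloudA", "PayProcX"}},
    {"name": "Beta Health",     "region": "US-West", "limit": 8_000_000,
     "daily_revenue": 600_000,   "depends_on": {"CloudA", "EHRVendor"}},
    {"name": "Gamma Logistics", "region": "EU",      "limit": 3_000_000,
     "daily_revenue": 250_000,   "depends_on": {"CloudB", "PayProcX"}},
    {"name": "Delta Bank",      "region": "APAC",    "limit": 10_000_000,
     "daily_revenue": 2_000_000, "depends_on": {"CloudA", "SwiftGateway"}},
    {"name": "Epsilon Media",   "region": "EU",      "limit": 2_000_000,
     "daily_revenue": 100_000,   "depends_on": {"CloudB"}},
    {"name": "Zeta Hotels",     "region": "US-East", "limit": 4_000_000,
     "daily_revenue": 300_000,   "depends_on": {"CloudB", "PayProcX"}},
]


def exposure_by_region(portfolio):
    """Classic concentration view: total limit written per region."""
    totals = defaultdict(int)
    for ins in portfolio:
        totals[ins["region"]] += ins["limit"]
    return dict(totals)


def exposure_by_dependency(portfolio):
    """Cyber concentration view: total limit riding on each shared provider."""
    totals = defaultdict(int)
    for ins in portfolio:
        for provider in ins["depends_on"]:
            totals[provider] += ins["limit"]
    return dict(totals)


def scenario_loss(portfolio, failed_providers, outage_days):
    """Insured loss if the given providers are down for outage_days.

    Business-interruption loss is modelled as daily revenue times days,
    capped at the policy limit, so a single insured can never contribute
    more than its limit. Returns (portfolio_total, {insured: loss}).
    """
    losses = {}
    for ins in portfolio:
        if ins["depends_on"] & failed_providers:
            losses[ins["name"]] = min(ins["limit"],
                                      ins["daily_revenue"] * outage_days)
    return sum(losses.values()), losses


def worst_single_provider(portfolio, outage_days):
    """Probable-maximum-loss style search: which one provider outage hurts most?"""
    providers = {p for ins in portfolio for p in ins["depends_on"]}
    worst = max(providers,
                key=lambda p: scenario_loss(portfolio, {p}, outage_days)[0])
    return worst, scenario_loss(portfolio, {worst}, outage_days)[0]


def correlated_pairs(portfolio):
    """Pairs of insureds sharing at least one provider, with the shared set.

    These pairs are correlated regardless of where the insureds sit on a map.
    """
    pairs = []
    for a, b in combinations(portfolio, 2):
        shared = a["depends_on"] & b["depends_on"]
        if shared:
            pairs.append((a["name"], b["name"], shared))
    return pairs


if __name__ == "__main__":
    print("by region:  ", exposure_by_region(PORTFOLIO))
    print("by provider:", exposure_by_dependency(PORTFOLIO))
    print("CloudA down 5 days:", scenario_loss(PORTFOLIO, {"CloudA"}, 5))
    print("worst single provider, 5 days:", worst_single_provider(PORTFOLIO, 5))
    for a, b, shared in correlated_pairs(PORTFOLIO):
        print(f"{a} <-> {b} share {sorted(shared)}")
```

On this sample data the largest regional concentration is $10 million (APAC), but $23 million of limit rides on the single provider CloudA, and a five-day CloudA outage produces a $15 million portfolio loss even after policy limits cap Delta Bank’s share. Eight of the fifteen insured pairs are correlated through a shared provider, and six of those eight are in different regions, which is exactly the concentration a map cannot show. A production model would replace the linear revenue-times-days loss with a severity distribution and the fixed dependency list with data gathered at underwriting, but the structure of the calculation is the same.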

7. Dynamic Technology Evolution

If we can be certain of one thing, it’s that technology will not stop changing. How will modelers keep up with such a dynamic line of business? The specific threats posed change each year, forcing us to ask ourselves whether annual policies even work or how frequently we can update model estimates without annoying insurers. Just as we would write an endorsement in personal auto insurance for a new driver, should we modify premium mid-term to reflect a newly discovered specific risk to an insured? Or should we have shorter policy terms? The dynamic nature of this line forces us to rethink some of the most basic elements that we’ve gotten used to over the years.

8. Silent Coverage

Still, all of the above considerations only help answer the question of what the overall economic impact will be. We also need to consider how insurance terms and conditions, as well as exclusions, apply to inform the total insurable cost by different lines of insurance. Certain types of events are more insurable, some less. We have to consider how waivers of liability will be interpreted judicially, as well as the interplay of multiple lines of business.

It’s safe to assume that insurance policy language written decades ago did not place much emphasis on cyber exposure arising from a given product. In many cases, silent coverage of these types of perils was potentially entirely accidental. Still, insurers are coming to grips with the fact that this is an ever-increasing peril that needs to be specifically addressed and that there exists significant overlap across multiple lines of business. Exclusions or specific policy language can, in some cases, be a bit sloppy, leading to confusion regarding which product a given attack may actually be covered within. This becomes the last, but not least, problem we have to answer.

Conclusion

The emerging trends in cyber insurance raise a number of unique challenges and have forced us to reconsider how we think about underwriting, pricing and aggregation risk. No longer can we pinpoint our insureds on a map and know how an incident will affect the book of business. We need to think about both internal and external connections to an insured entity and about the correlations that exist between event types, threat actors and attack victims. In cases when an entity is attacked, we need to pay particular attention to the response and counterpunch.

As the cyber insurance market continues to grow, we will be better able to determine whether loss dollars tend to fall neatly within an increasing number of standalone cyber offerings or whether insurers will push these cyber coverages into existing lines of business such as general liability, directors and officers, workers’ compensation or other lines.

Actuaries and underwriters will need to overcome the lack of quality historical data by pairing the claims data that does exist with predictive product telemetry data and expert insight spanning insurance, cyber security and industry. Over time, this effort may be assisted as legislation or widely accepted model schema move us toward a world with standardized language and coverage options. Nonetheless, the dynamic nature of the risk, with new adversaries, technologies and attack vectors emerging on a regular basis, will require approaches that are continuously monitored and updated.


In addition, those that create new technology need to realize the importance of security in the rush to get new products to market. White hat hackers will have to work diligently to outpace black hat hackers, while actuaries will use this insight to maintain up-to-date threat actor models with a need for speed unlike any seen before by the traditional insurance market.

Some of these challenges may prove easier than they appear on paper, while some may prove far more complicated. We know actuaries are good problem solvers, but this test will be a serious and very important one that needs to be solved in partnership with individuals from cyber security and insurance industries.

Is Terrorism the New Normal for Insurers?

After several mass shootings across the U.S. – in Orlando, San Bernardino, Charleston and elsewhere that, whatever the motivation, created terror – the insurance industry is responding with new “standalone terrorism” coverage.

Does this reflect a level of acceptance of such incidents, and of gun violence, as a “new normal,” something we’ll just need to live with?

I don’t think so. In fact, the responses of insurers illustrate their key role: helping individuals, businesses and other organizations deal with unforeseen harm and tragedy, and recover from it.

As cited by Carrier Management in August, the FBI’s “Study of Active Shooter Incidents Between 2000 and 2013” reported that 70% of incidents took place in either a commerce/business or educational environment. The findings establish an increasing frequency of incidents, the report said.

Until this year, insurance didn’t respond to “lone wolf” shooting incidents because of two factors. One is the parameters set forth by the Terrorism Risk Insurance Act (TRIA). Staggered by the massive losses from the 9/11 attacks, Congress passed legislation that provided for similar, large events. To qualify for coverage through the act, losses from a terrorist event must total at least $5 million – far exceeding the property damages that have resulted from shootings and similar attacks.


The other factor is the lack of clarity regarding what’s covered by commercial general liability insurance. In the same article, John Powter, president of GDP Advisors in McKinney, Texas, says the general liability part of a commercial policy doesn’t clearly cover or exclude active shooter incidents. “There is a concern, or gray area, with the general liability policy – in reality, it was never designed to cover an active shooter incident,” he said.

The shift in the nature of terror

Earlier this year, Insurance Business reported on research by KPMG that noted that the changing nature of ideologically motivated crime has yet to be addressed by insurance coverages.

“There is a shift in the nature of terror,” the publication quoted KPMG partner Paul Merrey as saying. “In the 1990s, it was about property damage. The incidents we’re seeing now are about maximizing casualties. There is a gap between what insurers are providing cover for and what customers actually want.”

He added that the gap will “go from a gray area to excluded,” as was the case with cyber risks – which, in turn, led to entirely new cyberrisk insurance.

In a similar response, insurers introduced new standalone terrorism insurance earlier this year.

Bermuda-based insurer XL Catlin introduced an “active assailant” policy in February. The policy provides “time element” coverage, which includes business interruption and extra expense coverage.

Ben Tucker, head of U.S. terrorism and political violence insurance for the company, told Insurance Business that “the level of awareness is increasing quite dramatically, and it’s not limited to large-risk management types of exposures.” The company has received inquiries about the coverage from agents and brokers representing school districts, public buildings and small hospitality firms.

The policy, the publication reported, is triggered when an event involving a handheld weapon affects three or more people. In this policy, “affects” has a broad definition: a person affected could simply be a witness to such an event.

GDP Advisors in February introduced an Active Shooter Insurance Program underwritten through Lloyd’s of London. Powter told Carrier Management that the coverage originally was intended for educational institutions, but soon after it was launched GDP received inquiries from banks, hotels, sports venues, amusement parks and other businesses.

The real value: preventing injuries and losses

Powter added that the “real value of the policy” is in its provision of risk management and crisis response services. Those are important, he said, because many businesses and educational institutions are now learning how to best respond if an incident occurs at their facility.

And that’s perhaps the most important response by insurers. When they insure any organizations, insurers take steps — risk management services — to help prevent losses from occurring.

Those services are especially valuable to businesses and other entities that have purchased active assailant coverage. Students and teachers at schools where shootings have occurred said that the safety drills and procedures they practiced helped to minimize injuries and losses and, perhaps, save lives.

Does coverage for such attacks imply an acceptance of them? Only in the same sense that other types of insurance imply an acceptance of fires, storms or other natural disasters. They’re incidents that could happen, and require specific safeguards, preparation and insurance.


Society must address the threat of terrorism, whether via large attacks or the actions of one individual. Anyone who follows the news is familiar with the many options being discussed and debated by policymakers.

But as those threats persist, insurers must deliver both preventive measures and coverage for damages, whether to property or the psyches of survivors and witnesses. That’s the type of response we expect from insurance companies.

Has an International Cyber War Begun?

Cyber attacks were once on the periphery of American business consciousness. That mindset changed over the past two years. A series of devastating events, including the 2014 cyber attack against Sony, catapulted cyber liability concerns from an IT department issue to a major priority for boardrooms across America. As U.S. government officials concluded that North Korea was behind the attack, many C-suite executives suddenly found themselves asking questions. Is this the start of a cyber war? Could we be the next victim? If we are, how will it affect our operations and our bottom line? Do our insurance policies cover any of these costs?


Today, many insurance buyers look to their cyber insurance policies to fill coverage gaps that often exist in other policies. For example, a property policy may respond to physical damage from a named peril, but it will likely exclude loss for non-tangible assets as a result of a cyber attack. Similarly, a commercial general liability policy will likely provide liability coverage for causing bodily injury because of negligence but exclude coverage for liability because of a failure to secure sensitive data from hackers.

Many policyholders may be unaware that some, though not all, of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist in cases like the Sony breach, where government agencies, like the FBI, conclude that a foreign government or terrorist organization is responsible for the attack.

Is a Cyber Attack “Terrorism” or “War”?

Immediately following the Sony attack, President Obama referred to it by saying, “I don’t think it was an act of war . . . but cyber vandalism.” Then, on April 1, 2015, President Obama signed the Executive Order on Cybersecurity with the goal of protecting the private sector against hackers and thereby bolstering national security. The order seeks to identify and punish individuals behind attacks, but it could also lead some to categorize an apparent hacking event or act of cyber terrorism as an “act of war.”

Changes in government definitions trickle down into coverage disputes because many policies that exclude or include “war,” “terrorism” or “cyber terrorism” either fail to define those terms or define them by referring to standard government definitions.

Government Definitions of Terrorism, Cyber Terrorism and War

THE TERRORISM RISK INSURANCE ACT (TRIA)

“Act of terrorism” is defined as any act certified by the secretary of the Treasury in concurrence with the secretary of State and the attorney general of the U.S. to be:

» an act of terrorism

» a violent act or an act that is dangerous to human life, property or infrastructure

» an act resulting in damage within the United States or Outside (on a U.S.-flagged vessel, aircraft or U.S. mission)

» an act committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population, U.S. policy or the U.S. government.

The secretary of the Treasury may not delegate his certification authority, and his decision to certify an act or not is not subject to judicial review.

DEPARTMENT OF DEFENSE (DOD)

The DOD defines “terrorism” as “the unlawful use of violence or threat of violence, often motivated by religious, political or other ideological beliefs, to instill fear and coerce governments or societies in pursuit of goals that are usually political.” The term “act of war” is understood to mean “a use of force [that may] invoke a state’s inherent right to lawful self-defense.”

DEPARTMENT OF JUSTICE (DOJ)/FEDERAL BUREAU OF INVESTIGATION (FBI)

The FBI defines “cyber terrorism” as “the premeditated, politically motivated attack against information, computer systems, computer programs and data [that] results in violence against non-combatant targets by subnational groups or clandestine agents.”

DEPARTMENT OF HOMELAND SECURITY (DHS)

The National Infrastructure Protection Center (NIPC), formerly a branch of DHS, defines “cyber terrorism” as “a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.”

Cyber Terrorism and the ‘Act of War’ Exclusion

Cyber policies are relatively new and manuscript products; as such, the wording varies significantly. Many policies contain a standard exclusion for “war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority…” An attack by the Taliban, for example, would probably fit within the exclusion as an act sponsored by a “public or local authority.”

Traditionally, war exclusions were relatively narrow; they required an actual war or, at the very least, “warlike operations”; “for there to be a ‘war,’ a sovereign or quasi-sovereign must engage in hostilities.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 1005 (2d Cir. 1974) (finding that a Jordanian terrorist group that hijacked a plane was not a de facto government for the purposes of applying the war exception).

However, the events of Sept. 11, 2001, changed the way certain events and groups were perceived and classified, ultimately leading many to label the 2014 cyber attack on Sony an “act of war.”


Litigation surrounding the Sept. 11 attacks led directly to an expanded view of the war exclusion. For one thing, the Second Circuit Court of Appeals ruled that the attacks were an “act of war.” In In re Sept. 11 Litig., 931 F. Supp. 2d 496, 512 (S.D.N.Y. 2013), an owner of a building near the site of the World Trade Center attacks sought to recover cleanup and abatement expenses for removing pulverized dust that infiltrated the owner’s building after the collapse of the Twin Towers. He sued under the Comprehensive Environmental Response, Compensation, and Liability Act (CERCLA), which allows strict liability claims in pollution cases, but the court applied CERCLA’s “act of war” exception to strict liability.

In concluding that the attacks were an act of war, the court commented that “Al Qaeda’s leadership declared war on the United States, and organized a sophisticated, coordinated, and well-financed set of attacks intended to bring down the leading commercial and political institutions of the United States,” id. at 509, and that “as we learned in the twentieth century, and as has been true throughout history, war can take on a formal structure of armies in contrasting uniforms confronting each other on battlefields, and war can persist for years, fought by irregular, insurgent forces and capable of causing extraordinary damage,” id. at 511.

This expansion of the legal definition of “act of war” to include acts by “irregular, insurgent forces and capable of causing extraordinary damage” could lead to attacks by hacktivist groups or foreign intelligence services being considered acts of war and therefore excluded from cyber policies.

Cyber Insurance and TRIA

The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurers in the event of large terrorism-related losses (more than $100 million). There is debate over whether TRIA applies to cyber policies at all. TRIA applies to commercial property and casualty insurance coverage, but some cyber policies are written as another line of coverage, such as professional liability, which is not included in TRIA.

Even assuming that TRIA would apply to cyber insurance, for TRIA coverage to be in effect, (1) there must be losses, resulting from property damage, exceeding $100 million; and (2) they must be caused by a certified terrorism event:

(1) Property Damage: For TRIA to apply, physical property damage must occur, and what constitutes “physical damage” in the context of a cyber attack remains an open question. What we do know is that TRIA will probably not cover business interruption or reductions in business income absent some physical loss or property damage. Many cyber attacks do not involve any physical damage, which would exclude TRIA coverage.

(2) A Certified Terrorism Event: For TRIA to apply to any event, the event would need to be certified as an act of terrorism. This onerous and political certification process requires the secretary of the Treasury, secretary of State and attorney general to agree that an incident was an “act of terrorism.” Many political and economic issues factor into certifying a terrorism event, which can lead to counterintuitive results. For instance, as of the date of this publication, the April 2013 Boston Marathon bombing has not been certified as a terrorist act.

Conclusion

To ensure coverage for cyber terrorism and cyber warfare, buyers of cyber insurance will need to seek out a cyber risk insurance policy that explicitly includes this coverage in the broadest terms possible. As more insurance carriers enter the cyber insurance market, one must be wary that policy terms will vary from one policy form to the next, and some will have coverage terms superior to others.

The Painstaking Saga Behind NARAB

On Jan. 9, I had the pleasure of sharing spontaneous drinks and dinner with José Andrés, Washington’s first and only international celebrity chef.

He had just launched China Chilcano, the latest in his burgeoning empire of restaurants, only three days old at the time, and was only a month away from opening yet another concept. He asked how I was doing, and I told him I’d had a great week—that a bill I’d been working on for literally 23 years at the Council (NARAB, attached to the TRIA extension), was passed by the Senate just the day before.

About then, another well-wisher approached José and congratulated him on his latest achievement. “Meet my friend Joel,” he says to the guy. “He’s either the best lobbyist I’ve ever met—or he’s the [worst].”

Rightly or wrongly, I’ve been majorly associated with NARAB (“National Association of Registered Agents and Brokers”) in its multiple iterations since the early 1990s. It’s not the biggest thing I’ve worked on by any stretch—the Terrorism Risk Insurance Act, the Affordable Care Act and Dodd-Frank are all far more important to the nation, our member firms and your clients. But NARAB has been the most painstaking.

We’ve snatched defeat out of the jaws of victory on so many occasions that it almost seemed preordained we’d lose again when TRIA failed in December. Facing implacable opposition to NARAB from retiring Sen. Tom Coburn, R-Okla., then-Majority Leader Harry Reid, D-Nev., pulled the plug on TRIA and adjourned the Senate for the year—astonishing all of us who’d worked so hard on the legislation.

Much of the blame at the time went to Coburn, as he was the only announced senator down the stretch with a “hold” on the TRIA/NARAB legislation, but the truth is more complicated, as there was considerable liberal discontent with the legislation. That’s all water under the bridge now.

Within a couple days of the disaster, House Speaker John Boehner, R-Ohio, and incoming Senate Majority Leader Mitch McConnell, R-Ky., both released strong statements saying they would put TRIA passage on the “early” priority list for January. Both kept their word.

Congress convened Jan. 6. The House bill passed in December was re-enacted Jan. 7, and the identical bill cleared the Senate Jan. 8. President Obama signed the bill into law Jan. 12. This followed critical leadership on the issue from Chairman Jeb Hensarling, R-Texas, of the House Financial Services Committee, and Sen. Richard Shelby, R-Ala., the new chairman of the Senate Banking Committee.

Now the work can begin to actually create NARAB—an interstate licensure clearinghouse for nonresident producer licensure. Decades of compromises to get the legislation to the finish line will now become complications you’ll hear about in the coming months. The governance of the body will come principally from state insurance commissioners and the National Association of Insurance Commissioners. Funding problems will emerge because no federal dollars or borrowing will be allowed. And there will be disagreements about the standards for NARAB membership.

The basic deal is this: Any producer first has to be properly licensed in his or her own state. Then on a purely optional basis, he or she can apply for membership in NARAB and meet whatever requirements are established. The applicant can then check off the states in which he or she needs a nonresident licensure, paying the applicable state fees. That all sounds really simple, but we’re sure in practice it will be akin to giving birth to a live squirrel.

The protracted lobbying effort initiated in 1992 by the Council’s forerunner organizations (the National Association of Casualty and Surety Agents and the National Association of Insurance Brokers) seems disproportionate. At its core, NARAB is simply an administrative mechanism to facilitate nonresident producer licensure. But since its inception NARAB has been caught up in the push and pull of the broader debates over federal-vs.-state insurance regulation. Many colleagues of mine are putting their children through college in this continuing war of attrition.

My own children, meanwhile, are nonplussed by the history of NARAB, but here it is anyway. First it was a purely federal option, as a part of now-retired Rep. John Dingell’s, D-Mich., insurer solvency legislation, which would have created an Optional Federal Charter for insurers. That went nowhere. Then we spun it off as a stand-alone and waged a lonely battle for years, culminating in the “NARAB 1” title of the Gramm-Leach-Bliley Act of 1999. To sneak it through Congress over the opposition of then-Sen. Phil Gramm (for months, my colleagues referred to me as “Dead Man Walking” on the assumption that Gramm would prevail), we had to dumb down the provision. If a majority of states passed reciprocal licensing laws, there would be no NARAB. So a majority of states did so, which was welcome. But it wasn’t enough.

In the past decade, the coalition of NARAB supporters has grown substantially, with other producer organizations and the NAIC itself moving from a position of opposition to strong support over the years. In that decade, NARAB passed the House on at least six occasions (I lose count), both as a stand-alone measure and as part of other reforms.

As we now move to implementation issues, I will pause to give thanks for the many in Congress who made this happen. Most recently, our champions and authors were Rep. Randy Neugebauer, R-Texas, Rep. David Scott, D-Ga., Sen. Jon Tester, D-Mont., and now-retired Sen. Mike Johanns, R-Neb. We can’t thank them enough. And I think back to the 1999 Gramm-Leach-Bliley debate, when Rep. Sue Kelly, R-N.Y., and the late Sen. Rod Grams, R-Minn., fought so hard for NARAB.

I guess it’s easier to be gracious in victory, but we wish all the best for Sen. Coburn, who did everything he could to beat NARAB. I regarded him as an obstinate SOB for many months, but he always acted out of his own federalism principles. He retired from the Senate when his cancer recurred, and we have high hopes he can beat it. Because he’s just that obstinate.

This article first appeared in Leader’s Edge magazine.