Signed into law in the wake of Sept. 11, the Terrorism Risk Insurance Act is due to expire at the end of 2014. Its future remains cloudy and as Congress debates a possible extension, a number of key issues are certain to figure into their decision.
The Terrorism Risk Insurance Program was created in the wake of the catastrophic events of Sept. 11, 2001, in an effort to provide stability to an uncertain terrorism insurance market. Reinsurers bore the brunt of the financial impact of the 9/11 attacks, and were faced with difficulties in accurately modeling and pricing terrorism exposures. As a result, many withdrew from the terrorism insurance market. Primary insurers, unable to find reinsurance for their terrorism covers, were forced to exclude it from their policies. Consequently, businesses were unable to purchase terrorism coverage, creating issues for a commercial market in which lenders and investors required this protection for their investments.
In November 2002, Congress enacted the Terrorism Risk Insurance Act (TRIA) to provide a federal reinsurance backstop for large-scale terrorist attacks that exceed $100 million in aggregate insured losses. The act required that property and casualty insurers offer terrorism coverage to their insureds on a similar basis (including premiums) as other insured risks. TRIA covers most commercial property and casualty lines, including excess insurance, workers compensation, and directors and officers liability, but does not include several other types of insurance, such as professional liability, flood or reinsurance. The program was initially created for a period of three years but was extended by the Terrorism Risk Insurance Revision and Extension Act of 2005 for two years and the Terrorism Risk Insurance Program Reauthorization Act of 2007 (TRIPRA) for seven years.
The original act and both amendments are currently set to expire on Dec. 31, 2014.
The Extension Debate Continues
Last year, three separate Congressional extensions to the program were proposed, but none of them had enough support for any significant debate. One of the proposals—the Fostering Resilience to Terrorism Act of 2013, which would have extended the program by 10 years—was said to be a response to the Boston Marathon attacks.
An extension of the program appears to be welcomed by many in the insurance and commercial terrorism insurance-purchasing markets. Many in the industry believe that without TRIA, the private market for terrorism insurance would be minimal or nonexistent. They are concerned about the uncertainty of modeling for potential terror attacks, and the underwriting and pricing concerns created by that uncertainty.
FOR MORE ON TRIA
TRIA’s Importance to Risk Managers
Many businesses could find themselves priced out of the terrorism insurance market if TRIA is allowed to expire.
Others, however, counter that the private insurance marketplace has sufficient capacity for terrorism coverage and that a federal backstop is not necessary. They believe that the rise of catastrophe bonds and collateralized reinsurance markets provides sufficient capacity to supplement the marketplace. As a result, they argue that the government no longer needs to provide a backstop. This debate will likely heat up later in the year when Congress finally tackles a possible extension. Only about a third of the members of Congress in 2002 are still in office, however, so the fate of TRIA is in the hands of hundreds of people who may be largely unfamiliar with the reasons that it was originally deemed necessary.
The Boston Marathon Bombings and Certified Acts of Terrorism
Last year, Boston experienced an attack that shook the nation. The insured losses from the marathon bombings reportedly did not exceed the $100 million in insured losses, so TRIA was a non-issue. But if there had been more losses, would the bombings have been a TRIA event?
Under the current program, in order to trigger the federal backstop, there must be an “act of terrorism.” To be certified as such, the secretary of the Department of Treasury, in concurrence with the secretary of state and the attorney general, must certify that the act was (a) a terrorist attack; (b) a violent act or an act that is dangerous to human life, property or infrastructure; (c) resulted in damage within the United States (or in a U.S. mission or on a plane or ship that has U.S. ties); and (d) was committed by an individual(s) as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the U.S. government by coercion.
The Boston bombings present a potentially interesting scenario. Days after the attack, the police eventually captured Dzokhar Tsarnaev and he was charged with a laundry list of crimes, including use of a weapon of mass destruction and malicious destruction of property resulting in death. Many people, including President Obama and some in the media, were quick to use the “T” word and called the Tsarnaev brothers “terrorists.”
According to multiple reports, the Tsarnaev brothers were motivated by extremist Islamic beliefs but were not connected to any known terrorist groups. Does that make them terrorists? Were they trying to coerce the civilian population of the United States or influence the policy or affect the conduct of the U.S. government by coercion? We may never know their true motives. From a TRIA perspective, however, their motives are of integral importance for the certification process. If the Tsarnaev brothers did not commit an “act of terrorism,” as defined in the statute, the federal backstop would not be triggered.
Under TRIA, the secretary of the Department of Treasury must provide an initial notice to Congress within 15 days of an “act of terrorism.” The notice should state whether the secretary estimates that aggregate insured losses will exceed $100 billion, which is the program’s cap. The language regarding the 15-day notice, which was added to the statute as part of TRIPRA, does not allow for any discretion: either the secretary provides such a notice to Congress or does not. If there is no notice within 15 days, does that mean that the federal backstop won’t be triggered? What if information learned 22 days after an attack indicates that it was intended to coerce the American people? Would it then be too late for the secretary to notify Congress that the terrorist event would or would not exceed $100 billion?
While the provision’s intent is to notify both Congress and the industry whether the total insured losses would exceed the maximum amount of the program, it is unclear whether there would be ramifications if such notice is not provided within the timeline. Congress should address this in a possible renewal.
Cyberterrorism and TRIA
Over the past decade, the concept of a cyberterrorist attack has gone from science fiction to reality. Malware like Stuxnet and Flame demonstrate that cyberattacks can cause physical damage. Many believe that a cyberattack on U.S. infrastructure is a matter of “when,” not “if.” The current TRIA statute does not explicitly state whether the program would apply to a cyberattack, but there is no explicit exclusion, leaving room for debate as to whether the backstop would be available.
A cyberattack could be dangerous to infrastructure, result in damage within the United States and be committed as part of an effort to coerce U.S. civilians or influence the U.S. government by coercion, meeting several of the required prongs of the statutory language. In order to trigger TRIA, however, a key issue appears to be whether the triumvirate of the secretary of the treasury, secretary of state and attorney general certify the cyberattack as an act of terrorism. If a large-scale cyberterrorism attack causes physical damage to properties within the United States, there might be political pressure for them to do so.
When TRIA was initially enacted 12 years ago, the primary concern was another attack like 9/11 and the drafters did not address the possibility of a cyberattack. Even when the program was extended in 2005 and 2007, we were living in a pre-Stuxnet world where cyberattacks were not considered significant threats.
Times have changed. It was just last year that the Pentagon accused China’s military of mounting attacks on the computer systems of the U.S. government and defense contractors. Not until 2011 did McAfee first publicly report on Operation Shady RAT, which involved state-sponsored cyberattacks on at least 72 government and private organizations. These included the United Nations, the International Olympic Committee and defense contractors in 14 countries.
While the five-year operation is rumored to have been conducted by the Chinese military, that has never been proven definitively. It does, however, offer evidence that complex cyberattacks are entirely possible. While we have seen commentary from the Department of Homeland Security stating that the commercial market should not expect the federal government to be the insurer of “last resort” in the event of a catastrophic cyberattack, those comments may not have been referring specifically to TRIA. (Notably, the Department of Homeland Security is not currently involved in any aspect of TRIA, but the Fostering Resilience to Terrorism Act of 2013 called for including the secretary of homeland security in the certification process.)
Additionally, TRIA requires that property/casualty insurers identify the amount of terrorism risk insurance premiums they receive. Since the current statute does not explicitly state that cyberinsurance policies fall under the scope of the program, many insurers are likely not reporting their cyber premiums as TRIA premiums. Therefore, if a cyberterrorist attack does take place, some insurers might have precluded themselves from participating in the program. This should create an impetus for Congress to specifically address the cybersecurity threat when debating an extension. The uncertainty is not good for anyone in the market.
Other Issues to Consider
Other important issues need to be addressed if the program is continued. First, for how many years should the program be extended? TRIA was initially enacted in the wake of 9/11 as a temporary measure to ensure there would be capacity for terrorism insurance in the marketplace. Now, 12 years later, if authorities deem that the program is still necessary, should it be made permanent to keep this debate from being repeated in three, five or 10 years? Or is an extension of several years a sufficient timeframe to develop the necessary capacity in the terrorism market?
In addition, should the threshold for triggering aid under the program be changed? Before TRIPRA was passed in 2007, several Congressional proposals called for lowering the per occurrence retention from $100 million to $50 million.
Another question is whether the program should be changed to also require insurers to offer coverage for nuclear, biological, chemical and radiological (NBCR) attacks? NBCR inclusion was debated in 2007 and Congress did not add it then. Perhaps cybersecurity has eclipsed NBCR as a more realistic threat today, but the risk of an NBCR attack remains.
Finally, should the program include group life coverage? This has been debated in the past and Congress has not added it to the program. If there were a large-scale terrorist attack resulting in a large number of deaths, there is likely to be a significant impact on the life (re)insurance market. Some believe extending the federal backstop is necessary to protect this market, just as it protects the property/casualty market.
We will surely see more discussion over the coming months in Congress about the need for a TRIA extension. Insurers have issued, and are continuing to issue, policies that extend beyond the program’s expiration at the end of the year. They are also including conditional language for the post-Dec. 31 period in which TRIA may not exist, or may not exist on its current terms. But some insurers are not offering post-Dec. 31 terrorism coverage at all. Coming to a resolution about a TRIA extension sooner rather than later would help clear up any confusion in the marketplace.