Prior to September 11, 2001, terrorist coverage was included in most commercial real estate policies as a "silent" danger ̵
TRIA requires insurance companies to make terrorist coverage available to commercial policyholders but does not require policyholders to purchase it. Originally created as a three-year program that allows the federal government to share losses due to terrorist attacks with insurance companies, it has been renewed four times: 2005, 2007, 2015 and 2019.
A risk that develops
The terrorist threat has developed in complexity and scale, and some in the national security world have compared American cyber security preparedness today with its preparedness for terrorist acts two decades ago.
"To me, the cyber landscape looks a lot like the terrorism landscape did before 9/11," said historian and journalist Garrett Graff at a recent Home Security Committee event in which researchers and former 9/11 commissioners called on lawmakers to increase funding for Cybersecurity and Infrastructure. The Security Agency (CISA) and other federal agencies focused on preventing attacks.
Cyber is more complicated, says Amy Zegart, co-director of the Stanford University Center for International Security and Cooperation, p.g.a. the role of the private sector ”as both a victim and a threat vector. There are more people in the United States who protect our national parks than there are in CISA who protect our critical infrastructure. Cyberattacks like the one on the Colonial Pipeline underscore this reality.
When TRIA was re-approved in 2019, a crucial component was the mandate of the Government Accountability Office (GAO) to make recommendations to Congress on amending the law to deal with cyber threats. The trillion-dollar infrastructure bill now being debated in Congress proposes $ 1.9 billion for cybersecurity, with more than half set aside for state, local and tribal governments. It would set up a Cyber Response and Recovery Fund for the use of CISA.
Like terrorism before 9/11, very cyber risk is silent. Silent cyber – also known as "non-affirmative cyber" – refers to potential losses arising from policies that are not intended to cover cyber-related dangers. If silent cyber is not addressed, the insurer's solvency may be affected and ultimately damage the policyholders.
The UK regulator in 2019 sent a letter to all UK insurance companies saying they must have "action plans to reduce accidental exposure" to non-affirmative action cybercrimes. Later that year, Lloyd's issued a bulletin demanding clarity on all policies on whether cyber risk is covered. This led many insurance companies to exclude cyber or include it and price the risk accordingly.
"Other regulators and credit rating agencies have been less vocal about the issue," writes Willis Towers Watson, "and until recently, efforts to address silent cyber have been limited." Some insurers – particularly in the mutual specialty sector – updated their policies in the mid-2010s to provide clarity on cyber. But until recently, movement elsewhere has been sporadic, Willis writes. diversification, secondary line-to become a primary insurance purchase. Unfortunately, while insurance is available, many policyholders still incorrectly expect to be covered by their property and liability insurance. Confusion over IT coverage can lead to unexpected gaps.
"At best, a cyber incident can trigger multi-policy coverage and increase the total available limit to respond to a covered event," said Adam Lantrip, CAC Specialty & # 39 ;s Cyber Practice Manager. "In a more common scenario, multiple insurances can be triggered but not coordinated with each other, and the policyholder spends more on legal fees than the cost of having purchased stand-alone cyber insurance in the first place."
Cyber risk will only grow in importance, complexity and cost as the world becomes more wired and interdependent. The costs of cyberattacks are potentially huge and must be reduced in advance.
From the Triple-I Blog
Emerging Cyber Terrorism Threats and the Federal Terrorism Risk Insurance Act
A World Without TRIA: Forming a Federal Terrorism Insurance Backstop  Brokers, policyholders need more clarity on cyber coverage
Cyber risk becomes real, requires new approaches
Companies large and small need to be cyber-resistant in a covid-19 world
victims twice? Companies that pay cybercrime can risk US penalties
From Risk & Insurance (a subsidiary of the institutes and sister organization to Triple-I)
Silent cyber will sabotage your insurance Policy if you do not look up. Here's what risk managers should think about