
15 Days of Cyber Insurance: Terrorism

After 9/11, reinsurers balked at supporting insurers who didn’t specifically exclude terrorism from their coverage. The massive and unpredictable losses of terrorist attacks were a shock to the reinsurers, who absorbed much of the cost. However, with exclusions for terrorism coverage, construction of skyscrapers or public utilities was being held up over financial concern. Thus, in 2002, the US signed into law TRIA, or the Terrorism Risk Insurance Act, which established a system of federal cost-sharing for insured losses resulting from terrorism. The act was extended twice, and in 2015 the Terrorism Risk Insurance Program Reauthorization Act extended the act through 2020. (I suppose technically it’s now TRIPRA, but let’s stick with calling it TRIA.) The act provides reinsurance coverage for losses related to an act of terrorism (something that must be defined cooperatively by the Secretary of the Treasury, the Secretary of State, and the Attorney General) that are greater than $100M, after a 20% deductible. The insurance industry as a whole must cover $27.5B in losses before federal assistance is available, and federal assistance is capped at $100B per year. In exchange, insurers must offer terrorism insurance. A number of other countries offer terrorism insurance, and the UK and Spain do not cap governmental assistance, while India and Austria do not provide government assistance but provide private-sector cost sharing. Interestingly, while TRIA does not allow insurers to recover losses from terrorists’ assets, a recent Supreme Court judgment may allow victims to do so separately.

While TRIA was motivated by 9/11, the concept of cyberterrorism has been around since 1998, and because TRIA does not strictly define terrorism as excluding cyberterrorism, an act of cyberterror might fall under its purview. One obstacle is what can be declared cyberterrorism. While the hack of Sony Pictures was considered a threat to critical infrastructure, was it cyberterrorism? Is a denial-of-service attack by the “Syrian Electronic Army”, as experienced by the New York Times, Twitter, and the Huffington Post in 2013, an act of cyberterrorism? Losses for outages are usually small, particularly for news sites that, unlike e-commerce sites, have a hard time proving lost revenue. Additionally, terrorism is usually required to pose a threat to human life, and not being able to access Twitter doesn’t count. TRIA isn’t designed to provide coverage for losses like data breach fines and reputation restoration; its scope is primarily property loss or damage and casualty coverage. However, cyber attacks targeting physical infrastructure, like chemical plants, utilities, or uranium enrichment facilities in Natanz, have the potential to cause these types of damages. If TRIA is determined to cover these losses, it may encourage insurers to offer more, or more types of, cyber insurance coverage, particularly to industries where cyber attacks could pose direct dangers, like transportation or manufacturing.

Another sticky issue is who the government considers a terrorist organization. Governments aren’t considered terrorist organizations, so a hack officially sponsored by North Korea would be more akin to an act of war than an act of terrorism. On the other hand, attribution of cyber attacks is notoriously difficult, and it’s possible that a group orchestrating a cyber attack would be newly formed, or would not consider itself a coherent group. Would an organization tautologically be defined as a terrorist organization because of the act of terrorism it committed, before the group could be identified? Another potential sticking point is terrorist-on-terrorist violence; Anonymous calls the KKK terrorists, and Fox News calls Anonymous terrorists. If a cyber conflict between the two groups were to threaten human life, would it be considered an act of domestic terrorism, or of gang violence?

What most reinsurers were worried about post-9/11 was — and maybe still is — a clear-cut case of terrorism in a public place, like the Westgate shopping mall attack in Nairobi, Kenya. Kenya did not have a government terrorism insurance backstop, but several insurers had banded together to share risk; even so, premiums for terrorism insurance jumped 20% in the five months after the attack, and total claims were approximately 10B Kenyan Shillings, or $99M in current US dollars. The Westgate mall attack couldn’t have been executed by cyber attackers, but perhaps if drone and robotic capabilities increase, we could see cyber terrorists sending armed bots to do their bidding. In this imagined amalgam of cyber- and conventional terrorism, TRIA may come into play.

-Allison Berke
