P&C

What About Cyberterrorism?

Acts of cyberterrorism are covered under the Terrorism Risk Insurance Program (TRIP) should the economic losses trigger the threshold required for federal assistance.
By Rob Boyce Posted on May 2, 2019

The possibility of this outcome raises the question: how have insurers treated alleged state-sponsored cyberattacks that could arguably fall under the umbrella of cyberterrorism and thus, be included in the Terrorism Risk Insurance Program (TRIP)?

Acts of cyberterrorism are covered under the Terrorism Risk Insurance Program (TRIP) should the economic losses trigger the threshold required for federal assistance. In a guidance issued by the Treasury Department at the end of December 2016, the Treasury made clear that cyber coverage “written in TRIP-eligible lines of insurance” is covered by TRIP.

Generally speaking, insurers seem inclined to modify the war exclusion in cyber policies to omit cyberterrorism. There have been a number of state-sponsored cyberattacks recently—including WannaCry, often attributed to the North Korean government—and there has been no high-profile denial of coverage by insurers under the war exclusion like this most recent one from Zurich. Likely, insurers will see that pursuing coverage denials too aggressively would result in lost customers. Thus, insurers have been willing to cover damages from fallout like the one seen in NotPetya, WannaCry, etc. without much pushback.

Acts of cyberterrorism are covered under the Terrorism Risk Insurance Program (TRIP) should the economic losses trigger the threshold required for federal assistance. In a guidance issued by the Treasury Department at the end of December 2016, the Treasury made clear that cyber coverage “written in TRIP-eligible lines of insurance” is covered by TRIP. Additionally, cyber liability policies defined as “stand-alone comprehensive coverage for liability arising out of claims related to unauthorized access to or use of personally identifiable or sensitive information due to events including but not limited to viruses, malicious attacks or system errors or omissions” that may “also include expense coverage for business interruption, breach management and/or mitigation services” are definitively included in the definition of “property and casualty” insurance covered by TRIP. It is expected that should TRIP be authorized in December 2020, much will stay the same.

Though the court battle between Mondelēz and Zurich is being fought in the context of a property policy, it carries major implications for cyber insurance in the future, as many cyber insurance policies do have war risks exclusions. A broad ruling in favor of Zurich could make it that much more difficult to mitigate cyber risk with insurance policies, considering the recent increase in state-sponsored cybercrime. Whatever the outcome may be, the case illustrates that brokers and risk managers, as well as their clients, must be vigilant, seek clarity and assurances to minimize the possible risk of coverage denial in the event a state actor is involved in a triggering event, and become intimately familiar with cyber policy terms, conditions and exclusions.

However, in regards to TRIP, where an event has never triggered the thresholds required for federal assistance, there is much more ambiguity, especially when it comes to covering a cyber-event defined as terrorism.

Rob Boyce Director, Market Intelligence & Insights Read More

More in P&C

The Results Are In: Commercial P/C Market Survey Q4 2020
P&C The Results Are In: Commercial P/C Market Survey Q4 2020
Get the highlights of The Council's latest survey in under 90 seconds.
P&C Taming the Casualty Industry
Q&A with Robert Reville, CEO, Praedicat
Congress Considers Infrastructure Package
P&C Congress Considers Infrastructure Package
Without bipartisan support, what alternatives are there for rebuilding, and wher...
Capacity with a Different View
P&C Capacity with a Different View
Q&A with Mario Vitale, President, Resilience Insurance
Sponsored By Resilience
Rethinking the Supply Chain
P&C Rethinking the Supply Chain
Indie Source avoids global supply chain bottlenecks with sma...
The Last Mile
P&C The Last Mile
Now that we have COVID-19 vaccines, what will it take to ens...