TRIA Cyber Risk Study (GAO)

© Centers for Better Insurance, LLC 2020 Version 1.0
Centers for Better Insurance (CBI) is an independent organization focused on supporting the insurance industry to optimize the value it delivers to all
stakeholders (including policyholders, employees and society at large). CBI does so by making available unbiased analysis and insights about key regulatory
issues facing the industry for use by insurance professionals, regulators and policymakers.
THE MATERIAL AS WELL AS ANY OTHER INFORMATION PROVIDED BY CBI IS PROVIDED ON AN "AS IS" AND "AS AVAILABLE" BASIS. CBI does not
guarantee, the accuracy or completeness of this material or any other information and may add, remove, discontinue, change, improve, or update this material
or any other information without notice. Under no circumstances shall CBI be liable for any loss, damage, liability or expense claimed to result from use of this
material or any other information.
Centers for
Better Insurance
Policyholders
Employees
Shareholders
Society
Supporting value creation for all stakeholders through
beneficial purpose, sound governance and effective controls
www.betterins.org
A Framework for Conducting the GAO Cyber Risk Study
Terrorism Risk Insurance Act
CBI
CBI-TRIA-20-02

© Centers for Better Insurance, LLC 2020 Version 1.0 2www.betterins.org
Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyStatutory Mandate
GAO Cyber Risk Study
The Terrorism Risk Insurance Program Reauthorization Act of 2019 requires the Government Accountability Office (GAO) to conduct an
assessment and make recommendations “how Congress could amend the Terrorism Risk Insurance Act of 2002 to meet the next generation of
cyber threats.” This analysis includes “whether the current risk-share system under the Terrorism Risk Insurance Act of 2002 is appropriate
for a cyber-terrorism event.” The GAO report is due in late June 2020.
The GAO report will likely serve as a jumping off point for a broad-based debate whether the current cyber insurance market is adequate to
address the risk transfer needs of individuals, businesses, nonprofits and local governments with respect to a range of cyber threats including
cyber-terrorism. If the market is found to be unable to meet those needs, the discussion will include whether and under what circumstances
the federal government may be able to support the further development of affordable and effective cyber insurance products.
Section 501(c)(2) of the Further Consolidated Appropriations Act, 2020 provides:
Study and report on cyber terrorism.—Not later than the expiration of the 180-day period beginning on the date of the enactment of this Act,
the Comptroller General of the United States shall conduct a study and report to the Committee on Financial Services of the House of
Representatives and the Committee on Banking, Housing, and Urban Affairs of the Senate, which shall—
(1) analyze and address—
(A) overall vulnerabilities and potential costs of cyber attacks to the United States public and private
infrastructure that could result in physical or digital damage;
(B) whether State-defined cyber liability under a property and casualty line of insurance is adequate coverage for an act of cyber
terrorism;
(C) whether such risks can be adequately priced by the private market; and
(D) whether the current risk-share system under the Terrorism Risk Insurance Act of 2002 (15 U.S.C. 6701 note) is
appropriate for a cyber terrorism event; and
(2) set forth recommendations on how Congress could amend the Terrorism Risk Insurance Act of 2002 (15 U.S.C. 6701 note) to meet
the next generation of cyber threats.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTRIA’s Careful Balance
Following the implicit guidance from Congress, GAO will effectively start with an assumption any significant shortcoming in the current cyber
insurance market would be addressed by the federal government (if at all) through amendments to the Terrorism Risk Insurance Act. Given
this constraint, GAO should consider approaching its study with the understanding that the architects of TRIA originally struck and have
sought to maintain over time a careful balance in the rights and obligations of insurers and policyholders under the program.
TRIA has worked well for the terrorism risk because the program has never had to do anything other than exist. Several serious challenges
within the program have remained largely invisible because terrorism insurance is typically sold as a small element of a much larger package
of coverages and, fortunately, the program has never seen a claim. In contrast, the cyber market is developing as a stand-alone product with a
high claim volume. Accordingly, an expansion of TRIA to cover a broad range of cyber risks threatens to upend the program’s current balance.
Certification
Criteria
Make Available Federal Backstop
The certification criteria defines the effective
scope of TRIA by acting as the gatekeeper to the
other two elements of the program. That is, the
certification criteria define those events for which
(a) policyholders have the right to availability of
insurance coverage; and (b) insurers have the right
to reimbursement from the backstop.
Why it works: The certification criteria has
proven to be extremely narrow. Indeed, over the
17-year history of the program Treasury has not
certified a single act of terrorism and there is no
evidence that it has ever come under serious
pressure to do so.
The make available requirement defines the obligation of
insurers to offer policyholders full coverage for certified acts of
terrorism in standard insurance policies.
Why it works: Because terrorism coverage typically makes up only
2.5% of a standard insurance policy’s overall premium, insurers can
absorb conventional terrorism risk and the competitive disparities
caused by the program as a manageable cost of doing business.
The federal backstop defines the right of an insurer to
request Treasury to reimburse 80% its covered losses resulting
from certified acts of terrorism above a deductible amount.
Why it works: The federal backstop has been dormant for the
entire life of the program. Treasury has never received a
request for reimbursement and therefore has never paid out a
dime under TRIA.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyThree-Part Analytical Framework
GAO is tasked to assess whether TRIA is appropriate to address cyber events and recommend how the program could be amended to
encompass emerging cyber risks. This assessment may be broken down into three fundamental questions: (a) what kind of cyber events
should TRIA or some other federal program address; (b) what insurance benefits should policyholders be able to purchase under such a
program; and (c) to what extent should the federal government financially participate in cyber losses.
After a review of the current cyber insurance market, this paper approaches GAO’s task by proposing a three-part framework based on the
elements underlying the success of the Terrorism Risk Insurance Act in stabilizing insurance market for the conventional terrorism insurance
risk. Each section takes an in-depth look how the program operates today for the conventional terrorism risk and the stresses to these
respective elements likely to arise if the program were extended to encompass a broader range of cyber risks.
Certification
Criteria
Which events should a
cyber program respond to?
What cyber benefits should
insurers be made to offer?
When should the government
assume some part of a cyber loss?
US Cyber Insurance Market

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyUS Cyber Insurance Market
Certification
Criteria

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyPractical Definition of Cyber Risk
The term cyber risk (or simply “cyber”) is shorthand for the unique risks or amplification of traditional risks that arise from the use, storage
and transmission of data or information in an electronic format. Cyber encompasses all nature of information existing in electronic format
including computer code, financial data, intellectual property, emails, photographs and personal data.
These categories are not exclusive of each other. That is, one or more categories of cyber risk may materialize within a single cyber event (e.g.,
electronic data may be both made inaccessible to an authorized user and copied by an unauthorized party). Cyber risks may be triggered
unintentionally (e.g., poor design or human error), intentionally (maliciousness, theft, extortion, as a protest or political statement, espionage
or warfare) or by a combination of both.
Cyber risks fall within three broad categories:
Unauthorized Processing of
Electronic Data
Loss of Electronic Data
Malperformance of
Electronic Data
The risk electronic data no longer
exists or cannot be used either
permanently or temporarily.
For example, a data loss occurs where
electronic data is deleted, destroyed,
corrupted, inaccessible or unable to
be transmitted.
The risk electronic data is accessed,
transmitted or otherwise used
without appropriate authorization.
For example, unauthorized access of
data occurs where electronic data is
read, copied, or transmitted by an
unauthorized third party or outside of
the authority of an authorized user.
The risk electronic data is or has
been rendered defective for its
intended purpose resulting in an
unintended or otherwise adverse
outcome from the use of that data.
For example, malperformance of data
occurs where data in the form of code
is manipulated, replaced or added in
such a way as to instruct a system to
communicate with another system
without system owner’s knowledge.
The risk that we cannot
use electronic data.
The risk that someone else gets
ahold of our electronic data.
The risk that electronic data
does not do what we expect it to.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyEconomic Costs of Cyber Risk
Every business, nonprofit and governmental organization that relies on electronic data faces economic costs associated with cyber risk. Those
costs begin with efforts to understand and secure the environment in which the electronic data is stored, used and transferred. In the event of
an actual or suspected cyber event, these economic costs can rapidly expand.
First-Party LossRisk Mitigation Expense Third-Party Liability
Expenses incurred to reduce
probability or severity of a cyber event
Losses sustained from a cyber event
Liabilities incurred as a
result of a cyber event
Interruption of Operations
Ransom / Extortion Payment
Legal Defense
Data and Hardware Restoration
Liability for Damages because of:
• Breach of contract
• Misuse of data
• Inadequate security
• Invasion of privacy
• Negligent provision of
professional services
• Bodily injury or death
• Property damage
• Loss of data
Restoration of Operations
Loss of Intellectual Property
Loss of Data
Loss of Hardware
Cyber Risk Assessment
Employee Training
Executive and Board Briefing
Penetration and Other Testing
Security Program Benchmarking
Security Program Implementation
Threat Monitoring and Analysis
Incident Response Planning
Investigation Notification to Affected Parties
Credit Monitoring / MitigationCrisis Response / Public Relations
Civil and Administrative Penalties
Expenses incurred in response to a cyber event

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCyber Risk Framework
For the purposes of assessing or designing an insurance program, it is helpful to think of the cyber risk as manifesting through four successive
stages: (1) the trigger which consists of the circumstances in which the cyber threat originates; (2) the modality through which the cyber
threat is put into action; (3) the event during which electronic data is compromised; and (4) the economic consequences resulting from the
compromise of electronic data.
This four-phase analysis is useful in comparing different cyber risk sub-types from the standpoint of coverage under insurance products. For
example, insurers have traditionally insured losses or liabilities arising from certain triggers (e.g., negligence). Insurers and their products are
less familiar with other elements in this chain such as electronic data events (e.g., ransomware).
Event
The event is where the
electronic data is lost,
accessed without
authorization or corrupted.
Example events:
• Website defacement
• Fraudulent transfer of
funds
• Encryption of data
• Exfiltration of confidential
information
• Unauthorized access
Trigger
The trigger consists of the
circumstances in which a
threat to electronic data
originates.
Example triggers:
• Negligence
• Organized crime
• Disgruntled
employee
• Espionage
• Undetermined
Modality
Example modalities:
• Denial of service attack
• Phishing attack
• Physical entry and theft
• Virus
• Unauthorized access
The modality is the means
through which the threat
to electronic data is put
into action.
Consequences
The consequences are the
economic losses resulting from
the loss, unauthorized
processing or malperformance
of electronic data.
Example consequences:
• Cessation of operations
• Physical damage to
equipment
• Loss of reputation
• Invasion of privacy
• Identity theft

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCyber Insurance Products
Insurance is an important tool to assist businesses, nonprofits and local governments to manage a range of risks including cyber risk. Cyber
risks may be covered (expressly or otherwise) to a certain extent within traditional insurance products. In recent years, a significant market
has developed for “stand-alone” cyber products which are designed to cover only cyber risks.
Cyber coverages are evolving both within traditional insurance products as well as through cyber-only stand-alone insurance products. In
general, available cyber-specific limits and terms of coverage are less generous than limits and terms for non-cyber exposures. However,
cyber-specific coverages may provide certain benefits uniquely applicable to cyber exposures.
First-Party Products Third-Party Products
Stand-Alone Cyber Policy
Commercial Property Insurance
Crime
Fidelity
Directors and Officers Liability (D&O)
Professional Liability (E&O)
Products Liability
Kidnap and Ransom
Commercial General Liability
Coverage for
Cyber Risks
When a traditional insurance product covers cyber
risks without explicitly mentioning cyber, that
coverage is sometimes called “silent cyber.”
The trend in traditional products has been to
completely exclude most cyber risks and then
provide options to “buy back” some level of cyber
coverage subject to specific conditions.
Stand-alone cyber products often contain both first-
and third-party coverages as well as response
expense coverages and even risk mitigation services.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTraditional Commercial Property Insurance
Commercial property insurance policies typically exclude electronic data from the definition of covered property. Limited coverage for
electronic data (subject to a reduced limit of liability and other restrictive terms) is then given back through an additional coverage sometimes
at an additional premium cost.
The policyholder is often provided a small amount of separate and narrow “additional” cyber coverage without a separate charge. The
policyholder may opt to buy increased limits for this additional coverage. Although it is often called an “additional coverage”, cyber coverage in
traditional property insurance policies only exists because of the cyber exclusion such that the “additional coverage” provided through the
policy acts as a sort of narrow exception to that exclusion.
$10,000 limits for data loss and business
interruption are typically included without
additional charge with the ability to elect higher
limits for an additional premium charge.
Broad grant of coverage Specific exclusion from
the grant of coverage
Limited coverage
buy-back options

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCommercial General Liability Insurance
Commercial general liability policies likewise typically exclude coverage for liability for damages because of loss of electronic data. In addition,
general liability policies often exclude coverage for liability for damages because of access or disclosure to nonpublic information. A
policyholder may be offered the option to “buy-back” these coverages subject to lower limits and additional conditions.
While the mechanics may be different for commercial general liability policies, the practical implication for cyber-terrorism is the same as for
commercial property products. Cyber is excluded from the main coverages and limits. The policyholder may be offered options to buy-back a
narrow range of cyber coverages at reduced limits.
Buy-back options, which may include:
• Claims-made coverage
• Special limit of liability where the loss arises
from physical damage to tangible property
• Elimination of exclusion of liability for access
to or disclosure to nonpublic information
Broad grant of coverage Specific exclusion from
the grant of coverage
Limited coverage
buy-back options

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCyber-Only Stand-Alone Coverage
Stand-alone policies covering cyber insurance can vary considerably in terms of coverages and limits. For example, a stand-alone policy may
include both first-party (property) coverages as well a third-party (liability) coverages. These coverages may include reimbursement of
response costs such as crisis management or public relations expenses. In some cases, a stand-alone policy may include pre-event cyber risk
evaluation or similar services.
Stand-alone cyber insurance policies are typically useful where the policyholder has very limited or no cyber coverage in its other insurance
policies or where the policyholder seeks specialized insurance benefits for cyber risks.
First-Party Coverage Third-Party Coverage
Response Costs Coverage

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyGrowth of US Cyber Insurance Market
The National Association of Insurance Commissioners (NAIC) developed a cyber insurance reporting template in 2015. The NAIC’s analysis of
those reports shows a significant increase in cyber insurance writings year over year.
US cyber insurance is now a $3.6 billion market. While an impressive figure, it represents only about 1% of commercial property and casualty
insurance premium overall. In addition to cyber insurance, the NAIC reports annual premiums of about $225 million for identity theft
coverages with an average cost of coverage of $10 - $40 per policy
2000
2500
3000
3500
4000
2016 2017 2018
Cyber Direct Written Premiums (in millions)
Source: NAIC Report on Cybersecurity Insurance Coverage Supplement (2019)

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyMovement toward the Stand-Alone / Non-Admitted Marketplace
The NAIC’s analysis breaks down the market by stand-alone and packaged products in the admitted and surplus lines. Admitted insurers are
“admitted” or licensed in the states in which their products are sold. Surplus lines (non-admitted) insurers are not licensed in the state in
which their products are sold. This alternative market is not subject to state insurance regulatory approval of contract wording or pricing.
While the overall cyber market has grown in nearly all dimensions, the greatest growth is occurring in the surplus lines and for stand-alone
products. This trend suggests the cyber market has yet to embrace standardized coverage wordings and operates to a large extent outside of
the transparency and consumer protection associated with state regulatory oversight of coverage design and pricing models.
0 200 400 600 800 1000 1200 1400
2016
2017
2018
Cyber Direct Written Premiums (in millions)
Surplus Package
Surplus Stand-Alone
Admitted Package
Admitted Stand-Alone

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCyber Products in the Admitted Market
Within the admitted market, the NAIC’s analysis of 2018 writings show the top ten writers of stand-alone cyber products and packaged cyber
products represent 82% and 72% cumulative market share, respectively. By comparison, the top ten writers of commercial multi-peril
insurance products have a cumulative market share of 47%, other liability of 46% and commercial auto and workers compensation of 44%
each. Accordingly, the cyber market is considerably more concentrated than the main commercial property and casualty lines.
Yet, the cyber market appears fragmented with roughly equal proportions in the admitted market and the surplus lines. Likewise the product
design is split between stand-alone and package products. When looking at individual competitors, it would appear the largest player have
committed to either stand-alone or packaged solutions while smaller players straddle both product formulations. Further, it appears some
large commercial property and casualty insurers remain close to entirely on the sidelines of the cyber market.
0 50 100 150 200 250 300 350
Liberty
BCS
AXIS
CNA
Beazley
Travelers
AIG
AXA
Chubb
2018 Cyber Direct Written Premiums (in millions) in Admitted Market
Stand-Alone
Package

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTake-Up Rates for Cyber Insurance
Take-up rate refers to the frequency with which policyholders elect to purchase a specific optional coverage. Only about 1 in 3 businesses
currently purchase cyber insurance coverage which is an increase from about 1:4 five years ago
These relatively low take-up rates suggest most businesses retain the cyber insurance risk or rely on limited “no additional cost” additional
coverages included within their core property and casualty insurance policies.
0%
10%
20%
30%
40%
50%
2H15 1H16 2H16 1H17 2H17 1H18 2H18
Cyber Take-Up Rates
Source: The Council of Insurance Agents & Brokers Cyber Insurance Market Watch Survey (2015-2018)

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCyber Claims Count
The number of cyber claims has steadily increased over the last several years. Nevertheless, reported loss ratios range from the mid-20% to
mid 30% as a percentage of premium.
A continuation of this claims trend may eventually put pressure on cyber insurance pricing. However, so far it appears pricing has remained
generally stable over the last several years.
0
5,000
10,000
15,000
2015 2016 2017 2018
Number of Cyber Claims
Source: AM Best Market Segment Report (June 17, 2019)

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyKey Observations – US Cyber Market
By all accounts, the US cyber market is in its infancy. While projections span a wide range, the most optimistic see a cyber insurance market
five times its current size within the next half decade even before considering the impact of a potential federal cyber program.
GAO is assessing a market in motion. Available market data is of mixed credibility, through improving, and offers insight into a very limited
history. State insurance regulators are getting their arms around cyber insurance products, pricing and distribution but a growing portion of
the market is largely outside of their reach. Whatever the objective of any federal intervention in this market may be, it is clear that an
expansion of TRIA would have a profound effect – for better or worse – on the future of cyber insurance.
As it currently stands, the cyber insurance market is characterized by:
1. A Developing Product Set – It is still a toss-up whether over the long-term cyber will be packaged within traditional lines of
insurance or evolve into a separate and discrete line of insurance. Right now it is doing both. Insurers have made considerable
progress in eliminating broad terms and significant limits for “silent cyber” in their traditional products. Many now offer a range of
buy-back options through which a policyholder can select limited amounts of cyber coverage as an add-on to a basic property or
liability policy. At the same time, a dynamic stand-alone cyber insurance market has emerged offering diverse and specialized pre-
and post-event benefits separate and apart from traditional property and liability policies.
2. Limited Consumer Protection – Much of the innovation and growth in the cyber insurance space is taking place in the non-
admitted market and outside of state regulatory oversight especially with respect to consumer protection and rate and form
approval. Further, variability in policy wording (i.e., forms) within the cyber insurance market make it difficult for policyholders to
easily compare coverages among competing product options. While always a trailing form of consumer protection. judicial opinions
interpreting cyber insurance contract wording have limited precedential value in the absence of standardization.
3. Uneven Market Participation - While profitable overall so far, the cyber market is still just a small corner of the overall
property and casualty insurance industry. As one would expect in a niche market, any individual insurer’s market share in cyber
differs - sometimes considerably - from its market share in major commercial property and casualty lines. Further, low take-up
rates suggest that most policyholders do not see value in current cyber offerings or cannot find a compelling reason to divert funds
into a cyber policy. In short, cyber operates on the margins of both the supply and demand sides of the insurance market.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCertification Criteria
Certification
Criteria

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTRIA’s Certification Criteria
Under TRIA an “act of terrorism” means any act that is certified by the Secretary of Treasury, in consultation with the Secretary of Homeland
Security and the Attorney General: (a) to be a violent act or an act that is dangerous to human life, property or infrastructure; (b) to have
resulted in damage within the United States; and (c) to have been committed by an individual or individuals, as part of an effort to coerce the
civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.
No event has been certified over the program’s 17 years history. Indeed, it is unclear whether Treasury has ever seriously considered an event
for potential certification.
In general, the damage
must occur in the US
Insured losses under covered
lines must exceed $5 million
The act must be part of a scheme intended
to coercively influence public opinion or
the policy of the US government
TheCriteriaTheProcess
Treasury must consult with
Justice and Homeland Security
Secretary of Treasury alone makes
the final certification decision
The certification decision is unappealable
and not subject to judicial review

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTRIA’s Current Inclusion of Cyber
TRIA’s definition of “act of terrorism” has always encompassed a cyber event to the extent that event meets the program’s certification criteria
and successfully proceeds through the certification process. With the significant exception of professional liability policies, most commercial
and property insurance products with cyber coverages and stand-alone cyber products are within the scope of the program.
TRIA already covers cyber-terrorism to the same extent as any other type of terrorism. Accordingly, a cyber-terrorism event generating more
than $5 million of insured loss in the US is eligible for certification.
Congressional intent is clear that a cyber attack meeting the criteria for
certification would fall within the program. Specifically, the law’s
reference to “damage to infrastructure” encompasses loss or
destruction of cyber assets.
Dangerous to Property or Infrastructure
Because cyber insurance is an evolving business, there has been some
confusion as to whether certain policies covering cyber exposures come
within the scope of the program. The general understanding of cyber
coverage configurations subject to TRIA is as follows:
Covered Lines of Insurance
H.R. 3210, Conference Report (Nov. 13, 2002)
S. 2244, Conference Report (June 26, 2014)
Cyber Coverages in or Endorsements to
Commercial Property or General
Liability Products
Cyber Product Configuration Within Scope of TRIA
Yes
Stand-Alone Cyber First Party (Property)
Policy Yes
Stand-Alone Cyber Third Party
(Liability) Policy
Yes*
Cyber Coverages in or Endorsements to
a Professional Liability Policy
No
*Treasury Guidance, 81 FR 95312

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyMany Cyber Events, No Certifications under TRIA
Information regarding insured losses from cyber attacks is difficult to come by. However, it is reasonable to conclude each of the following
high-profile hacks resulted in more than $5 million of insured loss. Nevertheless, none appear to have been even considered for certification
under TRIA.
Cyber–terrorism is covered by TRIA and US companies have experienced significant attacks likely associated with state-sponsored actors
during the life of the program. Yet, there has been no recourse to TRIA or, it would seem, serious consideration to certifying any cyber events
as an act of terrorism under the program. Therefore, some element within the certification criteria must be standing in the way.
Source: The Council of Economic Advisors, The Cost of Malicious Cyber Activity to the U.S. Economy (Feb. 2018).
Sony Pictures Entertainment Hack
Breach: November 2014
Attribution: North Korea
Attack Type: Unauthorized access and theft
Loss: $41 million remediation
Motivation: Response to release of
provocative movie
U.S. Response: Additional sanctions on North
Korea
Solar World Hack
Breach: May - September 2012
Attribution: Chinese nationals
Loss: €178 loss of market cap
Motivation: Industrial espionage
U.S. Response: Criminal prosecution
Equifax Hack
Breach: March - July 2017
Attribution: Possibly China
Loss: $2.5 billion in remediation
and claims
Motivation: Possibly espionage
U.S. Response: FTC investigation of Equifax

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyChallenges with the Intent Criteria
The often anonymous nature of cyber attacks makes it particularly challenging for Treasury to determine whether any one attack had “been
committed by an individual or individuals, as part of an effort to coerce the civilian population of the United States or to influence the policy or
affect the conduct of the United States Government by coercion.”
It is likely no major cyber event has been certified as an act of terrorism under TRIA because Treasury has not been able to develop sufficiently
convincing evidence of the intent behind the attack.
The motivations of the individual or
individuals executing the cyber attack are
usually not relevant.
Motivations of the Hacker
The relevant determination is more likely
the ultimate objective of the scheme in
which a cyber attack has been deployed.
Intent of the Scheme
Coercion of U.S. public opinion or
influence of federal public policy
Espionage
Ransom
Identity Theft
Vandalism
International Issue Activism
National Issue Activism
Local Issue Activism
Anti-Corporate Activism
Retaliation for Military Strikes
Undeclared Warfare
The following examples illustrate the
challenge in categorizing the intent
underlying a cyber attack.
Examples

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTRIA’s Geographic Scope
With certain narrow exceptions, TRIA only responds to the extent an act has “resulted in damage within the United States.” In the case of a
fire, explosion, collision or chemical release or other physical event, the location of the damage is typically easy to determine. In the case of
cyber events, the location of the disabled equipment or of the corrupted, inaccessible or stolen data may be geographically distinct from the
place where the insured loss occurs.
TRIA’s geographic scope may prove inadequate to capture many cyber risks, especially as electronic data increasingly moves across
international borders in the normal course of operations.
Within the Scope of TRIA
Location of the hacker Location of the insured facility Location of the compromised server
B
C
D
A
Outside the Scope of TRIA
E
F
Outcome Unclear
The following analysis is based on a hypothetical hacking attack resulting in the corruption of critical data stored on a server and
regularly accessed by computers at the insured facility as a necessary part of daily operations.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyComparative Claims Experience
Cyber claims have reached well over 10,000 per year and are likely to continue to grow. There has never been a claim under TRIA.
Any expansion of TRIA to cover a broader range of cyber events would require Treasury to evaluate many more events under the program
than it currently does. Because TRIA has never been called on to respond to a certified act of terrorism, the steps involved in the certification
process and subsequent data reporting and claims procedures have yet to tested through a live event.
0
5,000
10,000
15,000
2015 2016 2017 2018
Number of Claims
Source: AM Best Market Segment Report (June 17, 2019)
Cyber Claims
TRIA Claims

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyKey Observations – Certification Criteria
In setting certification criteria for cyber events, policymakers should seek to (a) limit the extent of government intervention to target a
demonstrable defect in the market for cyber insurance; (b) incentivize prudent cyber risk management on the part of businesses, nonprofits
and local governments as well as prudent management of cyber insurance portfolios by insurers; and (c) facilitate practical, timely and fair
certification decisions.
Proponents of any extension of TRIA to non-terrorism cyber events should be expected to identify specific defects in the cyber market that
could be remedied only through government intervention. Any such proposal should include safeguards to prevent externalization of the cost
of individual, industry or regulatory decisions to underinvest in or deprioritize cyber security and cyber event recovery. If there is an
expectation the program may be called on to respond to cyber events greater efforts must be made to demystify the certification process.
Target Identified Market Defects
When TRIA was first enacted, US businesses,
nonprofits and local governments faced a
significant and rapid pull back of capacity for
terrorism insurance especially in central
business districts and for other high risks.
Cyber insurance markets are experiencing the
opposite dynamic: Capacity for cyber is
expanding not retracting. In fact, over the
course of the last three years the cyber market
has eclipsed the terrorism insurance market
with no sign of leveling off.
There may be a desire by some for the higher
limits, more generous terms and lower pricing
that a government program might bring, but
there is no current crisis in the cyber market
like that facing the US after September 11. In
short, it is not clear what problem a federal
cyber program would be expected to solve.
Reinforce Good Cyber Security
TRIA can be triggered only if the attack was
intended to punish the US (as a whole) either
by intimidating the people of the US or
pressuring the US government over its policy
decisions or conduct.
Cyber attacks are often characterized as
involving financial motives, espionage, simple
maliciousness or reasons unknown. Businesses,
nonprofits and local governments have faced
such threats in the physical world for many
years almost always without government
intervention in the relevant insurance markets.
While it makes sense to socialize the costs of an
attack aimed at the US as a government or as a
people, it is far less compelling to socialize the
costs of ineffective IT security arrangements or
deliberate underinvestment in cyber defenses
that have been exploited by criminals or kids.
Promote Practical Administration
After considerable engagement with
stakeholders, Treasury has developed
theoretically workable but untested
procedures to support consideration of
certification of an act of terrorism.
Despite TRIA’s certification procedures, the
practical considerations underlying the Secretary
of Treasury’s fact-based determination of the
intent behind an attack remain opaque. A
similar challenge is likely to arise in the
administration of any motivation-based criteria
for the certification of a cyber event.
Despite statutory criteria, certification is in
practical terms a political decision influenced by
a likely parallel criminal investigation,
intelligence analysis, military response, foreign
policy or economic policy. In short, the
certification decision is inherently unpredictable.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
Society
(A) CERTIFICATION.—The term ‘‘act of terrorism’’ means any act that is certified by the Secretary, in consultation with the Secretary of
Homeland Security, and the Attorney General of the United States—
(i) to be an act of terrorism;
(ii) to be a violent act or an act that is dangerous or destructive to—
(I) human life;
(II) property; or
(III) Infrastructure including electronic data stored on or in use by that infrastructure;
(iii) to have resulted in damage (including loss or loss of use of electronic data or unauthorized disclosure of or access to nonpublic
information) within the United States, or outside of the United States in the case of—
(I) an air carrier or vessel described in paragraph (5)(B); or
(II) the premises of a United States mission; and
(iv) to have been committed by an individual or individuals, as part of an effort to coerce the civilian population of the United States,
or to influence the policy or affect the conduct of the United States Government by coercion or impair the performance,
competitiveness or resiliency of the United States economy or sector thereof.
Statutory Text – Narrow Expansion
Certification is the gateway into the Terrorism Risk Insurance Program. No set of circumstances since the inception of the program in 2002
has satisfied the current certification criteria. If the program is to credibly open to encompass cyber threats, the certification criteria must be
substantially revised to (a) reinforce cyber as an event type covered by the program; (b) extend the geographic parameters of the program; and
(c) broaden the scope of intent underlying the cyber attack.
Modification of the certification criteria as outlined above would likely maintain the current balance between make available and the federal
backstop within the Terrorism Risk Insurance Act. It is rather unlikely such narrow changes would lead to a spike in certifications under the
program though it may give the Secretary of Treasury flexibility to more easily justify certification of a major cyber event.
The following amendments to the statutory text of TRIA would remove potential barriers to certification of large-scale cyber-terrorism:
Affirms destruction of electronic
data is within the scope of TRIA
Broadens geographic scope of TRIA
in the context of electronic data
Expands TRIA to include attacks intended to impair
the US economy or a specific sector of the economy

Centers for
Better Insurance
Policyholders
Employees
Shareholders
Society
(iv) to have been committed by an individual or individuals, as part of an effort to –
(I) coerce the civilian population of the United States;
(II) influence the policy or affect the conduct of the United States Government by coercion;
(III) impair the performance, competitiveness or resiliency of the United States economy or sector thereof;
(IV) obtain or deprive another of money or property through theft, extortion, or false claim of right;
(V) cause destruction of property, injury or death with malicious intent;
(VI) obtain confidential, private or nonpublic information;
(VII)influence the policy or affect the conduct of any State or subdivision thereof;
(VIII)coerce the civilian population of any State or subdivision thereof;
(IX) influence the policy or affect the conduct of any organization;
(X) coerce the members or shareholders of any organization; or
(XI) achieve some other or some undetermined objective or purpose in the discretion of the Secretary.
Statutory Text – Broad Expansion
If there is justification based on a defect in the current market and a public policy basis supporting socialization of such risks, policymakers
may consider further broadening the certification criteria to include such triggers as espionage, coercion of industries, businesses or local
governments, ransom or extortion, economic motivations, vandalism and/or unknown motivations.
Any material broadening of the certification criteria is likely to disrupt the current balance between make available and the federal backstop
within the Terrorism Risk Insurance Act. Over-extension would not only fail to produce a positive outcome for cyber insurance, but it would
threaten the currently functional program for the conventional terrorism risk. In the extreme, over-extension could imperil the broader
commercial property and casualty insurance market as insurers withdraw entirely to avoid the make available requirement.
The following amendments to the statutory text of TRIA could be used to broaden the intent trigger for certification:

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyMake Available Requirement
Certification
Criteria

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTRIA’s Make Available Requirement
TRIA requires each participating insurer to make available in property and casualty insurance policies coverage for insured losses from
certified acts of terrorism that does not differ materially from the terms, amounts, and other coverage limitations applicable to losses arising
from events other than acts of terrorism.
Coverage for terrorism is made available when the initially offered policy covers losses from acts of terrorism on the same terms and
conditions and at the same limits as losses from other types of events.
TRIA requires an insurer to “make available” a policy of insurance without a terrorism exclusion. Once the insurer has satisfied this obligation,
the insurer may (but is not required to) offer a policy with a terrorism exclusion or limitation to the extent permitted by state law.
Insurer offers coverage without a
terrorism exclusion or limitation
1
2
Policyholder accepts
the offered policy
Policy is issued without a
terrorism exclusion or
limitations
Policyholder rejects the offered policy
Insurer has the option to offer a policy
with a terrorism exclusion or limitation
Policyholder accepts
the offered policy
Policy is issued with a
terrorism exclusion or
limitations
 
 

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyIllustration of TRIA’s Make Available Requirement
Insurance Services Office (ISO) develops standard coverage forms for the insurance industry. The following illustrates how TRIA’s make
available requirement is satisfied using an ISO Commercial Property special or “open perils” policy form.
TRIA does not require insurers to sell “coverage for acts of terrorism” Rather, TRIA requires insurers to make available coverage that does not
specifically excluded or limit coverage for acts of terrorism.
CP 10 30
CP 00 10
A typical commercial property policy covers loss to covered
property “caused by or resulting from direct physical loss
unless the loss is excluded or limited in the policy.” The
initial offer of a policy under TRIA cannot reference an act
of terrorism as an excluded or limited loss.
Initial Offer
IL 09 53
After the initial offer of the policy has been rejected, a
typical commercial property policy with a terrorism
exclusion would be endorsed to state the insurer “will not
pay for loss or damage caused directly or indirectly by [an
act of terrorism.” The insurer may (but is not required to)
offer a policy with such an endorsement if the initial offer
has been rejected.
Subsequent Offer

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyPractical Implications of the Make Available Requirement
While the terms of each policy may differ, commercial property policies cover most causes of loss that are likely to result from a conventional
terrorism attack such as fire, explosion and impact by a projectile or other object. However, nuclear, biological, chemical and radiological
(NBCR) terrorism is likely excluded due to several common, long-standing exclusions.
In applying the make available requirement to cyber-terrorism, it is necessary to first understand whether and how a typical commercial
property and casualty insurance policy covers cyber losses outside of the terrorism context.
If a policyholder accepts the coverage made available as required by
TRIA, the typical property policy would cover a wide range of causes of
loss regardless of whether those losses were triggered by an act of
terrorism. For example, explosion damage to a building caused by a
truck bomb set off by a terrorist would be covered to the same extent
that the policy would cover damage to the building caused by an
accidental tanker truck explosion.
Covered Causes of Loss
Even if a policyholder accepts the coverage made available as required
by TRIA, the typical property policy would not cover certain causes of
loss regardless of whether those causes of loss originated from an act of
terrorism. Most notably, property policies often specifically exclude (at
least to some extent) nuclear reaction, radiation, radioactive
contamination, bacteria, contamination and pollution.
Excluded Causes of Loss

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCoverage for Cyber Losses
The analysis of cyber coverage in the context of the make available requirement is like the analysis whether NBCR terrorism is included within
the make available requirement. However, for cyber events the focus in on the property covered (or excluded) by the policy rather than the
causes of loss that are covered (or excluded).
Coverage for loss of electronic data is constrained today in terms of limits and covered causes of loss as compared with other kinds of insured
losses. Therefore, an extension of TRIA’s certification criteria to include a wide range of cyber events without adjustment to the make available
requirement would have little impact on the terms and limits insurers make available for cyber events.
A typical commercial property insurance policy covers business
personal property located at or near the covered premises. This
covered property includes tools, machinery and office equipment. It
is also likely to include computers, servers and other electronic
equipment.
Covered Business Personal Property
While the physical computers and servers may constitute covered
property, most commercial property insurance policies exclude
electronic data from the core coverages. For example, a physical floppy
disk may be covered property but the data on that disk is excluded.
Excluded Property
101001
011101
110011
Additional Coverage
Coverage for electronic data is then partially restored through an
additional coverage typically with lower coverage limits and subject to
a narrower range of covered causes of loss.
101001
011101
110011

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyIllustration of the Limitations of Cyber Make Available
TRIA’s current formulation of the make available requirement has a limited influence on the accessibility of coverage for data loss due to
cyber-terrorism. The fundamental challenge for insurers is the “cyber” in cyber-terrorism. Only once insurers become comfortable with cyber
as an insurable risk would the current approach to make available increase accessibility of coverage for cyber-terrorism.
TRIA’s make available requirement works well for conventional terrorism because insurers are willing to assume fire, explosion, projectile and
similar risks in non-terrorism contexts. It would not work well for a broad range of cyber events because insurers have a limited appetite to
assume cyber risks whether inside or outside of the terrorism context.
Impact of Make Available
on Conventional Terrorism
The Alpha Corporation maintains its offices on the 10th floor of a downtown high rise. Alpha purchases a commercial property insurance policy
with a $1 million limit for its business personal property. The policy excludes electronic data but provides an additional coverage of $25,000.
Impact of Make Available
on cyber-terrorism
Electrical fault
Cause of Loss
Coverage for
Office Equipment
$1,000,000
Terrorist bomb
attack
$1,000,000
With make available*
nil
Without make available*
*Assumes insurer would impose a terrorism exclusion in the absence of make available requirement and policyholder accepts offered coverage.
Ransomware
Cause of Loss
Coverage for
Electronic Data
$25,000
Terrorist
hacking attack
$25,000
With make available*
nil
Without make available*

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyCyber Coverage Challenges
In the context of conventional terrorism, insurers had to come to terms with a new trigger but had vast experience with many of the associated
risks and resulting losses. In the context of the cyber threat, the risks are (by definition) the product of digitalization and the resulting
economic losses can be as complex and varied as technology itself. Describing what insurers should “make available” under a TRIA-like
structure for cyber would require substantial consultation with experts and stakeholders before meaningful legislative text could be developed.
TRIA reacted to a negative market: Insurers had begun to exclude the trigger of terrorism from traditional products. TRIA had the simple task
of putting the terrorism trigger back into those products. Any cyber insurance program’s make available requirement must contemplate
effective limits and appropriate terms to cover policyholders for an ever-unfolding array of triggers, modalities, risks and economic losses.
Trigger Risk Economic Losses
Building burns and collapses
injuring and killings occupants
Accident
• Workers compensation benefits
• Liability for bodily injury and death
• Building reconstruction
• Business interruption
• Debris removal
Terrorism
Sensitive electronic
customer data is deleted
after a copy is transmitted
to an unknown recipient
• Investigation and crisis management
• Customer notification and monitoring
• Suspension of business operations
• Restoration of deleted data
• Liability for breach of privacy rights
• Administrative fine for poor security
Unknown
Traditional
Event
Terrorist
Event
Cyber
Event
Modality
Explosion
Computer
virus

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyComparative Take-Up Rates
Terrorism coverage take-up rates dropped from effectively 100% prior to September 11, 2001 to 27% in 2003. Over the following three years
take-up rates reached 60% later to stabilize around 75%. Cyber insurance take-up rates seem to have stabilized around 35%.
TRIA take-up rates largely reflect coverage for conventional acts of terrorism at the same limits and on the same terms as for other loss events.
Cyber take-up rates reflect the purchase of coverage at some lower limit and typically more restrictive terms than available for non-cyber
losses. Accordingly, cyber insurance take-up rates at “full” limits and terms is likely very small or even nil.
0%
20%
40%
60%
80%
100%
2H15 1H16 2H16 1H17 2H17 1H18 2H18
Source: The Council of Insurance Agents & Brokers Cyber Insurance Market Watch Survey (2015-2018); US Treasury, Report on the
Effectiveness of the Terrorism Risk Insurance Program (June 2018).
Terrorism Take-Up Rates
Cyber Take-Up Rates

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyComparative Surplus Lines Market Share
Surplus lines insurance makes up about 17% of commercial property and casualty insurance. In contrast, surplus lines insurers write nearly
half of all cyber insurance policies with the market trend clearly favoring increased migration into surplus lines.
Surplus lines insurance operates largely outside of the consumer protections on which insurance purchasers in the admitted market can rely.
Accordingly, cyber insurance is much more lightly regulated from a consumer protection standpoint than the broader commercial property
and casualty market.
0%
10%
20%
30%
40%
50%
2016 2017 2018
Source: Insurance Information Institute; NAIC Report on Cybersecurity Insurance Coverage Supplement (2019).
Commercial P&C
Cyber

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyKey Observations – Make Available Requirement
In setting the parameters for a mandatory availability requirement of cyber coverage, policymakers should promote (a) certainty of the
insurance benefits for policyholder and liabilities of the insurer in the event of a cyber attack; (b) an offer of adequately broad terms and
conditions for insurance coverage to respond to the expected needs of businesses, nonprofits and local governments following a cyber attack;
and (c) sufficient limits of insurance coverage at accessible pricing in order to support rapid recovery of the economy following an attack.
TRIA’s make available requirement has been highly effective in increasing the availability and affordability of high quality, well-regulated
coverage for conventional terrorism because insurers already offered high quality, well-regulated coverage for fires, explosions and other
conventional perils. Cyber starts from a very different point with terms of coverage, available limits and the degree of state insurance
regulation particularly constrained.
Certainty of Benefits and Liabilities
TRIA’s make available pre-defines benefits a
policyholder will receive in the event of a
terrorist attack and the cost of those benefits
while insurers understand in advance their
obligations in the claim settlement process.
The extension of TRIA’s make available
requirement to a broader set of cyber events
would bring the advantage of pre-defining
post-event benefits for affected businesses,
nonprofits and local governments. Further,
the cost of those benefits (other than that
portion socialized through the backstop)
would be expressed through risk-based
pricing.
Insurers would understand in advance their
obligations in terms of liability to
policyholders as well as the necessary claims
investigation and settlement capabilities.
Adequate Coverages
TRIA’s make available leverages the contract
wording the policyholder and insurer have
agreed with respect to non-terrorism events
including the consumer protections afforded
by state insurance regulation.
TRIA exclusively relies on state insurance
regulation to protect policyholders and
claimants. However, nearly half of all US cyber
insurance is written outside of state insurance
conduct regulation with most stand-alone
cyber policies placed in the surplus lines
market suggesting a high degree of variation in
products, little transparency and minimal
regulatory oversight of rates and forms.
The current make-available formulation in an
expansion of TRIA to cyber would come with
little confidence the program backs effective,
transparent and well-regulated products.
Sufficient Limits
TRIA’s make available leverages the coverage
limits of liability for terrorism events the
policyholder and insurer have agreed with
respect to non-terrorism events ensuring the
policyholder has available sufficient limits.
TRIA tied the make available requirement to the
core coverages in property and casualty
insurance products ensuring full limits were
made available. Coverage limits for cyber
(whether as part of a package or stand-alone) are
typically much lower than limits for the core
coverages (such as for building and contents
damaged by fire or explosion).
A make available requirement tied to general
cyber limits is unlikely alone to increase
currently available limits. Instead, higher limit
offerings would have to be coaxed out of the
industry through a robust backstop.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyBroad Cyber Make Available Requirement
In order to increase accessible limits and scope of coverage for cyber-terrorism losses through a make available requirement, TRIA would have
to be amended to introduce separate cyber-terrorism language.
Such an aggressive expansion of the make available requirement carries considerable risk. If insurers are required to make available more
coverage for cyber events than they are comfortable with policyholders may witness a pullback in property and liability insurance generally –
not just for cyber events. The degree of expansion of make available must be balanced with a similar degree of expansion of the backstop.
(c) AVAILABILITY.—
During each calendar year, each entity that meets the definition of an insurer under section 102—
(1) shall make available, in all of its property and casualty insurance policies, coverage for insured losses; and
(2) shall make available property and casualty insurance coverage for insured losses that does not differ materially from the terms,
amounts, and other coverage limitations applicable to losses arising from events other than acts of terrorism except that the coverage
made available shall not include an exclusion or limitation of coverage for insured losses specific to the loss of use, corruption or
destruction of electronic data or the unauthorized disclosure of or access to nonpublic information.
The following amendments to the statutory text of TRIA could be used to bring cyber limits and coverage terms to the same level as core
property and casualty coverages:
Overrides exclusions, limitations, sub-limits and other coverage restrictions of all
property and casualty insurance policies with respect to certified cyber events.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyThe Federal Backstop
Certification
Criteria

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTRIA’s Backstop Structure
The federal backstop reimburses 80% of insured losses paid by a participating insurer that has met its insurer deductible for the
relevant calendar year. The insurer deductible is calculated as 20% of the insurer’s prior year direct earned premium for commercial property
and casualty insurance.
As a practical matter, there are hundreds of backstops – one for each insurer or insurer group. While the backstop formula is the same for
each participant the economic implications of the backstop for each participant can be vastly different.
Insurer Deductible
InsurerCo-Share
Federal Backstop
Certification Threshold
Program Trigger
Liability Cap Mandatory
Recoupment
Discretionary
Recoupment
Calendar year deductible equal to
20% of the insurer group’s prior
year direct earned premium
$200 million calendar year industry
loss trigger to access the back-stop
$5 million per event industry loss
threshold for certification
$100 billion calendar year industry
loss (including federal share) cap
20% of insured loss exceeding the
insurer deductible
140% of the difference between the
3-year average industry aggregate
deductible and the annual losses
retained by the industry (though the
deductible and co-share)
Discretionary recoupment of 100% of
the remaining federal payments as
determined by Treasury
Mandatory and discretionary recoupments are
funded through policy surcharges on all commercial
property and casualty insurance policyholders.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyInsurer Deductible for Major Cyber Insurers
Because an insurer’s deductible for purposes of the backstop is a proportion of its prior year direct earned premium relating to its portfolio of
covered commercial property and property insurance, larger and more diversified insurance companies have greater deductibles while smaller
and less diversified companies have lesser deductibles. Because the cyber market shares deviate significantly from overall commercial
property and casualty market shares, close competitors in the cyber market can have very different insurer deductibles under the program.
Approximate TRIA Backstop Deductibles and Cyber Market Share of Largest Writers of US Cyber Insurance
Source for Approximate Deductible Computation: NAIC 2018 Market Share Reports
Source for Cyber Insurance Market Share: AM Best Market Segment Report (June 17, 2019)
Chubb
$2.7 billion
AXA
$810 million
Travelers
$2.7 billion
Liberty
$2.5 billion
AIG
$2.3 billion
CNA
$1.7 billion
$271 million
Beazley
$55 million $32 million
BCS
AXIS
16% 13% 11% 7% 6% 4% 4% 3% 3%
Approximate 2019 backstop
deductible under TRIA
2018 cyber market share as measured
by reported direct written premium

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyComparative Annual Premium
Annual direct premiums for TRIA-related coverages has stabilized at about $2.6 billion. Cyber insurance premiums approach $3.6 billion and
appear on an upward trajectory.
Cyber insurance has the potential to mature into a market many multiples of the terrorism insurance market.
Source: NAIC Report on Cybersecurity Insurance Coverage Supplement (2019); US Treasury, Report on the Effectiveness of the
Terrorism Risk Insurance Program (June 2018).
2000
2500
3000
3500
4000
2016 2017 2018
Premium (in millions)
Cyber Insurance
TRIA

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyComparative Product Configurations
Coverage under TRIA is nearly always sold as part of a broader policy of insurance, typically representing about 2.5% of overall policy
premium. Coverage for cyber is predominately sold as a separate policy with cyber representing 100% of the overall policy premium.
Because coverage for conventional terrorism is almost always sold embedded within a broader policy and represents just a small fraction of
the cost of that policy, competitive disparities caused by TRIA generally “washout.” In contrast, cyber is predominately sold as a stand-alone
product so that any competitive disparities created by a government program would become pronounced.
0% 20% 40% 60% 80% 100% 120%
TRIA
Cyber
By Direct Premium (Excluding Captives)
Package StandAlone
Source: AM Best Market Segment Report (2018); ); US Treasury, Report on the Effectiveness of the Terrorism Risk Insurance Program (June 2018).

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyAnnual Cyber Insurance Premium as Proportion of TRIA Deductible
Cyber insurance premiums contribute only about 1.5% to the aggregate of all insurer deductibles under TRIA yet, if the program were
expanded, could be the riskiest business backstopped under the program. Because cyber coverages contribute such a small portion of an
insurer’s backstop calculation, competitive distortions are significantly amplified for cyber as compared to other coverages.
This data suggests it would take Travelers 20 years to earn enough direct written premium from its cyber portfolio to satisfy its deductible
whereas Beazley, with a similar sized cyber portfolio, would require merely 6 months. By that basic metric, the backstop provides a 40x
advantage to one competitor over another in writing cyber-terrorism risks.
Source for Cyber Premiums: AM Best Market Segment Report (June 17, 2019)
Annual Cyber Premium Written as Percentage of Backstop Deductible
Chubb
12%
AXA
31%
Travelers
5%
Liberty
3%
AIG
10%
CNA
5%
28%
Beazley
200% 218%
BCS
AXIS

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyThe Outsized Role of Captive Insurers in the Backstop
A captive is an insurance company owned by the business which it insures. As a licensed insurance company, US domiciled captive insurers
participate in TRIA. Hundreds of captives formed in the years after TRIA was enacted in order to tap into the program for the benefit of their
corporate parents.
While captive insurance plays a small role in the overall property and casualty insurance industry, Treasury’s loss modeling reveals that these
single policyholder insurance companies are by far the largest beneficiaries of the backstop. Any extension of TRIA to include cyber events is
certain to attract similar arrangements specializing in extracting maximum value from the program.
• Captives make up only 4% of commercial property and casualty
insurance but 32% of terrorism insurance under TRIA.
• 337 terrorism-only captive policies make up 24% of the entire
US terrorism insurance market
0% 10% 20% 30% 40%
2017 Captive Insurer Market Share
Terrorism Commerical P&C
Industrywide
terrorism market
share controlled by
just 337 stand-
alone terrorism
policies
0% 20% 40% 60% 80%
Losses Reimbursed by Backstop
Captives Other Insurers
Chicago
New York
• Treasury’s modeled loss from a truck bomb attack in Chicago
revealed that the federal backstop would pay 75% of losses incurred
by captives compared to 2% of losses incurred by other insurers.
• A similar modeled loss from a truck bomb attack in New York City
showed that captives would recover 86% of their losses from the
backstop compared to 44% for other insurers.
Source: US Treasury, Report on the Effectiveness of the Terrorism Risk Insurance Program (June 2018).

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyHow TRIA Captives Work
Because it has only one customer, a captive typically earns very little direct earned premium and, therefore, maintains a low backstop
deductible. As a result, a captive can provide very large terrorism limits and generous coverages at far below market rates. Over 500 captives
participate in TRIA insuring some of the largest and most profitable US and foreign corporations.
Through often opaque financial engineering, large corporations shift tens of billions of dollars of risk into the backstop. Ultimately, Treasury
will recover up to 140% of resulting reimbursements by levying policy surcharges on small businesses, nonprofits and local governments.
$2.14 billion
policy limit
Barclays Bank PLC
Barclays Group US, Inc.
Barclays Insurance US, Inc.
85% Federal Share
$100,000
deductible
15%QuotaShare
Insurance contract
transferring $1.8
billion of risk into
the backstop
~$500,000
premium
Source: NY DFS Examination Report (Feb. 5, 2016)
$1.2 billion
policy limit
New York Times Company
NYT Capital, Inc.
Midtown Insurance Co.
85% Federal Share
$8.5 million
deductible
15%QuotaShare
~$42 million
premium
Source: NY DFS Examination Report (Dec. 31, 2012)
Insurance contract
transferring $1.0
billion of risk into
the backstop

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyLoss Amplification under TRIA
TRIA is an extremely efficient program so long as there is never a loss. Through the post-funding mechanism, policyholders do not pay any
premium for that part of their terrorism insurance that may later be reimbursed by the backstop. However, if there is a loss event Treasury
will impose surcharges on all policyholders nationally (whether those policyholders ever purchased terrorism insurance or not) calculated to
recoup up to 140% of the amount paid out by the backstop.
For all but the most extreme events, TRIA amplifies overall economic loss through these mandatory surcharges. Moreover, the backstop
distributes those amplified losses to commercial policyholders nationwide even if they did not purchase coverage available under the program.
To a large extent, the program marks up and then shifts losses from large corporates which could afford to set up their own personal insurance
companies onto the small businesses, nonprofits and local governments that must rely on traditional insurance.
Treasury is required to recoup 140% of its backstop payments to the extent retained losses (i.e., losses not reimbursed by the backstop) do not
exceed the industry marketplace aggregate retention amount. For 2020, this amount is $40,878,630,900.
New York Truck Bomb
0
5
10
15
20
Insurer Share Federal Share
Lossesinbillions
Chicago Truck Bombs
0
5
10
15
20
Insurer Share Federal Share
Lossesinbillions
Based on Treasury’s Modeled Loss Scenarios
Treasury must recover 140% of its $18.5 billion outlay or
$25.9 billion through surcharges on all commercial property
and casualty policyholders nationwide. Through this markup
TRIA creates $7.4 billion of additional economic loss.
Treasury must recover 140% of its $2.1 billion outlay or $2.9
billion through surcharges on all commercial property and
casualty policyholders nationwide. Through this markup
TRIA creates $800 million of additional economic loss.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyKey Observations – The Backstop
In setting the parameters for government participation in cyber losses, policymakers should ensure (a) the private cyber market retains ample
room for natural growth free from threat of crowding out by government-sponsored capacity; (b) affordability for policyholders so businesses,
nonprofits and local governments can purchase sufficient limits of high-quality cyber coverage; and (c) a fair and level competitive playing
field among providers of cyber insurance.
TRIA’s backstop is a success because it addresses a small corner of the overall market that insurers fled after September 11 and the backstop
has never been called on to pay a single claim since. In contrast, cyber events are a daily occurrence in the US with several very large events
each year. Further, cyber is a competitive and rapidly expanding product. Accordingly, the serious flaws in TRIA’s backstop structure which
have remained hidden while the program is limited to terrorism would be fully exposed if expanded to encompass broader cyber events.
Avoid Crowding Out
TRIA is not based on an aggregate industry
deductible but on individual company
deductibles which range from more than $2
billion to less than $100,000.
Clearly there is private reinsurance capacity
available for small and medium terrorism
events. TRIA removes federal capacity from
the smallest of these events through the $200
million program trigger.
The US cyber market manages losses of 2-3
times the TRIA program trigger every year
and does so with a mere 25% loss ratio –
roughly half of the commercial property and
casualty insurance average. Accordingly, it
appears the cyber market could manage with a
program trigger much larger than the current
$200 million level.
Level Competitive Field
TRIA’s use of a broad range of commercial
property and casualty insurance premium to
define the backstop deductible penalizes
diversification which is otherwise regarded
as a source of prudential strength.
While TRIA skews the competitive playing field
by favoring insurers that avoid risk
diversification, the pricing advantage typically
washes out because terrorism coverage is almost
always sold as part of a much larger package of
coverages and the terrorism premium represents
only about 2.5% of the total cost.
Cyber is shaping up to take a very different
approach with product configurations clearly
moving toward a stand-alone purchasing
decision. Further, there is aggressive competition
for cyber market on the assumption cyber
represents the insurable exposure of the future.
Affordability
While TRIA leaves rates for terrorism
insurance entirely to state insurance
regulation, federal law requires insurers to
disclose the cost of terrorism coverage as a
separate line item.
Terrorism coverage take-up rates went from
effectively 100% prior to September 11 to as low
as 25% before leveling out at around 75%. That
is, despite the make available requirement and a
“free” federal backstop 1 out of 4 policyholders
still do not see value in terrorism coverage.
Currently, 3 out of 4 policyholders do not see
value in cyber coverage at the current terms,
limits and rates. A generous backstop could
lower the cost of cyber coverage for those that
purchase it but would shift disproportionate
costs to all policyholders through post-event
surcharges.

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyBackstop Improvement
In order to prevent crowding out private capacity, provide meaningful catastrophic loss coverage and mitigate gaming of the system, the
backstop could be restructured to ensure small and medium cyber losses remain entirely with the industry while allocating backstop
reimbursements for large cyber events on an equitable basis.
Any government program assuming cyber risks raises the prospect of businesses, nonprofits and local governments transferring the cost of
poor decision making with respect to investment in, oversight of and commitment to IT security, employee training and adequate controls
onto the backs of taxpayers or, in the case of the backstop, those policyholders who did make prudent decisions about their cyber exposures.
The following amendments to the statutory text of TRIA could be used to restructure the backstop:
Reduces the diversification penalty and offsets cost to
insurers of an expanded cyber make available requirement
(7) INSURER DEDUCTIBLE.—The term ‘‘insurer deductible’’ means—
(A) the value of an insurer’s direct earned premiums during the immediately preceding calendar year, multiplied by 20 10 percent . . . .
***
(B) PROGRAM TRIGGER.—In the case of certified acts of terrorism occurring after January 1, [202X], no compensation shall be paid by the
Secretary under subsection (a), unless the aggregate industry insured losses resulting from such certified act of terrorism exceed— ***
$200,000,000 $2,000,000,000, with respect to such insured losses occurring in calendar year [202X] and any calendar year thereafter.
Ensures industry works through reinsurance, pooling, securitizations
and other tools to develop healthy capacity while discouraging the use
of low deductible captives or other vehicles to leverage the backstop

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyConclusion
Certification
Criteria

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyTRIA Works for Conventional Terrorism
TRIA has achieved and has so far maintained a balance between the rights and obligations of insurers and policyholders. While there may be
specific exceptions, policyholders are able to obtain adequate coverage for certified acts of terrorism at acceptable pricing. Insurers can offer
those coverages, limits and prices while remaining within their respective risk tolerances in reliance on the promise of the backstop.
Underneath these positive headlines, TRIA is supported by powerful shock absorbers that have kept the sharp edges of the program in check.
TRIA is a laser focused solution born at a time of national solidarity in the face of a new and terrifying threat to the American way of life. Since
that time, US businesses have enjoyed only the advantages of TRIA – mandated offers of coverage from their insurers without charge for the
value of the backstop. There may be a very different sentiment should the cost of TRIA ever come due through large-scale policyholder
surcharges fueled by billions in risk transferred from captives that had been quietly set up by large US and foreign corporates.
Certification
Criteria
TRIA’s scope has proven very narrow. As
a result, the program’s more controversial
elements have never been tested.
Mandatory Offer of Coverage of
Certified Acts of Terrorism
Reimbursement above Deductible
Funded through Policyholder Surcharges
• Almost always sold as an embedded
coverage within a standard product
• Cost of coverage is a small
proportion of overall product cost
• Vast majority of relevant products
sold within the admitted market and
subject to standard terms
• Clear state regulatory responsibility
for rate, form and consumer
protection oversight
• Accepted as a valid response to an
attack on the US, the losses from which
should be socialized broadly
• Never has been called upon to fund
reimbursements or pass on losses
through policyholder surcharges
• Competitive distortions muted by
product structure and low cost
• Aggressive captive strategies largely go
unnoticed by policymakers and public

Centers for
Better Insurance
Policyholders
Employees
Shareholders
SocietyExpanding TRIA to Cyber would Imperil the Program
Expansion of TRIA to include a broader range of cyber events would create a serious risk of damaging a largely successful program while
transforming the vibrant and expanding cyber insurance market into a ward of the federal government. The cyber market is surely
experiencing growing pains, but it is the primary role of the States to offer a guiding hand if one is necessary. If there is a specific problem
where only the federal government could step in, state insurance regulators, the insurance industry and policyholders must first point it out.
TRIA is a good starting point for a discussion of a potential federal role in the cyber market, but it would be a terrible ending point. There is
much that can be learned by understanding the program, its history and how the terrorism exposure and terrorism insurance market differ
from the cyber exposure and cyber insurance market. Ultimately, this analysis will lead to an answer for cyber different than that for
terrorism. As an added advantage of this approach, along the journey a few potential improvements to the TRIA program may emerge.
TRIA’s scope would broaden
thereby vastly increasing the
probability of a certification
Mandatory Offer of Cyber Coverage
Reimbursement above Deductible
Funded through Policyholder Surcharges
• Market developing toward stand-
alone products
• Cost of cyber main driver for
purchase decision
• Increasing majority of cyber
products sold through surplus lines
with varied policy wordings
• Limited state regulatory authority
and capability to oversee rate, form
and consumer protection
• Unlikely public acceptance of
socialization of losses seen to result
from poor IT security programs
• High probability of backstop
reimbursement leading to
amplification of loss through
policyholder surcharges
• Heavily skewed competitive playing
field due to diversification penalty
• Aggressive captive strategies likely to
become visible to the public
Certification
Criteria

TRIA Cyber Risk Study (GAO)

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a TRIA Cyber Risk Study (GAO)

Semelhante a TRIA Cyber Risk Study (GAO) (20)

Mais de JasonSchupp1

Mais de JasonSchupp1 (20)

Último

Último (20)

TRIA Cyber Risk Study (GAO)