There are three Bills in the House of Representatives that would extend TRIA: H.R. 2146; H.R. 508; and H.R. 1945. Ten year extensions through December 31,2024 would occur under H.R. 2146 and H.R. 1945; five years to December 31, 2019 under H.R. 508. H.R. 2146 is the most recent Bill and has many of the same sponsors as 508, so it is likely more viable. H.R. 1945 currently has only one cosponsor. H.R. 2146 is essentially an extension of the term of the current law (hereinafter, TRIA and all its extensions are referred to as “TRIA”). It remains to be seen if the Financial Services Committee will permit amendments for budgetary or other reasons such as indexation of caps, deductibles, aggregate retentions, and as in H.R. 508, recoupment, over the 10 year extension.

An “act of terrorism” has to be certified by Treasury, in coordination with the Secretary of State and the Attorney General. H.R. 1945 would limit certification to Homeland Security in concurrence with Treasury, rather than visa-versa. The House Financial Services Committee would be stripped of jurisdiction over future TRIA renewals under this Bill. Given that the TRIPA extension eliminated the requirement that the terrorism act needed to be committed on behalf of a foreign person or interest it might seem logical to delete concurrence by the Secretary of State. The replacement of the Attorney General could be more problemmatic. It would imply certification without having the capability of civil prosecution, either because of jurisdictional or evidenciary difficulties, or because military tribunals would be hearing the case. There is a risk of politicalization of certification, as it is easier to declare and certify an “act of terrorism” than to prove it. Biological and chemical weapons, agents or vectors, can be more difficult to prove. The initial anthrax event in Washington, D.C. brought numerous government declarations that it was a terrorist event, which declarations were modified over time. There were only 5 deaths and really no economic costs so TRIA was unaffected. A $5 million insured certified loss event could create coverage uncertainty if after certification the event is not considered terrorism. TRIA has no provision for withdrawal of certification, so the government would likely be prudently silent and not certify such an event until it could be proven. Insurers may to avoid bad faith cover bodily injury and business interruption losses given the government’s silence. Subsequent adjustments would then have to be made should the event be certified.

The definition of “Act of Terrorism” under TRIA does not expressly refer to NBCR, cyber-terrorism, or cyber-war. It is:

(a). an act of terrorism,
(b). which is a violent act, or an act dangerous to human life, property or infrastructure;
(c). which is part of an effort to coerce U.S. civilian population or influence U.S. policy,
(d). which causes damage in the U.S. or to a U.S. airline or mission, and
(e). which act is certified as an act of terrorism by Treasury, in coordination with Secretary of State and Attorney General.

It is the “act” and not the effect of the act of terrorism that controls this circular definition. As written, it is singular; although insurers and reinsurers will consider it in the context of broader “occurrence” language. It may be difficult to assign a biologic or cyber act to which $5 million of aggregated insured losses are attributable, particularly if the viral infiltration is self-replicating. Would disruptive, but not “dangerous” cyber-terrorism attacks be covered? What does “act of terrorism” mean in “(a)” above such that it is qualified by “(b)” and “(c)” in order to be certified? TRIA as likely be broader in practice than the verbiage. The government will control the evidence, and what is “certified” will be an “Act of Terrorism”. Nonetheless, the “Act of Terrorism” definition would benefit from broader regulatory interpretation and if legislatively feasible, amendment.

Certification by the Federal government is a principle benefit of TRIA. In the quest for property coverage it is often overlooked when renewal is questioned. Nuclear, biological, chemical and radiological (“NBCR”) are not defined in TRIA. Imperfect NBCR definitions in other Federal statutes and international treaties are not referenced in TRIA. Certification does not require a declaration that the event is an NBCR event. Such certification below the $5 million threshold might be useful to avoid disputes for smaller NBCR events. NBCR as a matter of insurance contract will otherwise be defined and determined under state law(s).

After 9/11 and before TRIA, terrorism and in particular NBCR were excluded by reinsurers and insurers. Subjective determination of coverage of terrorism or NBCR was based on the issuer’s assumption about the event as if it would be as self-evident as 9/11. Cyber-terrorism was not a concern. Biological terrorism was not as self-evident chemical, nuclear, or radiological. After 9/11 I successfully negotiated a unique NBCR exclusion. It was tied to objective NBCR related Federal definitions and required a Federal indictment in order for the event to be considered terrorism. The concern then, as now, was that the government might not reveal the evidence it had to the public, so reinsurer and insurer “assumptions” might be wrong. Rational arbitration would be a challenge. Economic reasons aside, TRIA needs to be reinstated because Federal certification avoids unsupportable subjectivity.

Biological and cyber-terrorism and cyber-war will likely be substantial terrorist risks over the next 10 years. Each can be developed and executed by a lone wolf, but with asymmetrical consequences. The U.S. recognizes that its defenses to each are substantially lacking. In the case of biological terrorism, its facility to replace Plum Island will not be operational until 2020-21. Biologic agents, vectors and diseases can be self-replicating, developed synthetically, and are subject to plausible deniability as public health events, allowing the terrorist time to escape detection and the U.S.. Ricin is easy to produce; H5N1 has been modified by scientists so that it is now transmittable by humans; variants of small pox are being created. The technology is moving faster than our preparations and the law, as with cyber-terrorism, is lagging.

The exposure from a one day cyber-terrorism caused internet blackout will not be small. However, it pales against other exposures. The 2008 financial crisis caused an estimated 20% drop in U.S. GDP. According to Ted Lewis, Executive Director of the Center for Homeland Defense and Security (see, the average impact on U.S. GDP from the following events, are:

Earthquake: 0.48%
Hurricanes: 0.25%
1993 Eastern Storm: 0.11%
Oakland California Fire: 0.10%
2003 Blackout: 0.10%
Flood: 0.9%
Tornados: 0.9%
One Day Internet Blackout: 0.5%
Mount St. Helen’s Eruption: 0.4%

These numbers are imprecise. They reflect only a part of the exposure. Strategically important infrastructure and businesses have their own networks. State sponsored cyber-espionage has penetrated these; so have non-State actors. The cyber-related business or contingent business interruption exposure is growing. Concentration of hubs (so-called “peers”) and of bandwidth (mostly all controlled from outside the U.S.) make broad attacks more feasible (and protectable). In the case of state sponsored cyber-espionage, the line between theft, terrorism and war can be blurred. Here Secretary of State participation in certification, is as or more important than Homeland Security. Perhaps TRIA should be amended to require Homeland Security coordination as well. If cyber-war is to be covered under TRIA, the restriction of TRIA war coverage to workers compensation is anachronistic and needs to change.

Getting anything through this Congress is a chore. Obtaining only an extension of TRIA may be the path of least resistance. Unfortunately, it ignores TRIA deficiencies and what are likely to be real exposures during the extension period.

As always, your thoughts and questions are most welcome.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s