CBI’s Comments on Treasury’s Request for Comment on Cyberterrorism Events
Last month the U.S. Treasury published a Notice of Proposed Rulemaking and Request for Comments with respect to the Terrorism Risk Insurance Program.
The Advisory Committee on Risk-Sharing Mechanisms (ACRSM) suggested Treasury consider whether “cyber incidents that occur outside the U.S. with damage outside the U.S., but with impacts both inside and outside the U.S.” could be eligible for certification under the Program. Treasury seeks public comment:
- Whether cyber events outside the United States can inflict cyber-related losses within the United States that qualify as “damage within the United States” for purposes of TRIA;
- To the extent such cyber events can be said to inflict losses that qualify as “damage within the United States,” whether such losses may also be subject to compensation under the terrorism risk insurance pools or arrangements of other jurisdictions; and
- How Treasury could evaluate such losses representing “damage within the United States” from a certification standpoint, particularly if the causative cyber events in question take place outside the United States.
CBI has filed comments with respect to the ACRSM’s inquiry and urges Treasury to limit its response to the ACRSM to avoid any perception Treasury is weighing in on the merits of the more than 200,000 COVID-19 business income claims where the “damage” trigger remains hotly contested.
On the surface, the answer to ACRSM’s inquiry is straightforward. If damage takes place only “outside of the United States”, then damage does not take place “within the United States” as required by the statute to support a certification under the Program. If all that takes place in the United States are non-damage “impacts”, the Secretary could not possibly make a certification even if those non-damage “impacts” are insured.
The ACRSM’s question may really be whether purely economic impacts experienced in the United States and covered by insurance amount to “damage” for the purposes of the Program. For example, a cyberterrorism attack damages production machinery outside of the United States, resulting in a suspension of shipment of vital component parts to U.S. factories. Could this act be certified as an “act of terrorism” under the Program? The answer is clearly “no”.
Close examination of the statutory text reveals a distinction between the “damage” necessary to trigger the program (the damage to production machinery) and the loss to which the program responds (business interruption). The trigger and loss are two separate concepts, though under TRIA both must have occurred in the United States for the Program to respond.
Herein sits the potential connection to COVID-19 business interruption claims. There is usually little dispute that a lockdown order has forced the policyholder to suspend operations resulting in a business income loss. The difference of opinion is whether this lockdown order is a sufficient trigger for business income coverage.
The insurance industry generally argues the damage trigger requires “structural alteration” whereas policyholders argue it is adequate to show a temporary inability to use the property for the purposes for which it was insured. One way or another, the courts will eventually sort out these arguments. It behooves Treasury, the Program, insurers, and policyholders for Treasury to hold off on any public examination of the Program’s damage trigger (whether in the context of cyberterrorism or a biological attack) until these COVID-19 claims are appropriately resolved through the judicial process.