Cyberterrorism Daunting Challenge for TRIA
Complex determinations and conflicts of interest present serious risks to program effectiveness.
These comments respond to Treasury’s Notice appearing at 87 FR 18473 (March 30, 2022) seeking comments in advance of its 2022 Report on the Effectiveness of the Terrorism Risk Insurance Program with a focus on issues presented by cyber-related losses.
Question 6 of the Request for Comments inquires as to terrorism risk insurance issues presented by cyber-related losses, and the impact of TRIP in connection with such exposures, including views on cyber-related terrorism losses that are included within TRIP and those losses outside of TRIP.
At a high level, the Program has long been understood to encompass acts of “cyberterrorism”.[1] As Treasury’s question suggests, the practicalities of applying the Program to a cyber-event are not necessarily straightforward.
These comments focus on three of the most apparent risks to the efficient and fair administration of the Program in the context of cyber events:
- Attribution of motivation;
- Determination of the occurrence and situs of “damage”; and
- Determination of the nature and situs of “loss.”
A. Attribution of Motivation
Before FIO can activate the Program in response to a cyber-event, the Secretary of Treasury must certify that the cyber-event is an “act of terrorism.” In order to certify an act of terrorism, the Secretary must conclude, inter alia, that the cyber-event had been perpetrated “as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.”
The first challenge facing the Secretary is determining whether a cyber-event is a cyberattack or an accidental hardware or software malfunction. Presumably, the Program has access to law enforcement, intelligence, and other governmental and private resources able to promptly assess and determine the general nature of a cyber-event. Out of concern for the protection of investigatory, security, and proprietary information, the Secretary may not be in the position to share details of that analysis or may find it prudent to delay a determination.
Once the Secretary has determined that a cyber-event is a cyberattack, a potentially more difficult task is to determine the motivation behind the attack. Nothing in the statute suggests that the Secretary must identify the attacker. However, the Secretary cannot certify a cyberattack as an act of terrorism unless the Secretary first concludes the attack had been “committed … as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States Government by coercion.”[2]
In considering certification, the Secretary must consult with the Secretary of Homeland Security and the Attorney General of the United States. As part of the law enforcement community, these executives have access to a wide range of information to assist in the certification decision. However, they may be concerned that a determination on certification by the Treasury Secretary may be seen to reflect the Federal Bureau of Investigation’s and Homeland Security’s potentially unannounced or caveated conclusions on attribution and motivation. Further, the Secretary may be limited to sharing relevant information only with staff holding the requisite level of security clearance (which may or may not include the FIO staff charged with assisting the Secretary in making the certification decision).
Moreover, facts may develop over time through intelligence gathering and other sources that cause the Secretary to possibly refine, revisit, or reverse earlier conclusions as to motivation. The Program is equipped with no tools to manage the subsequent development of information bearing on the certification criteria after the certification has been made.
As an illustration of these challenges, consider that a cyber-event has disabled a petroleum pipeline in the Northeast United States:
- Accident vs. Attack — The Secretary first gathers information from the pipeline company, law enforcement, and intelligence agencies to determine whether the event is a cyberattack or an accident. If an accident, the inquiry stops.
- Financial vs. Political — The Secretary next gathers information from law enforcement, military, and intelligence agencies as to the motivation behind the cyberattack, including an assessment of the credibility of any claims of responsibility. If the motivation is financial, the inquiry stops. If the motivation is political (i.e., directed at public policy or public opinion), further parsing is required. It appears certification cannot be based on an attempt to influence the public policy of, or public opinion regarding, state or local governments, private companies, or non-governmental organizations. Rather, certification is limited to efforts to influence public policy or public opinion on matters of national or international relevance. It is entirely foreseeable that the motivation (even if known) is ambiguous (e.g., anarchists, hacktivists, or revenge-seekers) or mixed (e.g., ransomware producing income designed to evade sanctions).
While the challenges associated with determining the motivation behind an event are not limited to cyber-events, the intangible nature of the attack methodology, the physical separation between actor and act, the ease of anonymity, and the range of capable actors associated with cyberattacks accentuate these complexities in the Program as a practical matter.
Stepping back to look at the big picture, there is an even more significant challenge. The impact of a cyber-event on U.S. businesses, nonprofits, local governments, and the U.S. economy is the same whether the underlying event is accidental or intentional, or financially or politically motivated. However, the Secretary’s determination on this tangential point (as regards the U.S. economy) would drive whether a $100 billion relief program can be brought to bear on the resulting economic disruption.
While Congressional action is likely necessary to mitigate the challenges in applying the Program in the context of a cyber-event, FIO’s Effectiveness Report should highlight these risks with regard to the determination of motivation.
B. Situs of Damage
The Secretary may certify an act as an “act of terrorism” if the act “resulted in damage in the United States.”[3] The term “damage” is not defined in the statute or in Treasury’s regulations.
The statute offers two clues as to the meaning of this term. First, the act that results in damage must be “dangerous to human life, property, or infrastructure.” The Secretary may very well conclude that danger to property or infrastructure encompasses the danger of loss of access to, loss of utility of, or loss of performance of equipment, data, or computer programs caused directly by the act.
Second, the statute draws a distinction between “damage” and “loss.” The term damage is used in reference to the impact of an act on property or infrastructure.[4] The term loss is used in reference to that which is covered under an insurance policy.[5] Accordingly, it would seem the Secretary’s determination whether there has been “damage” and where that damage has occurred is to be made without reference to any insurance that may or may not respond to losses from such damage.
The Secretary may fairly read the statute such that certification of a cyberattack may be based on an act targeting or infecting computers, equipment, or data located in the United States. To the extent a cyberattack targets or infects computers, equipment, or data only outside of the United States (even if there are economic or financial consequences in the United States), the Secretary may fairly conclude that the cyberattack did not result in “damage” in the United States.
While Congressional action is likely necessary to mitigate the challenges in applying the Program in the context of a cyber-event, FIO’s Effectiveness Report should highlight these risks with regard to the determination of the occurrence and situs of damage.
C. Nature and Situs of Loss
The Program reimburses loss “resulting from an act of terrorism” if the loss (a) is covered by insurance; and (b) occurs within the United States.[6] As discussed in the prior section, the term “loss” is connected to that which is insured under a policy of commercial property and casualty insurance.
The simplicity of the Program is that it relies on free-market forces and state insurance regulation to determine what losses are covered by a policy of commercial property insurance. By requiring each participating insurer to retain a large program deductible and 20% of losses above that deductible,[7] the Program assumes that insurers have sufficient “skin in the game” to design, price, underwrite, and settle claims under policies consistent with the Program’s (and taxpayers’) interests. Further, the Program assumes state insurance regulators are monitoring those practices and intervening as necessary. In that way, the Program largely defers the determination of the coverage of “loss” under the policy and the location of that “loss” to the insurer.
These assumptions generally hold up for policies of insurance offered to small and medium businesses, especially for traditional lines of insurance. Congress and FIO should have far less confidence in state regulatory oversight of product design and claim settlement practices with respect to the burgeoning surplus lines market and no confidence at all in the existence of any such safeguards in the captive insurance market.
It may be useful to examine one such captive as an illustration of the lack of obvious safeguards over the insurance company’s determination of the coverage of loss and designation of a situs of that loss.
Comcast Corporation established Three Belmont Insurance Company in New York on April 29, 2013. Comcast appointed insurance broker Marsh to manage this subsidiary.
Comcast (which owns NBCUniversal) also appointed the following Comcast executives as the officers and directors of its insurance subsidiary:
- Donald B. Aspinall, Chair and President of Three Belmont Insurance Company (Vice President of Global Risk Management for Comcast);
- Charles Van H. Gavitt, Board Member and Treasurer of Three Belmont Insurance Company (Vice President of Financial Planning & Analysis for Comcast);
- Andrew G. Fossett, Board Member and Secretary of Three Belmont Insurance Company (Senior Vice President & Chief Counsel for NBCUniversal); and
- John P. Giraldo, Board Member of Three Belmont Insurance Company (Executive Vice President and Global Controller for NBCUniversal).
It is obvious from the captive insurer’s board composition that Comcast’s lawyers, finance team, and risk management function control both ends of the negotiations between Comcast and its insurance subsidiary regarding product terms, pricing, underwriting, and claims settlement.
As for the New York Department of Financial Services, its hands are largely tied in terms of oversight of these practices. Under New York law, captives are exempt from regulation of policy terms and conditions, rates, deceptive trade practices, unfair competition, unfair claims settlement practices, and nearly all other provisions of the insurance code. NY Ins. § 7001. Moreover, regulatory filings made by a captive insurer with the New York Department of Financial Services are exempt from the New York Freedom of Information Law and even protected from discovery in civil litigation. NY Ins. § 7003(c)(3).
As a result, the New York Department of Financial Services, FIO, and the public have few if any tools to understand how a captive such as Three Belmont Insurance Company interacts with the $100 billion taxpayer funded Terrorism Risk Insurance Program.[8]
Returning to the determination of the coverage for and situs of cyber-related losses, the Comcast-Three Belmont example suggests few (or no) controls protect the interests of the Program and the taxpayers that fund it with respect to:
- The generosity of the coverages the captive provides its parent against cyberterrorism;
- The decision the captive would make whether a particular cyberattack is covered by the policy it had negotiated with its corporate parent;
- The decision the captive would make about how much it owes its corporate parent under the terms of that policy; and
- The decision the captive would make as to whether (and to what extent) that loss occurred in the United States or outside of the United States.
Presumably, the officers and board members of the captive would negotiate with the risk management, legal, and finance teams of the corporate parent to settle these critical decisions. As we have seen in the Comcast example, they can be (and often are) the same people on both sides of the table. As a result, the negotiations of these key determinations are likely to be brief and decisive in favor of the ultimate corporate parent.
While the misalignment of interests and the limitations on state regulatory supervision for captives and, to a lesser extent, surplus lines insurance exist for all event types under the Program, they become more obvious and consequential in the context of the cyberterrorism risk.
While Congressional action is likely necessary to mitigate the challenges in applying the Program in the context of a cyber-event, FIO’s Effectiveness Report should highlight the absence of safeguards over determinations of coverage of loss and situs of loss by captive insurers (and to a lesser extent surplus lines insurers).
[1] Conference Report accompanying HR 3210 (Nov. 13, 2002), Report No. 107-779 at page 24. NAIC Proceedings, Terrorism Insurance Implementation Working Group (December 16, 2013) at 8–28.
[2] Sec. 102(1)(A)(iv).
[3] Sec. 102(1) (except in the case of certain air carriers or vessels and the premises of a United States mission).
[4] Sec. 102(1)(A). The litigation management provisions refer to “property damage” in the context of a cause of action which is not pertinent to the certification process or operation of the Program.
[5] Sec. 102(1)(B)(ii), (4), and (5).
[6] Sec. 102(5) (except in the case of certain air carriers or vessels and the premises of a United States mission).
[7] Insurer deductibles are typically in the hundreds of millions or even billions of dollars per year.
[8] We do have some insights into the arrangements struck between Three Belmont Insurance Company and Comcast. Three Belmont Insurance Company has issued to its parent three policies covering up to $427,233,582 in loss for the following premiums: (a) Property insurance for $72,757,832; (b) Terrorism insurance for $1,896,100; and (c) Nuclear, biological, chemical, and radiological terrorism insurance for $275,000.