The Treasury Department wants feedback on how it should consider cyber events that occur outside the U.S. in officially folding cyber events into a national reinsurance program created to buttress insurance companies in the wake of the attacks on Sept. 11.
After the terrorist attacks in 2011, companies found it difficult to secure insurance policies for property and casualties, according to a Federal Register notice set to publish Tuesday. So Congress passed the Terrorism Risk Insurance Act which required companies, under a temporary program, to make their policies available along with the disclosure of premiums and losses. In exchange, the government would establish triggers and caps for stepping in and supplementing payouts.
Congress has consistently reauthorized the program, including with the Terrorism Risk Insurance Program Reauthorization Act of 2019 which extended it through December 2027.
In accordance with the new law, Treasury issued a request for comment on its proposal to incorporate its own 2016 guidance describing certain types of standalone cyber insurance policies that should be eligible under the program and asked some new questions.
“We request comment on: (a) Whether cyber events outside the United States can inflict cyber-related losses within the United States that qualify as ‘damage within the United States’ for purposes of TRIA; (b) To the extent such cyber events can be said to inflict losses that qualify as ‘damage within the United States,’ whether such losses may also be subject to compensation under the terrorism risk insurance pools or arrangements of other jurisdictions; and (c) How Treasury could evaluate such losses representing ‘damage within the United States’ from a certification standpoint, particularly if the causative cyber events in question take place outside the United States,” the notice reads.
The program only applies to “certified” acts of terror, which carry a threshold of $5 million in property and casualty policy losses.
The congressionally created Cyberspace Solarium Commission recommended in March that the government “do more to further define what types of cyber events fall under the TRIA umbrella and what types of events should remain covered by insurance companies themselves.”
The notice also asks broader questions about how the program might be adjusted, including with prescribed time periods and processes for certifications.
Comments are due in 60 days.