Federal Insurance Office Issues Guidance On Stand-Alone Cyber Liability Insurance Policies Under the Terrorism Risk Insurance Program

 

During late December 2016, the Federal Insurance Office issued guidance on Stand-Alone Cyber Liability Insurance Policies Under the Terrorism Risk Insurance Program. 

To view the guidance document in its entirety on the Federal Register, click here.

The guidance pertains to the Terrorism Risk Insurance Program (“TRIP”) under the Terrorism Risk Insurance Act of 2002, as amended (“TRIA” or “the Act”) relating to how insurance recently classified as “Cyber Liability” for purposes of reporting premiums and losses to state insurance regulators will be treated under TRIA and the U.S. Treasury’s TRIP regulations.

It addresses the application of certain TRIA provisions and TRIP regulations with respect to certain insurance policies covering cyber-related risks.

About TRIA

TRIA was enacted following attacks on the United States on September 11, 2001 to address disruptions in the market for terrorism risk insurance, as well as to help ensure the continued availability and affordability of commercial property and casualty insurance for terrorism risk, and to allow for the private markets to stabilize and build insurance capacity to absorb any future losses for terrorism events.

TRIA requires insurers to “make available” terrorism risk insurance for commercial property and casualty losses resulting from certified acts of terrorism (insured losses), and provides for shared public and private compensation for such insured losses.  TRIP has been re-authorized three times, most recently on January 12, 2015 when President Obama signed into law the Terrorism Risk Insurance Program Reauthorization Act of 2015, extending TRIP until December 31, 2020.

TRIA requires participating insurers to “make available” terrorism risk insurance in connection with “property and casualty insurance” as defined in the Act.  By regulation, the U.S. Treasury (which administers the law through the Federal Insurance Office) has further defined “property and casualty insurance” by reference to the classification of certain lines of commercial insurance set forth in the National Association of Insurance Commissioner’s Exhibit of Premiums and Losses (commonly known as Statutory Page 14).

Insurance reported on Statutory Page 14 under “Line 17-Other Liability” is generally subject to TRIP.  However, insurance reported on that page as “Professional Errors and Omissions Liability Insurance”–a sub-line within “Other Liability” for state regulatory purposes–is expressly excluded from TRIP by the Act.  Under the TRIP regulations, “professional liability insurance” is defined consistently with “Professional Errors and Omissions Liability Insurance” as that term is defined for state law purposes.

Cyber risk insurance is a broad term that includes insurance products covering risks arising “from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks,” as well as “physical damage that can be caused by cyber attacks, fraud committed by misuse of data, any liability arising from data storage, and the availability, integrity, and confidentiality of electronic information.

Cyber risk insurance remains an evolving insurance market, both in terms of product development and regulatory oversight.  Certain insurance policies that may contain a “cyber risk” component or which do not exclude losses arising from a cyber event continue to be written in existing TRIP-eligible lines of insurance and are thus subject to TRIP’s provisions. 

Prior to 2016, some insurers that wrote stand-alone cyber risk insurance may have offered and reported it for state regulatory purposes as Professional Errors and Omissions Liability Insurance, which, as noted above, is expressly excluded under TRIA from the definition of “property and casualty insurance.”

As of January 1, 2016, however, state regulators introduced a new sub-line of insurance, identified as “Cyber Liability,” under the broader “Other Liability” line.  “Cyber Liability” is defined for state regulatory purposes as follows:

Stand-alone comprehensive coverage for liability arising out of claims related to unauthorized access to or use of personally identifiable or sensitive information due to events including but not limited to viruses, malicious attacks or system errors or omissions.  This coverage could also include expense coverage for business interruption, breach management and/or mitigation services.  When cyber liability is provided as an endorsement or as part of a multi-peril policy, as opposed to a stand-alone policy, use the appropriate Sub-TOI of the product to which the coverage will be attached.

This Guidance confirms that stand-alone cyber insurance policies reported under the “Cyber Liability” line are included in the definition of “property and casualty insurance” under TRIA and are thus subject to the disclosure requirements and other requirements in TRIA and the TRIP regulations as specified in the guidance here.

 

 

Should you have any questions or comments, please contact Colodny Fass.

 

 

Click here to follow Colodny Fass on Twitter (@ColodnyFassLaw)

 

 

 

 

 

To unsubscribe from this newsletter, please send an e-mail to colodnyfassnews@gmail.com.