Risk models show industry burden under TRIA

The extension of the federal Terrorism Risk Insurance Act represents solvency protection in extreme events but is not an industry subsidy, according to risk modeling experts at Risk Management Solutions and AIR Worldwide Corp.

While it is impossible to predict how much insured damage terrorists would cause in any specific year, the average annual loss retained by the industry under the new federal program should eclipse 90 percent any terrorism loss. There is a 10 percent chance of damages reaching deductibles if an attack occurs.

Industry estimates of losses from the Sept. 11, 2001 attack range from $30 billion to $40 billion, including about $20 billion in losses in New York City that would have qualified for coverage under TRIA had the law been in effect on that date.

Deductibles are rising from 17.5 percent to 20 percent of direct earned premium through the 2007 extension. At the same time, the government quota share on losses above retention is estimated to shrink from 90 percent to 85 percent.

At the end of 2007, companies could face bearing the risk with no government backstop. "The law amends the TRIA statute and includes higher insurer retention levels for 2006 and 2007," noted Jack Seaquist, senior manager at AIR. "However, while insurer retention will grow incrementally over the next two years, the program's expiration at the end of 2007 will result in a dramatic increase in insurers' loss retention in 2008, assuming no further government or industry solution is forthcoming."

AIR illustrated the legislation's impact by modeling three scenarios based on the portfolio of a typical medium-sized, multi-line property and casualty company. The sample company has a high concentration of exposures in major cities and $2 billion in total annual premiums.

A delivery truck bomb is detonated in a major U.S. city in the first scenario. The damage results in almost $12 billion in losses to the industry. The representative company would retain 100 percent of its $230 million total losses, since the deductible would not be reached in any year.

The second scenario suggests the detonation of a large truck bomb in a major U.S. city. This scenario results in a $40 billion loss for the industry. The representative company would retain $345 million of its $760 million total loss in 2006, more than $400 million in 2007, and all $760 million after the expiration of TRIA.

Finally, the third illustration is a chemical attack in a major U.S. city resulting in an $85 billion insured loss. The insurer would retain $407 million of its $1.4 billion total loss in 2006, nearly $500 million in 2007, and the full $1.4 billion after the expiration.

Risk at home and broad
The rise in deductibles and shrinking of government's role are coming at a time when the risk may be less at home but not abroad. "Near-term terrorism risk in the U.S. has decreased since the initial TRIA bill, mainly due to homeland counter-terrorism measures, but the Jihadist threat continues to rise worldwide," said Dr. Andrew Coburn, director of terrorism research at RMS.

RMS believes macro-attacks within the U.S. will remain a threat for many years with the possibility of a larger scale attacks increasing over time.

Government estimates its cost under terrorism insurance extension

The Congressional Budget Office is projecting a government cost of $1.5 billion through the next 10 years under the legislation extending the Terrorism Risk Insurance Act of 2005 (S. 467).

However, despite weighing averages reflecting the probabilities of various outcomes, future attacks still possess an inherent unpredictability and costs could vary greatly from the estimate, according to CBO. "There is no reliable way to predict how much damage might be caused in any specific year," the agency added.

S.467 extended the federal backstop for terrorism losses until the end of 2007. For government assistance under the extended TRIA to be triggered, the attack must be committed by a foreign interest and cause damages of at least $50 million. In 2007, the damage requirement swells to $100 million. Coverage excludes commercial auto, burglary, surety, professional liability, and farm owners' multiple peril. Policies may not cover losses from events involving nuclear, biological, or chemical materials. Experts say losses from the excluded lines are unlikely to significantly affect average annual losses. Losses similar in scale to those sustained on Sept. 11, 2001, (an estimated $20 billion) are likely to occur very rarely. The estimated increased governmental receipts to $150 million throughout 2006-2010 and $720 million over the next 10 years.

Between 2006 and 2010, the TRIA extension will cost the federal government $1.4 billion, and between 2006 and 2015, an estimated $1.5 billion, according to CBO.

The Department of Treasury has the ability to recoup costs through surcharges. CBO estimates that the government might eventually collect total surcharges of $1.6 billion.

64% of firms suffer loss due to cyber incidents

The FBI reports that 9 out of 10 organizations in the country are victims of some sort of computer security incident, and one-fifth are hit more than 20 times a year.

Almost two-thirds suffer financial loss as a result of the cyber incidents.

The 2005 FBI Computer Crime Survey is based on responses from a cross-section of more than 2,000 public and private organizations. Among its findings:

Frequency of attacks. Nearly nine out of 10 organizations experienced computer security incidents in a year's time; 20% of them indicated they had experienced 20 or more attacks.

Types of attacks. Viruses (83.7%) and spyware (79.5%) headed the list. More than one in five organizations said they experienced port scans and network/data sabotage.

Financial impact. Over 64% of the respondents incurred a loss. Viruses and worms cost the most, accounting for $12 million of the $32 million in total losses.

Sources of the attacks. They came from 36 different countries. The U.S. (26.1%) and China (23.9%) were the source of over half of the intrusion attempts, though masking technologies make it difficult to get an accurate reading.

Defenses. Most said they installed new security updates and software following incidents, but advanced security techniques such as biometrics (4%) and smart cards (7%) were used infrequently. In addition, 44% reported intrusions from within their own organizations, suggesting the need for strong internal controls.

While most companies are well aware of the threats the cyber crimes pose to their computer systems and data bases, many may be unaware of the availability of coverage to help deal with the damages caused by attacks after they've occurred.

"Companies spend a great deal of money on the technology to protect themselves from such attacks. But the majority are unaware of the fact that there are policies out there which are designed to cover some of the risks companies face," noted Marcus Breese, Lloyd's broker with Hiscox Technology. According to Lloyd's, the type of coverage available varies from the very general to quite specific.

Risk models show industry burden under TRIA

The extension of the federal Terrorism Risk Insurance Act represents solvency protection in extreme events but is not an industry subsidy, according to risk modeling experts at Risk Management Solutions and AIR Worldwide Corp.

While it is impossible to predict how much insured damage terrorists would cause in any specific year, the average annual loss retained by the industry under the new federal program should eclipse 90 percent any terrorism loss. There is a 10 percent chance of damages reaching deductibles if an attack occurs.

Industry estimates of losses from the Sept. 11, 2001 attack range from $30 billion to $40 billion, including about $20 billion in losses in New York City that would have qualified for coverage under TRIA had the law been in effect on that date.

Deductibles are rising from 17.5 percent to 20 percent of direct earned premium through the 2007 extension. At the same time, the government quota share on losses above retention is estimated to shrink from 90 percent to 85 percent.

At the end of 2007, companies could face bearing the risk with no government backstop. "The law amends the TRIA statute and includes higher insurer retention levels for 2006 and 2007," noted Jack Seaquist, senior manager at AIR. "However, while insurer retention will grow incrementally over the next two years, the program's expiration at the end of 2007 will result in a dramatic increase in insurers' loss retention in 2008, assuming no further government or industry solution is forthcoming."

AIR illustrated the legislation's impact by modeling three scenarios based on the portfolio of a typical medium-sized, multi-line property and casualty company. The sample company has a high concentration of exposures in major cities and $2 billion in total annual premiums.

A delivery truck bomb is detonated in a major U.S. city in the first scenario. The damage results in almost $12 billion in losses to the industry. The representative company would retain 100 percent of its $230 million total losses, since the deductible would not be reached in any year.

The second scenario suggests the detonation of a large truck bomb in a major U.S. city. This scenario results in a $40 billion loss for the industry. The representative company would retain $345 million of its $760 million total loss in 2006, more than $400 million in 2007, and all $760 million after the expiration of TRIA.

Finally, the third illustration is a chemical attack in a major U.S. city resulting in an $85 billion insured loss. The insurer would retain $407 million of its $1.4 billion total loss in 2006, nearly $500 million in 2007, and the full $1.4 billion after the expiration.

Risk at home and broad
The rise in deductibles and shrinking of government's role are coming at a time when the risk may be less at home but not abroad. "Near-term terrorism risk in the U.S. has decreased since the initial TRIA bill, mainly due to homeland counter-terrorism measures, but the Jihadist threat continues to rise worldwide," said Dr. Andrew Coburn, director of terrorism research at RMS.

RMS believes macro-attacks within the U.S. will remain a threat for many years with the possibility of a larger scale attacks increasing over time.