It’s good news to see that a generally “clean” re-authorization of TRIA, with bipartisan support, is in the works in advance of Jan. 1 policy and treaty renewals. Remember, the program provides liquidity, not coverage, to participating insurers, who have to repay the Treasury. I have questions about the program trigger, which requires determinations about the motivations of attackers, but there’s no reason that cannot be addressed later on.
Regarding what’s new in the re-authorization, here’s nothing wrong with authorizing a study of the risk of “cyber-terrorism,” provided that it not compound the semantic but potentially substantive confusion about what constitutes “terrorism.” Certainly, if attackers use cyber methods to kill unsuspecting civilians, that constitutes an act of terrorism, just as if they had used any other means of attack. But “cyber-attacks” in themselves are not terrorism–they’re sabotage, albeit sabotage on steroids.
This semantic distinction matters because undeniable acts of terrorism, such as the Paris attacks of November 2015, might not trigger TRIA coverage because there is little damage to property. On the other hand, cyber attacks, even without human casualties, can trigger large losses under some lines covered by TRIA. Are we to reimburse (temporarily) cyber losses caused by political actors, but not those caused by criminals?
Clarity on these matters is needed–AFTER the program is reauthorized.
It’s good news to see that a generally “clean” re-authorization of TRIA, with bipartisan support, is in the works in advance of Jan. 1 policy and treaty renewals. Remember, the program provides liquidity, not coverage, to participating insurers, who have to repay the Treasury. I have questions about the program trigger, which requires determinations about the motivations of attackers, but there’s no reason that cannot be addressed later on.
Regarding what’s new in the re-authorization, here’s nothing wrong with authorizing a study of the risk of “cyber-terrorism,” provided that it not compound the semantic but potentially substantive confusion about what constitutes “terrorism.” Certainly, if attackers use cyber methods to kill unsuspecting civilians, that constitutes an act of terrorism, just as if they had used any other means of attack. But “cyber-attacks” in themselves are not terrorism–they’re sabotage, albeit sabotage on steroids.
This semantic distinction matters because undeniable acts of terrorism, such as the Paris attacks of November 2015, might not trigger TRIA coverage because there is little damage to property. On the other hand, cyber attacks, even without human casualties, can trigger large losses under some lines covered by TRIA. Are we to reimburse (temporarily) cyber losses caused by political actors, but not those caused by criminals?
Clarity on these matters is needed–AFTER the program is reauthorized.