Can cyber insurance cover acts of cyber terrorism?

The politically charged nature of terrorism means that the biggest risk to insurers may be a government's willingness to label something terrorism in the first place.


When the twin towers fell on 9/11, insurance carriers paid out claims of 44 billion dollars, and then decided they really didn't want to insure tall buildings in Manhattan against terrorism anymore, thank you very much.

Alarmed, the US government created TRIA, the Terrorism Risk Insurance Act, a government-funded backstop for private insurance carriers offering terrorism policies. If another large-scale terrorist attack, officially certified as such by the US government, results in insured losses of more than $180 million (in 2018), TRIA will pay up to $100 billion—with a “b.”

The US modeled TRIA on Pool Re (the "Re" is for reinsurer), a similar program pioneered by the UK following IRA bombings in the early 1990s, including the 1993 IRA bombing at Bishopsgate, then the costliest terrorist attack of all time with losses of more than a billion dollars. In the event of a terrorist attack in the UK, Pool Re pays out to the affected insurance carriers once losses exceed a certain threshold.

Today, governments and insurance carriers are struggling with how to insure against similar acts of terrorism—depending on your definition of the "t"-word—in the cyber domain. An attack on cyberphysical systems could cause significant property damage and even loss of life, but most cyber terrorism policies exclude physical damage. Destruction of a mission-critical database might be covered, for example, but if your chemical plant blows up, that's probably not covered under existing policies.

In a move that acknowledges this growing risk, Pool Re announced in April 2018 that it now covers acts of cyber terrorism that result in physical destruction. Just one catch: Pool Re only pays out if the UK government publicly labels a particular act "terrorism."

What exactly is terrorism, anyway?

Consider Stuxnet. As we all know now, Stuxnet was a targeted act of clandestine violence conducted by the US and Israeli secret police against Iran that resulted in damage to cyberphysical systems. The attack was explicitly intended to coerce that country's politics.

By any reasonable definition, Stuxnet was terrorism. But because nothing the US ever does can be considered "terrorism," even when it causes terror, destruction of property, loss of life, and so forth, we don't use the dreaded "t"-word.

The politically charged nature of terrorism, therefore, means that the biggest risk to insurers may be a government's willingness to label something terrorism in the first place.
