chevron-down Created with Sketch Beta.
August 09, 2021 Insurance Regulation

Editorial: Cybersecurity Damage Could Become Very Large –The U.S. Government Should Consider A TRIA-Like Layered Private & Government Insurance Solution

Eric D. Gerst, Esq.
Insurance Regulation Committee

Insurance Regulation Committee

Insurance Regulation Committee Newsletter Spring 2021

[Editors Note: The opinions in this Editorial are solely those of the author, and do not necessarily represent the opinions of the American Bar Association, or any officer, staff, committee or other entity or individual]

The age of cybersecurity has become front and center in the minds of most individuals, businesses, and governments. How do we protect against hacking, phishing, malware, ransomware, or other destructive or disruptive forces, whether the perpetrator be individual or a group, domestic or foreign? How does an individual, businesses or governments pay for damages resulting from this growing criminal threat? Where will it strike next? What enforcement procedures do we have in place to deter cyber damage? Should there be a universal federal law enacted to fund the policing of our Internet and other electronic communication, or should it be left to the states?

Many states are wrestling with the problem as to how big the cybersecurity damage might be, and some states have already created regulations for those domiciled in their states.

Eric D. Gerst

Most importantly, what is the mechanism to pay for cyber damage? Many states are wrestling with this problem. Recently New York State has become the first state in the nation to issue regulations for cybersecurity for companies doing business in New York State. The New York State regulation prescribes fines for its full violation, and has already enforced fines against corporations . Other states are reviewing and some are adopting, the National Association Of Insurance Commissioners (NAIC) Model Law. Articles about cybersecurity and cyber insurance appear in this issue of the IRC newsletter. The newest question is whether cyber insurance will become so expensive and unavailable in the private sector, that Congress will need to adopt a TRIA-like solution to provide several layers of cyber insurance. The Terrorism Risk Insurance Act of 2002 (TRIA), and extended several times , now expiring on December 31, 2027, has as its core a concept of several layers of insurance, both private and government. The first layer in TRIA is private insurance, then the second layer is by government, and the third level is by private insurance. This private-public-private insurance concept has allowed insurance to be written on many high-rise construction projects, among others . Without this insurance many large projects in urban areas would never have been able to be obtain insurance covering terrorism. TRIA has worked well , and it is recommended that Congress consider this TRIA-like layered approach for cybersecurity and cyber damage. It is noteworthy that in The Terrorism Risk Insurance Program Reauthorization Act of 2019 (P. L. 116 94), which extends TRIA for seven years through December 31, 2027, acknowledges that Congress is recognizing the important and emerging issue of cyber. The Act requires the U.S. General Accountability Office (GAO) to conduct a study on cyber terrorist risks, including determination of whether the current coverage for cyber under property and casualty insurance is adequate, whether the private insurance market’s ability to adequately price cyber risks, the potential costs of cyber attacks; and to consider whether the TRIA structure [private insurance-government layer -private insurance layer] is appropriate to cover cyber terrorism. As of May 2021 the GAO study has not yet been completed or released. Several “white paper” studies and otherf articles published recently in The Insurance Journal and other media outlets clearly favor a layered private and government insurance program, similar to TRIA. This editorial is in favor of a TRIA-like structure of private and government insurance to cover the growing risk of significant cyber terrorism damage. There must be a solution put in place – soon.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

Eric D. Gerst

Insurance Regulation Committee Newsletter Editor

Eric D. Gerst is a published author, attorney and legal consultant concentrating in insurance, finance, litigation and transportation, with offices in the suburbs of Philadelphia, Pennsylvania. His first book, published in April 2008, predicted the collapse of the insurance industry and the severe problems in the overall financial industry. The book appeared as #1 on’s Bestseller List For Business Insurance. He is completing a second book on the aftermath of the Great Recession of 2008, expected to be released in late 2021 or 2022. He is a member of the Philadelphia, PA, DC, & NYC bars, and has been admitted to practice before the Supreme Court of the United States. He holds an AV Preeminent Rating (the highest rating possible for legal ability and ethical standards) from Martindale Hubbell. He is member of the ABA Tort Trial And Insurance Practices Section (TIPS), and Vice Chair and Newsletter Editor of the ABA TIPS Insurance Regulation Committee (IRC). Gerst was also a participant on the American Bar Association Task Force FIIRM (Federal Involvement In Insurance Regulatory Modernization). He has been a panelist at the ABA TIPS symposium on the topic of state or federal regulation of the insurance industry. He is a planning/faculty member for an upcoming ABA TIPS IRC podcast on the subject of cyber security and cyber insurance. Mr. Gerst can be reached at [email protected].