Yesterday, President Obama unveiled new data protection and cyber security legislative proposals aimed at enabling public-private sector information sharing, establishing a national standard for data breach notification and modernizing law enforcement authorities to combat cyber crime. The President is looking to capitalize on a sense of urgency on the heels of the Sony Hack and, 2014, a year that will go down as a tipping point in the proliferation of cyber attacks and breaches. There is certainly skepticism that this package is a retread in many ways.
The legislative proposals are similar to congressional legislation that has been languishing on Capitol Hill – in part over privacy concerns and in part over concerns that compliance-based solutions will fail to create an adaptive and collaborative structure that would allow the public and private sectors to advance risk management models capable of managing cyber security threats as they continue to evolve.
The Council is monitoring developments closely for the impact these proposals may have on the strengthening cyber insurance market. Constructive and balanced approaches to better information sharing is needed and we have growing confidence from signals made this week by Republicans that this is an issue they will take up sooner rather than later. Six cyber or data security-related bills (5 in the House, 1 in the Senate) have already been introduced in the 114th Congress. These are markers, and a good sign that cyber will be a priority issue.
“Recent events certainly underscore the need, again, to tackle cyber security,” said Majority Leader Mitch McConnell yesterday. “It’s been very complicated with a lot of jurisdictional crosscurrents in the Senate; we’re going to make another run at breaking through that problem and getting something the president can sign,” he added, referring to the deadlock over congressional turf that helped doom a passel of cyber bills in the last Congress.
Stay in the loop by visiting The Council’s Cyber Roundup at cyber.ciab.com for the latest cyber risk news and developments in DC and in the insurance market.
Meanwhile, on TRIA …
By now, of course, all know that Congress passed a TRIA “extension” program last week and the President signed it into law on Monday, resulting in a 12-day lapse in the program.
As we previously noted, we are working with the Federal Insurance Office – a Treasury Department office that now oversees the TRIA program – to clarify as follows:
- If an insurer had a conditional exclusion dictating that if TRIA goes away the terrorism coverage expires and the insurer chooses not to exercise that right, the coverage will remain in place and the insurer will be deemed to have satisfied all program requirements for that coverage. (We also have asked this to apply to policies that have changed terrorism terms/conditions upon TRIA expiration that carriers opt not to exercise.)
- To address the marketplace confusion (which carriers have effectuated their exclusions and which opted not to on the expectation that the program would be renewed as it now has been), we have asked FIO to issue guidance stating that the exclusions will be deemed to have not been exercised (i.e., the coverage remains in place) unless the insurer has affirmatively notified the policyholder that the exclusion was exercised. (We have asked that this same deemer rule apply to policies that had changed terms/conditions that went into place upon TRIA expiration.)
- Any offers of terrorism coverage that were made in 2014 for 2015 coverage that were rejected by the policyholder will be sufficient under the new rules and no new offer need be made.
- Mandatory TRIA notices provided in 2014 that complied with the rules then in effect need not be updated to incorporate the new technical details (i.e., new Act name/date) until renewal.
We have no idea as to whether this effort for regulatory guidance will be successful (and rapid issuance of regulatory guidance is always a tough hill to mount).
In our alert that went to members noting the passage of TRIA last week, we made a mistake. We included a statement from Rep. Randy Neugebauer (R-TX), last year’s chairman of the Financial Service Committee’s Insurance Subcommittee, in the Congressional Record that indicated an intent for the program to continue unimpeded. In reality, while we had SOUGHT such a statement as a perceived helpful matter, the fact is that Congressman Neugebauer did not make any such statement. We regret that mistake, especially as the congressman has been a tremendous champion on a multitude of issues and TRIA renewal could not have been achieved without him.
Nonetheless, we continue to underscore that the law is NOT retroactive to Jan. 1. This has special relevance for “gap” plans that were secured during the lapse.
Meanwhile, the President now has 88 days remaining to appoint members of the governance board of the new National Association of Registered Agents and Brokers. The board will have 13 members, eight of whom will be state insurance regulators selected from a slate proposed by the National Association of Insurance Commissioners, and five of whom are other stakeholder representatives. We’ll be meeting with our coalition partners in the coming days to help move this process along expeditiously.