Terrorism reinsurance backstops Pool Re and TRIA were set up within different contexts and the two structures have evolved differently. David Benyon reports

Twin Towers on September 11

The terrorism threat landscape is constantly changing. Heightened cyber threats, vehicles as weapons, lone wolf attacks and returning foreign fighters are all major concerns. The re/insurance sector’s role in countering it also continues to change. Protections such as cyber and non-physical damage business interruption (NDBI) have risen to the fore.

The US and UK have acknowledged the changing environment in recent months in their respective reinsurance guarantees for terrorism risk. The two commercial reinsurance backstops the two countries have developed, the Terrorism Risk Insurance Programme (TRIP) and Pool Re respectively, are different.

But both systems are designed for the same basic purpose: to provide shared public-private compensation for insured losses from acts of terrorism, to add resilience the economy and for the insurance sector should the worst happen.

Responding to terror

Pool Re was set up in 1993, born out of the IRA’s mainland UK bombing campaign, and specifically the 1992 Baltic Exchange bomb. That event led to reinsurers withdrawing cover for terrorism-related damage, with insurers compelled to follow suit. Premium is paid up front by insurers to Pool Re.

After 9/11, Pool Re’s cover was extended from fire or explosion to an “all risks” basis in 2002, and exclusions for chemical, biological, radiological or nuclear (CBRN) were removed. Pool Re’s fund stood at almost £6.5bn ($8.3bn) at the start of 2018, with UK Treasury backing, as well as $2.1bn of retrocession by commercial reinsurers.

In the US, TRIP was a direct response to the 9/11 attacks, which caused huge reinsurance losses. Then US President George W Bush signed the Terrorism Risk Insurance Act (TRIA) into law just over a year afterwards.

“TRIA has capped liability and stabilised the availability of coverage. It’s been broadly effective,” says says Frank Nutter, president of the Reinsurance Association of America (RAA).

The law, under which the US Treasury provides a promise to pay for property and some liability classes, but collects no premium, was designed to be temporary, to provide stability of re/insurance coverage available in the period after the fall of the World Trade Center’s twin towers. Nearly two decades and two renewals later, TRIP still stands.

“We’re very supportive of TRIP. When TRIA was first conceived, they looked at Pool Re but the Bush administration ultimately rejected that model,” says Bob Woody, vice president responsible for policy at the Property Casualty Insurers Association of America (PCI).

“One reason is that the government wanted a temporary programme and thought it would be difficult to extricate itself if it was an active market participant. Another concern was tying up capital and taking it out of the economy. The two programmes serve a similar purpose, but with different policy priorities, and different approaches to the problem,” he adds.

Some reinsurers have suggested TRIA’s lack of industry funding amounts to free reinsurance. “Every time gets reorganised, some critics say the private insurance sector is getting free reinsurance from the government,” says Woody. “Insurers have accepted a quid pro quo when they are obligated to offer terrorism coverage even when they don’t want to, but they still get this government backstop.”

Officials from the US and UK programmes have maintained regular correspondence. “One of the caveats inserted into the renewal of TRIA is that the US Treasury’s Federal Insurance Office (FIO) would be responsible for reviewing comparable arrangements around the globe,” says Julian Enoizi, chief executive of Pool Re. “They produced a report two years ago reviewing the pools around the world and reviewed the options for of a pre-funding model or a post-funding model like TRIA.”

But how do the systems stack up in today’s world? In the UK, the topic is much less politicised. Pool Re has made several changes to its backstop in 2017-2018. In the US industry lobbying is vociferous about making any changes. Under the Trump administration the FIO is already sounding out the industry, looking to address TRIP-related questions ahead of its renewal deadline at the end of 2020.

Cyber & NDBI risks

Cyber risk, whether standalone or packaged with other risks, is considered part of TRIP’s definition of terrorism for the lines of commercial property and liability business (including workers’ compensation) covered by TRIA. Confirmation of this came with the release of the FIO’s latest report on the effectiveness of the programme, issued in June this year.

“Depending upon the specific circumstances presented, malicious cyber activity could potentially constitute an act of terrorism under TRIA,” stated the FIO report. “As a result, to the extent cyber insurance is written under a policy that is within the definition of “property and casualty insurance” under TRIA…the provisions of TRIA apply to such policies. Treasury’s guidance states that TRIP and the requirements of TRIA will apply to any policy, including a standalone cyber policy, written in a line of insurance that is subject to the Program.”

In April 2018, the RAA wrote an open letter to the FIO in advance of its report, stating that “cyber risk is an exposure that needs further clarity in the context of coverage under TRIP…TRIP does not address how cyber-terrorism is defined…or how the loss trigger would work.”

The reinsurance industry still wants further clarification and more detail. Questions remain about TRIP’s response to an incident of cyber-terrorism, thinks Nutter, author of the RAA letter to the FIO.

“It’s not at all clear that if there was a major impact on the electricity grid or shutdown of the internet, with a broad impact across the economy, how widely TRIA could be used,” Nutter told GR. “The industry is worried about a Black Swan scenario with wide-reaching consequences. Cyber liabilities, for example, can be classed as an act of terrorism.”

Representing the primary market, PCI is broadly satisfied by TRIP, but acknowledges lingering cyber uncertainties. “Questions are swirling around,” says Woody. “Particularly in the case of cyber there is some concern. Cyber is eligible for the TRIA backstop but part of the problem is that a lot of cyber is written as liability coverage. Among the series of TRIA-covered lines, professional liability is not one of them.”

In the UK, Pool Re is also moving to address cyber and NDBI questions. Its cyber exclusion has already been removed since April, relating to material damage and direct business interruption. Its expanded retro deal with a panel of 47 private reinsurers now includes this cyber risk, and transfers some it back into the market.

Intangible assets at cyber risk remain covered by the private cyber market, but incoming government legislation, expected by the end of 2018, will add NDBI to its umbrella. Details of future Pool Re NDBI protection remain to be seen.

“It’s expected Pool Re will begin to compete more in this space,” says one insurance broker, speaking to GR. “It looks like it will begin to cover some of the major issues around non-damage, perhaps even loss of attraction resulting from terror events. However, there’s also a growing market appetite for NDBI in the private market.”

In the US, TRIP applies to events causing losses at least $5m and works to a $100bn cap, and any attack, physical or digital, needs to be classified as terrorism by the government. The Boston bombings in 2013, for example, were not classified as a terrorism event. In that case, the direct material damages were low, but the NDBI costs for such an event or from a cyber event, such as disruption to infrastructure, inaccessibility and associated drops in revenue, could be much higher.

Tripping 2020

An obvious gap in coverage in the US would be a delay in TRIP’s reauthorisation The industry broadly supports renewal. However, there are precedents. In January 2015 there was a 12-day delay before 2007’s Terrorism Risk Insurance Program Reauthorization Act (TRIPRA) was renewed.

“Any lapses would be extremely disruptive,” says Nutter. “If TRIA were not to be reauthorised on time, companies would have to evaluate whether or not they would continue to offer the coverage.

The National Flood Insurance Program (NFIP) provides a further example of disruption caused by gaps in renewal. “The NFIP has routinely seen short-term extensions and lapses,” says Nutter. “The most notable change was that getting mortgages on properties was suspended, because flood insurance is required if the bank or lender has federal backing.”

PCI’s Woody thinks it’s too early to tell how long TRIA will be renewed for, but that so far it looks like the FIO has a good grasp on matters at this stage, to avoid “confusion and uncertainty” in 2020.

“We’re making the case to Congress that this is something to avoid and act sooner rather than later. I would have said a gap was unlikely until the last TRIA authorisation when we had a brief gap. There’s always concern but signs so far indicate there’s a good understanding,” says Woody.

Reinsurance void

The US Treasury has established an Advisory Committee on Risk-Sharing Mechanisms (ACRSM), tasked with advising ways to shift terrorism risk insurance from the government to the private market.

The FIO’s report in June found that private reinsurance capacity for terrorism risk has improved significantly in the years since 9/11. Some reinsurers have offered terrorism as part of coverage principally devoted to natural catastrophe risks. Others have taken it on separately, witness Pool Re’s retro panel or steps taken to transfer NFIP risk to the private market.

“A big question is whether the federal government is interested in risk transfer risk related to TRIA into the private sector,” says Nutter. “In testimony the private sector has indicated willingness to take on more risk, but at present there is no answer on that.”

TRIP has gradually handed more risk to the private market, Woody notes. “Every time it’s renewed, there are discussions about making changes. Incrementally each time, the insurer deductible and the programme trigger keep going up, which means the industry takes more of the risk, before the government programme would kick in,” he says.

Despite this, the aggregation risks presented by terrorism, and lack of mature catastrophe risk models to measure their likelihood and severity, continue to limit reinsurance capacity. CBRN concentration risk still lies beyond the scope of what reinsurers would be willing to accept. Cyber reinsurance carries aggregation worries. In short, capacity would still run dry, and schemes like TRIA and Pool Re are still necessary.

“A few reinsurers feel the federal programme crowds them out, but we don’t think the private reinsurance market would be willing to fill the void,” says Woody. “Generally speaking, people are singing from the same hymn sheet. Usually there are some changes around the fringes; we’ll just have to wait and see what they are.”