The nation’s lawmakers should consider adding cyber terrorism to the federal Terrorism Risk Insurance Act (TRIA) when they renew that reinsurance program, advises Michael Chertoff, former homeland security chief under President George W. Bush.
“It’s better to clarify now, not later. Put that on the table,” he recently said of the current debate in Congress over the renewal of TRIA, which expires at the end of next year.
The former judge and U.S. attorney cautioned that there could be “terrorism fatigue and anti-government bailout mindset” among some in Washington who question the need for TRIA.
“A financial crisis is very different from terrorism,” Chertoff added.
He said that that while the private insurance industry has a role to play in terrorism risk management, it can’t handle the risk alone. “I don’t think anyone believes the private sector is responsible for stopping terrorism,” he said.
Chertoff, who was a keynote speaker at the recent Property Casualty Insurers of America annual meeting in Boston, now heads Chertoff Group, a risk and security consulting firm.
In a review of the current risk landscape of manmade and natural disasters—including the 9/11 attacks, Hurricane Katrina and conflicts in the Middle East—Chertoff identified cyber terrorism as the biggest risk of all.
He urged government and business to come to an agreement on information-sharing and system standards to help manage cyber thefts and attacks.
He said such pacts should provide corporations with confidentiality and a “safe harbor” from liability if they agree to share information about attacks they have suffered.
Corporations opposed to the government setting minimum standards for cyber security might want to consider the risk of a jury imposing even stricter standards should there be a cyber attack involving many deaths and lots of damage, Chertoff said.
He stressed that risk management before an event is more important than paying claims after one. “You can manage but not eliminate risk,” he said.
Chertoff identified the biggest danger for risk management is “overplaying the risks that have occurred and downplaying ones that haven’t.”
He said it “would be a big mistake to think that what hasn’t happened couldn’t happen.”
Despite warnings, the U.S. was not as prepared as it should have been for the 9/11 attacks, according to Chertoff. As so often happens, he said, it takes a catastrophic event to “crystallize the will power.”
Similarly, with respect to Hurricane Katrina, there was “bad risk management” before the storm for which the country paid a high price. For example, he said there were plans for gates that might have prevented some of the flooding in New Orleans, but the gates were not installed because citizens complained they were ugly. Several years later, in 2008, the gates were in place for Hurricane Gustav and prevented flooding.
In the fight against terrorism, he said the U.S. must not kid itself because it has had some success in stopping some attacks. The enemy is “constantly adapting” and is now more dispersed, with smaller groups that can fly under the radar, are more local and harder to track, making local intelligence gathering more important than ever, he said.
Cyber is the biggest threat, with thefts occurring every day and China and others gaining competitive advantage by stealing intellectual property, according to the security expert.
He told the insurance executives that it is not only defense information that is being stolen but also information on infrastructure and energy systems, businesses and individuals, algorithms and formulas.
Cyber attacks are also being used as a political weapon—as hacktivists like Anonymous seek to penetrate and embarrass organizations.
“This issue affects enterprise,” Chertoff said, stressing that the “loss of confidence is potentially staggering.”
The culture of building risk management upfront is important, he said, and insurance can play a critical role in driving behaviors that mitigate cyber risk as it has done in fire safety and auto safety.
In the area of cyber risk management, Chertoff urged a legislative framework that would include increased information sharing when attacks or threats occur, a safe harbor for those reporting, standards for systems, and some liability protections.