Cyber insurance has been evolving over the past twenty years. Policies that contain cyber coverage within the policy providing other coverage have been within the standard lines and have been included under the parameters of the TRIP program. As stand-alone cyber policies have been developed, they were included under the errors and omissions liability category and excluded under TRIA from the definition of property and casualty insurance. In 2016 a new sub-line was developed for cyber liability. It is defined as stand-alone coverage for liability "arising out of claims related to unauthorized access to or use of personally identifiable or sensitive information due to events including but not limited to viruses, malicious attacks or system errors or omissions." Coverages that could be included within the cyber coverage are business interruption, breach management or mitigation services. Therefore stand-alone cyber policies are not included as property or casualty insurance TRIA, and must adhere to those provisions.

 For in-force policies, the insurer must offer coverage subject to disclosures under a certain section of the guidance (31 CRF 50 subpart B) or demonstrate that the property disclosures were provided to policyholders before the date of certification of an terrorist acts. Remember, under TRIA acts must be certified by the Secretary of Treasury as terrorist acts before coverage can be claimed under TRIA. Also, if a carrier did not make any offers of coverage to in-force policyholders reported under the Cyber Liability section, it is not required to do so now.

 Effective April 1, 2017, insurers must provide disclosures and offers for new and renewal cyber liability policies that comply with the TRIA and TRIP requirements. Stand-alone policies reported under TRIP-eligible lines of business must adhere to the TRIP requirements.

 Confusion over the guidance can exist in a number of ways. Carriers that issued stand-alone cyber policies without offering terrorism coverage or exclusion terrorism coverage will not be covered by TRIA in event of a terrorist act unless the proper disclosures have been send to insureds. These notices may be made mid-term, and carriers may want to do so in order to protect themselves and insureds in event of a loss.

 On stand-alone cyber policies issued before April 1, 2017, that exclude terrorism, the exclusions will stand unless midterm disclosures have been made and coverage has been purchased that provides such coverage. However, with the re-designation of stand-alone cyber policies, such actions must be made at renewal.

 As of April 1, 2017, per the new guidance, new and renewal policies must provide disclosures on terrorism coverage. Any policies written after April 1, 2017, with a terrorism exclusion may find that the exclusion could be declared invalid and that the TRIA backstop would not apply as the policy was not compliant. A copy of the guidance can be found here.