Legislative Branch Activity

Terrorism Risk Insurance Act Reauthorization

Last week, the Senate passed the Terrorism Risk Insurance Program Reauthorization Act of 2014 (S. 2244) by a 93-4 vote. The bill would extend the Terrorism Risk Insurance Act (TRIA), which expires at the end of this year, for an additional seven years. The Senate bill would keep TRIA largely the same but increase insurance companies’ co-payments from 15 percent to 20 percent. The House is anticipated to consider a separate TRIA reauthorization bill (H.R. 4871) which extends TRIA for five years and has been more controversial than the Senate bill given the changes it makes to put a greater share of the responsibility for “acts of terrorism” on the private sector. The House bill would also raise the trigger for companies that incur damages as a result of a nuclear, biological, chemical or radiological terrorist attack from $100 million to $500 million.

As it is currently written, TRIA allows the U.S. Department of the Treasury to define and certify events as “acts of terrorism” under the law, which would continue under both the House and Senate bills. A number of stakeholders have raised questions as to whether or not cyberterrorism would be covered by TRIA in both the House and the Senate processes. Members of Congress in both chambers have made statements that TRIA covers all potential terrorist-related incidents. Additionally, the Senate Banking, Housing and Urban Affairs Committee included report language that addressed the “all hazards” nature of TRIA, which includes cyberterrorism.

Executive Branch Activity

U.S. Department of Treasury Cybersecurity Efforts

Last week, Treasury Secretary Jacob Lew gave a speech to the Securities Industry and Financial Markets Association where he urged the financial sector to do more to increase their cybersecurity efforts, noting that many financial institutions are too secretive about their cybersecurity practices and when they experience breaches. Secretary Lew also called on Congress to pass cybersecurity legislation that would provide liability protections to companies that share information with the federal government. In order to reduce the cyber risks that exist in the financial sector and facilitate better information sharing, Department of the Treasury Deputy Secretary Sarah Bloom Raskin also plans to hold a series of meetings with federal and state financial regulatory agencies in the coming months.

NIST Cybersecurity Framework Review

The National Institute of Standards and Technology (NIST) is considering issuing a Request for Information (RFI) to allow stakeholders to comment on the Cybersecurity Framework that NIST developed as part of the President’s 2013 cybersecurity Executive Order. NIST is looking at issuing an RFI prior to the public workshop that they plan to have this fall to discuss the implementation of the Cybersecurity Framework. To date, the workshop has not been officially scheduled and a location has not been announced. Industry stakeholders have noted their interest in responding to a NIST RFI to convey their experiences so far with the Framework development and implementation process. Additionally, issuing an RFI would allow NIST to collect information about the process without forcing industry groups to collect data about their cybersecurity activities through a survey, which has also been discussed.