60 Day FRN

asabaliauskas on DSK3SPTVN1PROD with NOTICES

95312

Federal Register / Vol. 81, No. 248 / Tuesday, December 27, 2016 / Notices

Treasury specifically invites
comments on: (a) Whether the proposed
collection is responsive to the statutory
requirement; (b) the accuracy of the
estimate of the burden of the collections
of information (see below); (c) ways to
enhance the quality, utility, and clarity
of the information collection; (d) ways
to use automated collection techniques
or other forms of information
technology; and (e) estimates of capital
or start-up costs and costs of operation,
maintenance, and purchase of services
to maintain the information.
Comments are being sought with
respect to the collection of information
in connection with data collection.
Treasury previously analyzed the
potential burdens associated with the
data collection process. See 81 FR 18950
(April 1, 2016). As explained
previously, the data collection rules
propose a mandatory annual data
collection process (beginning in 2017)
which will continue from year to year
as the Program remains in effect. The
information sought by Treasury will
comprise data elements that insurers
currently collect or generate, although
not necessarily grouped together the
way in which insurers currently collect
and evaluate the data. Treasury
currently anticipates that approximately
100 Program participants will be
required to submit the ‘‘Insurer (NonSmall) Groups or Companies’’ data
collection form, 300 Program
participants will submit the ‘‘Small
Insurer’’ form, 400 Program participants
will submit the ‘‘Captive Insurer’’ form,
and 75 Program participants will submit
the ‘‘Alien Surplus Lines Insurers’’
form.
Each set of data collection forms is
expected to incur a different level of
burden. Treasury anticipates
approximately 75 hours will be required
to collect, process, and report the data
for each Insurer (Non-Small) Group or
Company, approximately 25 hours to
collect, process, and report data for each
Small Insurer, and approximately 50
hours to collect, process, and report data
for each Captive Insurer and Alien
Surplus Lines Insurer.
Assuming this breakdown, the
estimated annual burden would be
38,750 hours (100 insurers × 75 hours +
300 insurers × 25 hours + 400 insurers
× 50 hours + 75 insurers × 50 hours). At
a blended, fully loaded hourly rate of
$85, the cost would be $3,293,750
across the industry as a whole, or $6,375
per Insurer (Non-Small) Group or
Company, $2,125 per Small Insurer, and
$4,250 per Captive Insurer or Alien
Surplus Lines Insurer.

VerDate Sep<11>2014

20:45 Dec 23, 2016

Jkt 241001

Dated: December 20, 2016.
Michael T. McRaith,
Director, Federal Insurance Office.
[FR Doc. 2016–31238 Filed 12–23–16; 8:45 am]
BILLING CODE 4810–25–P

DEPARTMENT OF THE TREASURY
Guidance Concerning Stand-Alone
Cyber Liability Insurance Policies
Under the Terrorism Risk Insurance
Program
Department of the Treasury,
Departmental Offices.
ACTION: Notice of guidance.
AGENCY:

This notice provides guidance
(Guidance) concerning the Terrorism
Risk Insurance Program (Program) under
the Terrorism Risk Insurance Act of
2002, as amended (‘‘TRIA’’ or ‘‘the
Act’’). In this notice, the Department of
the Treasury (Treasury) provides
guidance regarding how insurance
recently classified as ‘‘Cyber Liability’’
for purposes of reporting premiums and
losses to state insurance regulators will
be treated under TRIA and Treasury’s
regulations for the Program (Program
regulations).
DATES: December 27, 2016.
FOR FURTHER INFORMATION CONTACT:
Richard Ifft, Senior Insurance
Regulatory Policy Analyst, Federal
Insurance Office, 202–622–2922 (not a
toll free number), Kevin Meehan, Senior
Insurance Regulatory Policy Analyst,
Federal Insurance Office, 202–622–7009
(not a toll free number), or Lindsey
Baldwin, Senior Policy Analyst, Federal
Insurance Office, 202–622–3220 (not a
toll free number).
SUPPLEMENTARY INFORMATION:
This Guidance addresses the
application of certain provisions of
TRIA 1 and the Program regulations 2
with respect to certain insurance
policies covering cyber-related risks.
This Guidance may be relied upon by
the members of the public unless
superseded by subsequent amendments
to the Program regulations, or by
subsequent guidance.
SUMMARY:

I. Background
TRIA was enacted following the
attacks on September 11, 2001, to
address disruptions in the market for
terrorism risk insurance, to help ensure
the continued availability and
1 Public Law 107–297, 116 Stat. 2322, codified at
15 U.S.C. 6701, note. As the provisions of TRIA (as
amended) appear in a note, instead of particular
sections, of the United States Code, the provisions
of TRIA are identified below by the sections of the
law.
2 31 CFR part 50.

PO 00000

Frm 00215

Fmt 4703

Sfmt 4703

affordability of commercial property
and casualty insurance for terrorism
risk, and to allow for the private markets
to stabilize and build insurance capacity
to absorb any future losses for terrorism
events. TRIA requires insurers to ‘‘make
available’’ terrorism risk insurance for
commercial property and casualty losses
resulting from certified acts of terrorism
(insured losses), and provides for shared
public and private compensation for
such insured losses. The Secretary of
the Treasury (Secretary) administers the
Program; pursuant to the Dodd-Frank
Wall Street Reform and Consumer
Protection Act, the Federal Insurance
Office assists the Secretary in
administering the Program.3 The
Program has been reauthorized three
times, most recently on January 12,
2015, when President Obama signed
into law the Terrorism Risk Insurance
Program Reauthorization Act of 2015,
extending the Program until December
31, 2020.4
TRIA requires participating insurers
to ‘‘make available’’ terrorism risk
insurance in connection with ‘‘property
and casualty insurance’’ as defined in
the Act.5 By regulation, Treasury has
further defined ‘‘property and casualty
insurance’’ by reference to the
classification of certain lines of
commercial insurance set forth in the
National Association of Insurance
Commissioner’s Exhibit of Premiums
and Losses (commonly known as
Statutory Page 14).6 Pursuant to the
Program regulations, insurance reported
on Statutory Page 14 under ‘‘Line 17—
Other Liability’’ is generally subject to
TRIP. However, insurance reported on
that page as ‘‘Professional Errors and
Omissions Liability Insurance,’’ a subline within ‘‘Other Liability’’ for state
regulatory purposes, is expressly
excluded from TRIP by the Act.7 Under
the Program regulations, ‘‘professional
liability insurance’’ is defined
consistently with ‘‘Professional Errors
and Omissions Liability Insurance’’ as
that term is defined for state law
purposes.8
Cyber risk insurance is a broad term
that includes insurance products
covering risks arising ‘‘from the use of
3 31

U.S.C. 313(c)(1)(D).
Law 114–1, 129 Stat. 3.
5 TRIA sec. 103(c) (‘‘make available’’
requirement); id., sec. 102(11) (definition of
‘‘property and casualty insurance’’).
6 31 CFR 50.4(w).
7 TRIA sec. 102(11)(xi) (excluding ‘‘professional
liability insurance’’); see also 31 CFR 50.4(w)(2)(xi).
8 31 CFR 50.4(t); compare National Association of
Insurance Commissioners, Uniform Property &
Casualty Product Coding Matrix (Effective January
1, 2016) (NAIC 2016 P/C Product Coding Matrix),
p. 9, available at http://www.naic.org/documents/
industry_pcm_p_c_2016.pdf.
4 Public

E:\FR\FM\27DEN1.SGM

27DEN1

Federal Register / Vol. 81, No. 248 / Tuesday, December 27, 2016 / Notices
electronic data and its transmission,
including technology tools such as the
internet and telecommunications
networks,’’ as well as ‘‘physical damage
that can be caused by cyber attacks,
fraud committed by misuse of data, any
liability arising from data storage, and
the availability, integrity, and
confidentiality of electronic
information.’’ 9 The cyber risk insurance
market has evolved significantly since it
first emerged approximately two
decades ago and is expected to continue
experiencing rapid growth.10 A 2016
report on cyber insurance noted that 19
different categories of coverage are
available to a greater or lesser extent in
the cyber insurance market, including
first and third party coverage related to
data breaches, cyber extortion, business
interruption, data and software loss,
physical damage, and death and bodily
injury.11
Cyber risk insurance remains an
evolving insurance market, both in
terms of product development and
regulatory oversight. Certain insurance
policies that may contain a ‘‘cyber risk’’
component or which do not exclude
losses arising from a cyber event
continue to be written in existing TRIPeligible lines of insurance and are thus
subject to the provisions of the
Program.12 Prior to 2016, some insurers
that wrote stand-alone cyber risk
insurance may have offered and
reported it for state regulatory purposes
as Professional Errors and Omissions
Liability Insurance, which, as noted
above, is expressly excluded under
TRIA from the definition of ‘‘property
and casualty insurance.’’
As of January 1, 2016, however, state
regulators introduced a new sub-line of
insurance, identified as ‘‘Cyber
Liability,’’ under the broader ‘‘Other
Liability’’ line. ‘‘Cyber Liability’’ is
defined for state regulatory purposes as
follows:

asabaliauskas on DSK3SPTVN1PROD with NOTICES

9 CRO

Forum, ‘‘Cyber Resilience: The Cyber Risk
Challenge and the Role of Insurance’’ (December
2014), p. 5, available at http://
www.thecroforum.org/cyber-resilience-cyber-riskchallenge-role-insurance/.
10 PricewaterhouseCoopers, ‘‘Insurance 2020 &
Beyond: Reaping the dividends of cyber resilience’’
(2015), p. 10 (estimating that the global premium
market will reach $5 billion by 2018 and at least
$7.5 billion by 2020) (PwC Cyber Insurance Report),
available at http://www.pwc.com/gx/en/insurance/
publications/assets/reaping-dividends-cyberresilience.pdf.
11 Cambridge Centre for Risk Studies and Risk
Management Solutions, ‘‘Managing Cyber Insurance
Accumulation Risk’’ (February 2016), pp. 10–11,
available at http://static.rms.com/email/
documents/managing-cyber-insuranceaccumulation-risk-rms-crs-jan2016.pdf.
12 See, e.g., PwC Cyber Insurance Report, p. 9
(noting likely existence of cyber risk coverage
‘‘within your wider property, business interruption,
[and] general liability . . . coverage’’).

VerDate Sep<11>2014

20:45 Dec 23, 2016

Jkt 241001

Stand-alone comprehensive coverage for
liability arising out of claims related to
unauthorized access to or use of personally
identifiable or sensitive information due to
events including but not limited to viruses,
malicious attacks or system errors or
omissions. This coverage could also include
expense coverage for business interruption,
breach management and/or mitigation
services. When cyber liability is provided as
an endorsement or as part of a multi-peril
policy, as opposed to a stand-alone policy,
use the appropriate Sub-TOI of the product
to which the coverage will be attached.13

This Guidance confirms that standalone cyber insurance policies reported
under the ‘‘Cyber Liability’’ line are
included in the definition of ‘‘property
and casualty insurance’’ under TRIA
and are thus subject to the disclosure
requirements and other requirements in
TRIA and the Program regulations as
specified in the following Section.
II. Guidance
Treasury provides this Guidance to
clarify that the requirements of TRIP
apply to stand-alone cyber insurance
policies reported under a TRIP-eligible
line of insurance.14 This Guidance is
designed to address the application of
TRIA and the Program regulations to
such cyber risk insurance policies due
to the aforementioned developments in
this area, which may have caused some
marketplace uncertainty.
Guidance One (Cyber Liability Included
in Property and Casualty Insurance)
Effective January 1, 2016, policies
reported for state regulatory purposes
under the Cyber Liability sub-line on
Line 17—Other Liability of the NAIC’s
Exhibit of Premiums and Losses
(commonly known as Statutory Page 14)
are considered ‘‘property and casualty
insurance’’ under TRIA.
Guidance Two (Application to In-Force
Policies)
(a) An in-force policy reported under
the Cyber Liability sub-line on Line
17—Other Liability of the NAIC’s
Exhibit of Premiums and Losses
(commonly known as Statutory Page
14), and which provides coverage for
13 NAIC 2016 P/C Product Coding Matrix, p. 10.
‘‘Sub-TOI’’ refers to ‘‘Sub-Type of Insurance.’’
14 As is the case with all other coverages subject
to TRIA, policy losses that do not arise from an ‘‘act
of terrorism’’ certified by the Secretary of the
Treasury would not trigger the Program backstop.
For example, an act cannot be certified as an ‘‘act
of terrorism’’ unless it is, among other things, ‘‘a
violent act or an act that is dangerous to human life,
property, or infrastructure. . . .’’ 31 CFR
50.4(b)(1)(ii). To the extent a cyber event did not
satisfy this requirement, the backstop provisions of
TRIP would not be implicated. Any specific
determination in that regard could not be made in
advance and would depend upon the circumstances
and considerations presented in any particular case.

PO 00000

Frm 00216

Fmt 4703

Sfmt 4703

95313

insured losses under TRIA, is not
eligible for reimbursement of the
Federal share of compensation unless:
(i) The insurer offered coverage for
insured losses subject to the required
disclosures under 31 CFR 50 Subpart B;
or
(ii) The insurer demonstrates that the
appropriate disclosures were provided
to the policyholder before the date of
any certification of an act of terrorism.15
(b) An insurer that did not make an
offer for coverage for insured losses
under an in-force policy reported under
the Cyber Liability sub-line on Line
17—Other Liability of the NAIC’s
Exhibit of Premiums and Losses
(commonly known as Statutory Page 14)
is not required to do so at this time.
Guidance Three (Application to New
Offers and Renewals of Coverage)
Effective April 1, 2017, and consistent
with TRIA and the Program regulations,
an insurer must provide disclosures and
offers that comply with TRIA and the
Program regulations on any new or
renewal policies reported under the
Cyber Liability sub-line on Line 17—
Other Liability of the NAIC’s Exhibit of
Premiums and Losses (commonly
known as Statutory Page 14).
Dated: December 20, 2016.
Michael T. McRaith,
Director, Federal Insurance Office.
[FR Doc. 2016–31244 Filed 12–23–16; 8:45 am]
BILLING CODE 4810–25–P

DEPARTMENT OF VETERANS
AFFAIRS
[OMB Control No. 2900–0051]

Agency Information Collection
Activity: (State Approving Agency
Reports and Notices 38 CFR 21.4154,
21.4250(b), 21.4258, 21.4259)
Veterans Benefits
Administration, Department of Veterans
Affairs.
ACTION: Notice.
AGENCY:

The Veterans Benefits
Administration (VBA), Department of
Veterans Affairs (VA), is announcing an
opportunity for public comment on the
proposed collection of certain
information by the agency. Under the
Paperwork Reduction Act (PRA) of
1995, Federal agencies are required to
publish notice in the Federal Register
concerning each proposed collection of
information, including each proposed
extension of a currently approved
collection, and allow 60 days for public

SUMMARY:

15 See

E:\FR\FM\27DEN1.SGM

31 CFR part 50, subpart G.

27DEN1