American International Group, Inc. (AIG) Earnings Call Transcript & Summary

And we're live. Thanks for continuing to join me today. This is the panel on cyber risks at the first Annual, hopefully, Annual, Bank of America, U.S. Insurtech Conference. We're broadcasting live from One Bryant Park here at the Bank of America headquarters, New York City. Happy to be back in the office. And this is a really great panel here on cyber risks. I mean we have 3 companies who are going to be [indiscernible] me in our panel, and all of them are at very different stages of who they are as companies and what they do. I'll let them introduce their companies a little bit, but we have Tracie Grella, who is the Head of Global Cyber Risk at AIG. She's a 25-year AIG veteran, former Head of Professional liability at AIG. Welcome, Tracie. Thank you for coming. We have Phil Edmundson, who is the founder and CEO of cyber specialty underwriter, Corvus. He's got a long tenure in the insurance industry. His business, William Gallagher, he sold to AJ Gallagher. He is early tech state -- early-stage tech investor in the insurtech area with CoverWallet and Verify. We have Josh MacDonald. He's the Chief Underwriter at cyber specialist, Elpha Secure. He's been underwriting cyber claims for Chubb, for Beazley. And I mean, really, it's such a great panel. Thank you all 3 for coming. We're going to try, I guess, do this in a little bit of alphabetical order, I guess. Tracie, why don't you begin? Tell us a little about what you're doing in AIG, and then we'll go in to each of you. And then I'll sort of ask some questions.

Okay. Thanks, Josh. Thank you for having me here today. I'm Tracie Grella, the Global Head of Cyber Risk at AIG. And in my role, I'm responsible for managing cyber insurance and cyber exposure across all of our product lines at AIG. So we're not only focused on the cyber insurance products we sell but also the cyber risk that we have in other products, such as property and casualty, and all of the other lines of AIG. And we're closely managing that risk and working with our clients to better understand their exposure, taking data that we have for all the claims activity we have over the last 2 years and developing insights that we share with our clients to help them improve their cybersecurity risks. We've also been using a lot of external data in cyber underwriting, and we use that data to help our clients identify vulnerabilities that are on their network, from malware that's on their network that gives rise to losses under the policy. And we work with that proactively to help them improve their security in that way to make them -- to improve their risk profile. So we've been writing cyber insurance for over 20 years. We're a leading carrier in over 50 countries around the world, and the cyber market is definitely dynamic. It's a time of transition as we are -- we're playing an instrumental role in insurance industry and helping improve the security of all organizations.

Thank you. Phil, tell us a little about what you're doing at Corvus.

Hey, thanks, Josh. It's a pleasure to be here with you and the other panelists. I'm the CEO and Founder of Corvus Insurance. We're an insurtech company that broadly uses new types of data to predict and prevent commercial insurance claims and to deliver value to our stakeholders. And our stakeholders are our risk capital partners, our internal underwriters, our brokers, and of course, the policyholders. And while we work in a number of commercial insurance areas, cyber insurance is the most elegant expression of our overall market thesis. And here, we use our proprietary software to ascertain insights into the IT security of organizations that we consider for our cyber insurance products. And we not only execute on that on our digital platform that we call the CrowBar, but we also use that to deliver IT recommendations, IT security recommendations to our policyholders and alerts. So that when bad things happen in the middle of the year, SolarWinds, Microsoft Exchange, our policyholders know what they can do to prevent vulnerabilities from being exploited because we understand the same view of the organizations that the cyber criminals hold. So love this conversation, great panelists. Thanks for inviting me.

And Josh, tell us about Elpha Secure and what you're doing in the market.

Sure. Thanks and happy to be on the panel. I appreciate the invitation. So Elpha Secure is a new MGA, cyber MGA insurtech space, and I'm -- we came around in response to what's really been happening in the cyber space in the past couple of years. I'm sure the audience is aware of how the cyber risk transfer market is evolving and responding to the past year by now mandating insured to have proper security hygiene in order to be insurable. So at Elpha Secure, we took that to the next level by actually embedding a full suite of risk mitigation software into the risk transfer product. We have built a solution over the past couple of years to deliver the necessary tools for a small business to mitigate cyber threats, tools such as multi-factor authentication, EDR, VPN and patching and also the resilience, should an incident occur, offset encrypted cloud backups, security operations center and incident response. We deliver all these tools to the insured at bind, giving the insured a full end-to-end solution for all their cybersecurity and insurance needs. So think of Elpha really as Progressive Snapshot for auto, but we're also putting seatbelts, airbags and brakes on the car.

Fantastic. So I have a bunch of questions, and you don't have to get the answers right. This isn't a quiz. This is more explain to people the market scale and how it works. The first question is how big do we think the market is currently, I guess, measured in premium, although big may not be the right way to think about it? How big could the market potentially be, if everybody needed cyber risk bought it? And how should we think about it for municipalities and small businesses who might not be even aware that they need it right now? Can you sort of scale up the market, Tracie, for us to give us a sense of what we're talking about here?

Yes. So there are lots of estimates about the size of the market. It's a little difficult to determine the actual size because of the way cyber exposure is embedded in multiple products, so it's not consistently captured across the -- across all the industries and across all companies the same way. Some companies may purchase some cyber risk in property or other lines. There's basic cyber insurance. they're -- bought policies that include cyber, so we haven't really had an actual -- an accurate measurement of what that number is. But it's definitely -- it's in the billions based on all the different estimates that we have. It is a robust market. And first -- and there are offerings that applies to all size organization. Some small organizations can get package policies with our cyber in it. A lot of the services, some that were just being mentioned, you might find selling towards small companies. Larger companies, there's products available that's more customized and can be a little bit more robust for larger companies. So the market is pretty robust and able to address different size entities, different industries. But the actual size on the number is something that there's been a lot of -- there's been different estimates on. But the -- more markets have been regularly coming in. And at some point, we have about 200 markets offering cyber insurance, so it is a robust and vibrant market.

Now I'm going to keep going through questions. Although if somebody feels like something is open-ended and wants to pipe in, you can interrupt me. And the more information we get, the better. Can we talk a little about structuring, I guess? So some risks are small, and an underwriter can take the whole risk themselves. Other risks are large and require syndication. I guess there's 2 things I want to know a little bit about that market. Maybe Phil, you can clue us in about the syndicated market versus the whole market. But the big question, I guess, for me is whenever I hear there's a big loss in the cyber market that we assume is probably part of the syndicated market is everybody on that loss is underwriting a tool where in the big syndicated deals, some companies are on, some companies are off. Can you talk about how -- I guess structure a little bit to understand what's going on?

Josh, I'll give that a try, and then I'll connect that to your first question as well because I think there's some more interesting color there, but you're right. Organizations are buying more insurance. And frequently, they need to use multiple insurers. Many insurers are reducing the amount of limit that they want to expose for any individual organization. So those are typically stacked up horizontally, frequently with the broadest coverage at the bottom and sometimes with restrictions on coverage as you go up a tower of insurance but not always. So -- but how that integrates into the earlier question, sure, we all read these estimates. Maybe the U.S. market is $4 billion, maybe double that globally, great growth potential. But the interesting thing to me is how the growth is taking place because not only are prices going up, premium rates going up, and that's driving growth, but demand is growing because organizations have much more awareness of cyber risk and the -- as Tracie said, there's lots of cyber insurance available. And they're also -- so they're buying more than they did before, and they're also requiring each other to buy more. So frequently, organizations are required to buy certain types of liability insurance before a third party will do business with them. That could be a landlord-tenant relationship or a contractor-subcontractor relationship. Those requirements for cyber insurance didn't even exist 5 years ago, and now they're increasing. And so there's a second driver. And the third driver is, let's face it, commercial insurance doesn't usually get to be a Board-level conversation. But what Board of Directors isn't talking about cyber risk today? They all are, and their brokers will generally get dragged into the meeting and try to explain why do we buy $5 million of insurance today. And oftentimes, the next question is how much does 10 cost, and how much is 20? And the attention that's being paid to cyber risk is causing organizations to buy more insurance because there's frequently an uncertain answer to that question, how much is enough. So there's a lot of things driving the growth in the market, and one way to answer that is are these horizontal towers of placements.

And for the smaller companies, I guess, there's more risk selection. There's 2 things I want to know, is -- one is when there are large losses, is everybody on them? And to the extent to which the market -- I guess how big is the -- is the market bigger for these large conglomerates and large corporations buying cyber? Or is it bigger for the many, many, many smaller entities who are buying a little bit of protection each? I guess -- yes.

I think all carriers have -- there's a number of different underwriting processes. We even mentioned some of the things that we were doing as we opened up. And so carriers have different appetite right now and are targeting different types of business, whether it's small or large or industry based or control based, what they're looking for. So when you -- no, there will be many towers where not every company is on. There's so much capacity in the market. There are many large losses that large company carriers are not on. You're not going to see that on every large tower that every carrier is participating because there are so many markets that are available and because each market is looking for different type of risks and focusing their portfolio in different ways.

Yes. To piggyback on what Tracie just said, there are some carriers whose strategy is only to place the primary and then maybe first or second excess, and then some other carrier strategy is to only place high excess placements. So yes, there -- to piggyback on what she said, there are plenty of large losses where half of like the major carriers are probably not even on the loss.

And in terms of the market right now, I guess, this is to Josh. I wonder, to some extent, is the -- saves the markets in right now. And I'd say for most players or some players are looking just to breakeven and learn about the depth that's necessary to become a great player? Are we at the stage where everyone is trying to make money? Is there -- is this sort of -- is the whole industry in startup stage where the goal is just to be relevant?

I think there is some partial merit to this view, really, dependent on the carrier. Up until, I'd say, the past 2 years, most carriers were actually making money and pretty good money at that in cyber despite the relative infancy. There were ebbs and flows of profitability between major accounts and middle market and then various industry classes. But by and large, those dynamics were manageable from a profitability perspective. Of course, there were some outliers who made some bad bets that didn't make money, but I believe that was the exception and not really the rule. But really, that all changed in the past 2 years with the rise in ransomware. Middle-market accounts, which were historically a growth class, quickly became unprofitable. But the problem is none of the carriers had the data to predict a quick turn, and that's one of the issues with cyber risk, right? It evolves and changes quickly. Unfortunately, to compound the problem, what we saw in the past 5 years was traditional incumbent carriers trying to achieve really aggressive new business goals while competing with unsustainable rates in the marketplace, not dissimilar to the many lines across P&C. Cyber was just the last line to get there. But most incumbent carriers at this point have largely taken like new business goals off the table this year and will be growing on rate alone while using their data to correct their books, putting them, I believe, in a better position to return to profitability as opposed to newer entrants. And certainly, the carriers with the vast amounts of data will be in a better position to inform their underwriting and pricing moving forward and derisk their book as much as possible. So I think that the view that you proposed has considerably more merit moving forward than it did historically.

Just to make a note, the -- if you're listening to this webcast, you're probably asked through the Veracast web system. We're -- although we're not -- we're virtual and not live, it's possible for you to ask questions as well. You can type questions into the screen. I can ask them, and I do welcome your questions. I have plenty of them. But if you have questions for me, please send them in, and I can relay those questions. So obviously, the claims are up to the ransomware, and there might be some nervousness. I've often wondered what a real worst-case scenario is for maybe a cyber cat event for the industry. I'm always worried about the fat tails and things being price escaping the perception. Tracie, to your estimation, is there something that I should think of as a cyber cat event where the industry sort of understands that this is a major risk looming out there, and it's paying the price for that outcome?

The big concern for cyber insurers is systemic risk, and that's what we've been focused on from the beginning is measuring this risk. So a lot of work goes into accumulation, modeling and scenario development around the type of catastrophic events that we can have. Some of them could be a type of value or some type of vendor that is well relied on in the industry that might have a vulnerability or some type of failure. And so we -- the -- all the carriers are working on developing the scenario, sharing those scenarios and developing that modeling. And we -- the industry recently formed a consortium with a few group of use carriers that are in that consortium now. And hopefully, more will be joining. And one of the things that we're working on in that consortium is working together around modeling systemic risk and improving the data collection around that. And we bring in suppliers. Some of the key suppliers like key cloud companies and others that are major aggregators so that we can better understand how they're managing their risk, what they see as the potential and make sure that we're working with our insured to capture the right data to measure that. So that's an area of focus. It does need to continue to move forward and develop, and there are some efforts for the industry to work together to share all of our knowledge there to better model out that risk.

Yes. I think just to add to that, Josh. As an industry, we definitely need better data and more granular data. We need to be able to have a full understanding of our insured security posture like down to the end point. That enables us to properly underwrite. And as important, that data enables the cat models, as Tracie mentioned, to more accurately measure those fat tails. But ultimately, that enables the industry to properly price the risk. When you think about NotPetya, probably the closest we've come to a cat, they easily could have been avoided for most companies if they had a proper patching cadence in place as Microsoft had released that patch for about 3 months prior to the event. So having insight into an insurance patch cadence, just as an example, beyond the paper application is critical. If you're behind the firewall and you can see what their actual patching cadence is, then we can actually underwrite to that better, then we'll have a more exact underwriting science than what currently exists.

Josh, this is really still a big, big challenge for the industry. Most of us, I'm assuming, on the panel and others in this field, look to a variety of third-party cat modeling companies. And if you use multiple models, you'll find, at least we have, and we've heard from other fine competitors, that you get very different results from these different modeling tools. And so I think it's fair to say there's not a consensus yet around what is the most likely catastrophe. And then even if you can narrow it down that way, how do we model this? And some of the interesting developments that -- to look forward to are whether or not we see risk capital segmenting the risk and looking at this the way that the risk capital market looks at Florida windstorm. And as well the very top catastrophic risk is something that we can pass off to insurance-linked securities markets or other forms of capital as more and more tools, the tools we use, and I think that Josh and Tracie use are able to score risks at the individual account level so that we can put together portfolios that are able to be at least partially securitized in risk transfer.

So I guess this answers sort of again to my next question a little bit. If we look at this as a 20-year sort of line of business that was truly in its infancy 20 years ago, what were the initial data and variables that the industry was relying on early on in the process? What are contemporary variables and information that you're looking for? And what will be -- as things are developing, you're seeing the emerging possibilities of things that are within the realm of knowable that are going to help refine the underwriting for the next generation of products that are being sold? I guess, Josh, why don't we start with you on that one? Or actually -- I might ask Phil actually, sorry. Again, Phil, why don't you start there? And of course, Josh, come in, and Tracie. What is the data we're looking at? What was it? What is it? What will it be?

The insurance industry over the course of my career, I've seen several new products emerge and get broad acceptance. And this is obviously one of those. The cyber risks started bias and outgrowth the professional liability at companies like AIG and Lloyd's of London, Chubb, other early pioneers who tried to use the smartest people in our business to build models for it. As Josh said earlier, for the most of this history, that model has led to an overpricing of risk, a market that was not rational and produced above-average profits until the last couple of years. Now we're all focused on accumulation and catastrophe, and I think it's going to take some time for that to shake out. I've spent my whole career at the intersection of technology and insurance, and I'll use an example from another part of that career. We -- I've worked in the biotech sector in the '80s and '90s. And at the beginning, when biotech companies first started to bring drugs into clinical trials, commercial insurers charged $1,000 per clinical trial subject for a $5 million insurance policy. Today, they charge about $10. So what happened there is at the beginning, there was a lot of fear and a lot of uncertainty and a lack of track record that led to an overpricing or overcaution in pricing risk because everybody was afraid of biotech. Don't you remember? We used to have headlines about unmanageable fears of altering DNA? And then we all got used to it, and things settled down. So it will be interesting to see if cyber follows that same pattern or not. But right now, we've gone down a path where, initially, the industry overpriced risk. Now the cyber criminals have taken the upper hand, and we'll have to find a new equilibrium here in the coming years. I don't think it's going to be months. It's going to be years before it settles.

And then to understand the claims side of the equation, so I mean, in the past decade or so, some of the -- or maybe 5 years or more, some of the more notable events have been the Equifax data hack, the Kohl's data hack, the Colonial Pipeline hack. There was a county chef data privacy thievery. There was ransomware. Can we talk about a little bit, Josh, about the claims for nearly having private data stolen versus having a ransomware attack? There was, this past year, a large insurer was in a major ransomware attack. That was -- that costs a lot of money. As the claim -- some of the claims are very different sizes that referenced different situations. What does the claims history look like to help us understand what's at risk and try and come up with an understanding for the industry about what protections we're looking at?

Yes, sure. So the Equifax incident, even in contrast to what we're seeing in the news with ransomware, was still a massive loss. But the drivers of that loss were different. So notification and credit monitoring expenses and then forensics to determine the root cause and scope was what really drove that loss as opposed to ransomware, which does require a heavy forensic response. It's usually the resulting ransom and business interruption that drives the loss. Before ransomware, as akin to the Equifax breach, personal information aggregation was the biggest exposure when underwriting to cyber risk. And so it was relatively easy to quantify the exposure to a certain degree, what are the number of records. These could be credit card numbers, social security numbers, et cetera. And while PII breaches can and do still occur, technology and controls have advanced to a degree where organizations can largely scope these exposures out of their risk profile. But what's difficult to price in this current loss environment is the unknown associated with ransomware. How much are the hacker is going to demand -- or how much are the hackers going to demand? Can clients recover and restore in an efficient manner to avoid a lengthy business interruption? But the good thing is, as we speak, all carriers are accumulating the data that will help better inform their underwriting questions and processes and pricing in response to ransomware. So that's really the evolution that we've seen from one threat vector of being -- or one threat being massive PII aggregation, which we still see, to sort of the unknowns that we are facing with ransomware right now.

And is it -- is the rise in ransomware an outgrowth of crypto? Like can ransomware exist without crypto?

Well, it's a tough question. I think a lot of fingers are being pointed in that direction, and I think that there is certainly a degree of blame to be associated with crypto, but it's not all on the hands of crypto. I mean there's certainly -- certain aspects that regulators can do with crypto, making it less transparent and easier to track criminals and therefore easier to get the funds back and/or prosecute those criminals. But there are other things that go into it, such as poor cybersecurity hygiene. I mean as long as we implement a baseline of cybersecurity for companies that are doing business on the Internet, that would prevent a lot of ransomware claims on its own. So there's a lot of different factors that go into it, but crypto certainly does play its part.

I'm going to pause for a second because we have some questions from the audience. I have more questions, but I'll ask some of theirs. Can you make some comments about cyber reinsurance? Seems like that's much harder to price. Do you guys have any thoughts about the reinsurance markets for the audience? Anyone can answer.

I can't comment on pricing of the reinsurance market, but the reinsurance market is certainly an important piece of the market for cyber. Many carriers are using reinsurance. And again, to lose that, the systemic risk exposure, so we're spreading the risk out. And so that is an important piece. And there is a lot of start-up companies coming in and offering cyber insurance, so they're relying on reinsurance as well. So it is a critical piece of the market. And the reinsurers are asking questions about systemic risk and how carriers are managing that, how we're collecting data, the data that we're capturing. And so they'll have an influence on that as well, what they see as important across from a systemic standpoint.

Yes. I think, Tracie, you hit the nail on the head here. I mean they really fear the aggregation, so capacity is starting to become tight and will probably be tight for a while to come. A lot of large primary carriers do rely heavily on quota share reinsurance. And so that pressure supply, I think, will really start to increase and continue for quite some time.

And the second question is while prices are up due to claims currently, have terms and conditions changed as well? Is -- can insurance buy the product they want? Is it available on the market? Or is -- or you can't even get, at this point, the amount of protection or the product you're looking for?

Well, there are certainly exceptions, and there has been some tightening on terms but not as broadly as there has been on pricing. So certainly, what -- not everyone realizes, I think, is that there's a lot of levers inside a cyber insurance policy. It's much more complex than most other types of commercial insurance policies. And so we're certainly seeing some of those knobs being turned down. But -- and in some classes of risk and companies that perhaps fail their IT security, scan tests or tools that we all use now, you may see some restrictions. But broad coverage is still available.

And a lot of the restrictions that are being introduced in the market are really incentive to help organizations improve their security, so you might see restrictions. But if a company can improve their security, we're giving guidance out, the types of controls that need to be in place. We're working with our clients to get those controls in place. We're identifying -- through scans and other data sources, we're identifying vulnerabilities and weaknesses. And when organizations can clean those up, then they will see more broad cover. For those that can't or aren't investing now or something, we hear a lot that this is a plan, but it does take time. It will be over the next couple of months, the next year, there will be restrictions on cover.

So when I think about ransomware, it triggers my head as an insurance guy that it somewhat relates to the old kidnap and ransom policies. And there was part of that which was the payment and protection for the buyer to pay those claims and get back to their loved ones or whatever. But there was also a component of that a lot of these specialists had black ops, former military personnel who would work to remediate the claim after payment and get the ransom back. To what extent are the claims departments for cyber risk underwriters involved in trying to minimize claims through remediation through trying to, I guess, find who the villains are in this whole story and get the money back over time as a way of minimizing their own costs? And I guess I'll go to Tracie on that one.

Okay. There are a number of external vendors that are involved in the process. The claims department is certainly involved, but there are ransomware negotiators or external vendors of cryptocurrency that holds cryptocurrency wallet. And they -- and the clients, the ransomware negotiators, they're working with law enforcement. The law firms are working with law enforcement. So there's a number of parties that are involved. And then you have the private firm as well so -- and then there's others. So the claims department is involved with working with these various vendors and certainly working with the insured through this matter and helping to give a sight on how to recover in a low cost-effective way but definitely a number of experts at a time can be involved in the type of negotiation and discussion.

So I think the latest news or at least big story was the JGB (sic) [ JBS ] meat processing plant. Without betraying my own ignorance, I mean, it doesn't sound like the bedrock of cybersecurity. That target might have been able to be hackable before. It wasn't like a momentary letting down of the guard. As I imagine, there's a lot of hackable businesses out there. Are we at the trough of cybersecurity hygiene right now? Are -- as we go forward, is hygiene going to get a lot better, and it's going to be harder to hack into various targets? Or is this kind of like code and semiconductors and Moore's law that as time goes on, while silicon wafers get cheaper and thinner, the amount of code is doubling, so we're kind of running in place? Will the hackers get more sophisticated at the same pace that cyber hygiene is improving, and so we're going to be at this equilibrium in -- for the foreseeable future? Phil, I guess I'll go with you on that question.

Josh, that is a great question. And I think you got to the most difficult part at the end there is will the cyber hackers, the cyber criminals continue to grow in sophistication? Will they be able to continue to hide under the protection of certain governments or, in other ways, a good law enforcement? Because they will need to amp up their game because so much is being spent on cybersecurity, not just because we recommend it to our policyholders, but organizations are doing this and investing broadly, maybe not all of them, but broadly into cybersecurity. And I'm sure one of your colleagues that covers the cybersecurity software market can talk about that at great length. So big challenges there and a lot of uncertainty about how the cyber criminals will be able to continue to stay steps ahead of the cybersecurity industry and those of us who underwrite the risk.

Josh, I'd jump in there and say that I think the rule of thumb going to JGB (sic) [ JBS ] is that any company can be had. That has been proven many times over. If you think about the NSA, Mandiant, military agencies and the biggest banks have all been compromised, and they have the best cybersecurity in the world. I'm not privy to JGB's (sic) [ JBS ] network security, but it is known that manufacturing is a vulnerable class with outdated operational technology and a high dependency on uptime. So their control is going to be best in class. But when you have the power of a state-sponsored actor breaking down your door, very few companies stand a chance of prevention. So in the context of ransomware, it's how resilient is a company when they're hacked? Could JGB (sic) [ JBS ] recover their data quickly to avoid a substantial interruption to their operations? Did they have a business continuity plan in place? To your point that the hacks are still making news, making them appear infrequent, but I would estimate that probably less than 1% of hacking incidents actually make the news. Hackers are taking every opportunity they can right now because, as you said, security hygiene is only going to improve across the board. Governments are demanding better hygiene. Industry groups are demanding better hygiene. Insurance carriers are now demanding better hygiene. And once the baseline of cybersecurity hygiene improves, because it was very low before, especially in the middle market to small, even a modest improvement across the board, I think, will make a significant impact.

And I guess something that Phil said does a relationship between cyber hackers and state sponsorship, to what extent are there going to be successful cyber hackers without the protection and funding of a state sponsor, a state as a bad actor being a funder of this sort of villainy and whatnot? Are many of these cyber hackers truly independent and just villains for their own purposes? Or is this necessarily tied to international peace disruption? I guess, I mean, I'll leave up to you. We're kind of out of order. I matched this, who's going to get the questions. Anyone can answer, just because it doesn't matter so much. But what's the linkage? We're going to go and talk about terrorism a little bit. We're going to talk about [ BI ] a little bit. It can go anywhere. So you guys can take wherever you want.

Yes. Josh, we rely on the reports from the FBI and the law enforcement agencies to answer that question. And that certainly points out the fact that, in many cases, if not state-sponsored, there are state defenders of these attacks. But honestly, most of the events that we respond to, the party on the other side, and they have a code name, but they are otherwise pretty opaque and are mostly successful in staying that way.

So after September 11, 2001, the insurance industry have gummed up because nobody wanted to -- no one really knew how to price really wanted to take the risk of a terrorist event becoming a property cat destruction for a lot of small risks, large and small. And the federal government responded with TRIA as an umbrella protection that allowed the insurance institute to continue to underwrite without having to contemplate terrorists making exactly the -- there's been no real claim under TRIA. I guess it's worked or hasn't worked, but it's definitely been tested. But as we think about the ability of some of these cyber hackers to potentially create mass havoc, where does criminality end and terrorism begin? And does the TRIA over cyber attacks, does -- do we need a TRIA for cyber attacks? Where are we right now? And then what do we have to contemplate? What fears should the government be for assuaging with protection for the private market? Phil looks like he's ready to answer, so I'm just going to give it to Phil. Anyone can answer.

Yes. It's a great question, Josh. So my understanding is TRIA does not preclude cyber events from its definition of terrorism. However, the definition of what is an active terrorism has not been put to the test under TRIA. And there's a lot of different scenarios that could play out here where we have cyber criminals who, as I just said, are so opaque in their source and where there's not clarity around the motivations of their government sponsors, defenders or colleagues. So it is -- I think what would be most helpful to the commercial insurance industry is clarity from the treasury department around when TRIA might respond to a large cyber event rather than the need for a new legislation.

All right. And the final question, I guess, for today involves Mr. Biden and Mr. Putin. And so at the recent summit, Biden, I guess, drew a red line around 16 different sectors that the United States would not stand for any cyber hack disruptions. And I guess Mr. Biden believes that was in Mr. Putin's ability to limit the amount of cyber hacks. When we think about how business is priced, did the cost of protecting -- should the cost of buying cyber insurance on those 16 areas go down because, presumably, they're under the explicit protection of the United States government in terms of prompting an international incident if something should happen? And does that mean everything else is fair game, and the price of the remaining sectors that were not specifically named something maybe should go up in value because the United States have less of an aggressive view on what would be the response if something were to happen to those areas?

My gut reaction to that would be no. I mean, even if you scope Russia out, there's still several other state actors that would have no problem targeting those entities. So I don't think any insurance carrier would be prudent to place their pricing based on that loose agreement, if it even was an agreement, as opposed to a directive.

If something changes, I mean, we always look at our portfolio based on different segments, where tax are coming from, who their accounts and what the potential loss could be. So that would all -- we would address that. But you'd have to see that change, and it does seem like it would be unlikely. I agree with what Josh was saying.

Agreed.

So there's one question coming through here. And in a lot of different types of policies, acts of war are excluded. And if there is a cyber claim that was paid, and that, later, it's determined to be the act of a foreign government who was actually the instigator of that attack, would -- is that claim a claim that could be subrogated or could be -- to the government or whatnot? Is an attack by a foreign government a payable event? Or is that somehow excluded in how the business is underwritten today?

Typically, in any cyber insurance policy, there's not an exclusion for actors. So the actor who conducts the -- who are the actors of an attack that of in itself is not an exclusion. So you do need to look at both war exclusion and other exclusions in the policy. And in the cyber marketplace, war exclusions were addressed years ago to make sure we know that many attacks come from state actors and state-sponsored actors. So in a cyber policy, that has been considered as a war exclusion. And so there was some language that was removed. But when you look at other insurance policies in the market, the war exclusion may be more robust and not written with cyber attacks in mind. So those who are concerned about having a cyber attack that might result in a property damage or some type of bodily injury, they are going to have a more strict war exclusion in those policies typically.

Well, thank you all for your time today. We are at the end of the session. I do appreciate you all joining. And if anyone has any questions for any of the participants, you can e-mail me those questions, and I can certainly pass them on to you. But it's certainly been interesting. And obviously, this is a topic that is constantly evolving. The best of luck to all 3 of you, and we'll continue the dialogue and learn more from each other as time goes on.

Thanks for having us.

Thanks, Josh.

Thank you.

And then let's avoid those claims. All the best.

Thanks so much. Bye.