Treasury Asks Whether Terrorism Risk Insurance Program Should Bolster Cyber Coverage

The Terrorism Risk Insurance Program, created after the September 11 attacks, provides a federal reinsurance layer for insurers underwriting terrorism exposure. As the 2002 Terrorism Risk Insurance Act nears its 2027 sunset, Treasury is evaluating whether the program should also serve as a backstop for cyber incidents that meet the law’s terrorism definition. By soliciting stakeholder input now, the department aims to shape a report that could influence Congress’s reauthorization decisions, potentially embedding cyber coverage into the core of the federal insurance safety net.

Cyber insurance markets have struggled with capacity constraints, pricing volatility, and ambiguous policy language. A 2024 GAO report underscored that TRIP’s current framework only covers cyber losses when they are certified as acts of terrorism—a narrow criterion that excludes many high‑impact attacks. Recent incidents, such as the wiper attack on medical‑device maker Stryker linked to geopolitical retaliation, illustrate how cyber events can have terror‑like motivations yet fall outside existing coverage. These gaps leave insurers and large enterprises exposed to catastrophic losses, prompting calls for a more expansive federal role.

If Congress ties a dedicated cyber‑insurance backstop to the reauthorization of TRIA, the industry could see a more predictable risk pool, lower premiums, and greater availability of coverage for critical infrastructure. However, expanding the definition of terrorism‑related cyber events raises concerns about moral hazard and the fiscal exposure of the Treasury. Stakeholders should monitor the comment deadline on May 8 and prepare position papers, as the outcome will likely set the tone for future cyber‑risk legislation and influence capital allocation across the insurance sector.