Developing News
The TRIA Challenge Revisited
he Terrorism Risk Insurance Act (TRIA) program, set to expire on December 31, 2027, is receiving bipartisan1 support for another seven-year extension. The federal terrorism insurance backstop was designed for physical terrorism, but a key question now is whether it can realistically function as a backstop for catastrophic cyberterrorism. Early legislative activity in both chambers creates an opportunity for a broader debate about the adequacy of TRIA’s certification framework in an era of rapidly evolving cyber risk.
The TRIA Program Reauthorization Act of 2026, or H.R. 7128, is moving through the House2 and is largely similar in structure to its 2019 incarnation. Other than technical changes, the new bill would require the Secretary of the Treasury to publish notice that the process to certify an event as an act of terrorism has begun within 30 days following the occurrence and that any final certification determination will be issued within 90 days of that publication. Additionally, the minimum property and casualty losses necessary to certify an act would increase from $5 million to $10 million in 2029.
A proposed amendment in the House Financial Services Committee would have shortened the extension to five years, increased the program trigger from $200 million to $250 million, decreased the federal cost share from 80% to 70%, and required a study on charging insurers an annual participation fee. The amendment was voted down 49-2, suggesting that further limiting TRIA’s potential exposure for taxpayers is not a priority in the House legislative process at this time. With that broader debate largely sidelined for now, attention is also turning to a related question — how should TRIA be expected to respond to cyberterrorism losses?
The 2019 reauthorization required the Government Accountability Office (GAO) to study insurance coverage for cyberterrorism. In its 2025 report, the GAO concluded that while TRIA could theoretically apply to terrorism losses under eligible cyber policies, cyberterrorism events may not readily satisfy TRIA’s certification criteria. The report highlighted several practical hurdles.3 Many cyberattacks (1) may not meet TRIA’s requirement that an act be violent or dangerous to human life, property, or infrastructure, (2) may not clearly meet the requirement that the act be committed to coerce the US population or government or influence policy, and (3) may raise complications regarding TRIA’s geographic damage requirements. For that reason, the GAO suggested that if Congress considers a federal cyberterror insurance response, it may need to be structured as a program distinct from TRIA with clearer triggering criteria. The GAO also emphasized that any such federal response should incorporate features that mitigate moral hazard, such as cybersecurity requirements or incentives that encourage insureds to invest in stronger controls.
What this means for actuaries:
Please see the September/October 2014 and January/February 2020 Actuarial Review for previous coverage of TRIA.