professionalinsight
 

Developing News

The TRIA Challenge Revisited

By Cameron Hermann
The following article is solely the opinion of the author and does not reflect the views of his employer.
A glowing, translucent glass shield with a digital padlock icon, symbolizing cybersecurity protection.
T

he Terrorism Risk Insurance Act (TRIA) program, set to expire on December 31, 2027, is receiving bipartisan1 support for another seven-year extension. The federal terrorism insurance backstop was designed for physical terrorism, but a key question now is whether it can realistically function as a backstop for catastrophic cyberterrorism. Early legislative activity in both chambers creates an opportunity for a broader debate about the adequacy of TRIA’s certification framework in an era of rapidly evolving cyber risk.

The TRIA Program Reauthorization Act of 2026, or H.R. 7128, is moving through the House2 and is largely similar in structure to its 2019 incarnation. Other than technical changes, the new bill would require the Secretary of the Treasury to publish notice that the process to certify an event as an act of terrorism has begun within 30 days following the occurrence and that any final certification determination will be issued within 90 days of that publication. Additionally, the minimum property and casualty losses necessary to certify an act would increase from $5 million to $10 million in 2029.

A proposed amendment in the House Financial Services Committee would have shortened the extension to five years, increased the program trigger from $200 million to $250 million, decreased the federal cost share from 80% to 70%, and required a study on charging insurers an annual participation fee. The amendment was voted down 49-2, suggesting that further limiting TRIA’s potential exposure for taxpayers is not a priority in the House legislative process at this time. With that broader debate largely sidelined for now, attention is also turning to a related question — how should TRIA be expected to respond to cyberterrorism losses?

The 2019 reauthorization required the Government Accountability Office (GAO) to study insurance coverage for cyberterrorism. In its 2025 report, the GAO concluded that while TRIA could theoretically apply to terrorism losses under eligible cyber policies, cyberterrorism events may not readily satisfy TRIA’s certification criteria. The report highlighted several practical hurdles.3 Many cyberattacks (1) may not meet TRIA’s requirement that an act be violent or dangerous to human life, property, or infrastructure, (2) may not clearly meet the requirement that the act be committed to coerce the US population or government or influence policy, and (3) may raise complications regarding TRIA’s geographic damage requirements. For that reason, the GAO suggested that if Congress considers a federal cyberterror insurance response, it may need to be structured as a program distinct from TRIA with clearer triggering criteria. The GAO also emphasized that any such federal response should incorporate features that mitigate moral hazard, such as cybersecurity requirements or incentives that encourage insureds to invest in stronger controls.

What this means for actuaries:

While it is still early in the legislative process and the bills have yet to be enacted, the current approach suggests a more proactive posture by the government in reauthorizing TRIA. Notably, there appears to be less emphasis on further shifting risk exposure from taxpayers to insurers, as evidenced by the defeat of amendments aimed at increasing insurer responsibility. In light of the GAO’s findings, the insurance industry should also watch whether proposals for a cyber-focused federal backstop, either through changes to TRIA or through a distinct “cyber-TRIA” concept, gain traction in the Senate. For now, this suggests a period of relative stability for actuaries and the broader insurance industry while they navigate the landscape of terrorism risk coverage.

Please see the September/October 2014 and January/February 2020 Actuarial Review for previous coverage of TRIA.

Cameron Hermann is an actuarial analyst at Verisk. He is a member of the Actuarial Review Writing Subgroup.