A recent report by the Foundation for Defense of Democracies (FDD) suggests that Congress should consider establishing a federal cybersecurity reinsurance program as part of the upcoming reauthorization of the Terrorism Risk Insurance Act (TRIA), set to expire in 2027.

The report argues that cyber insurance, though expanded over the last two decades, remains underdeveloped, with inconsistent premiums, a persistent coverage gap, and challenges in accurately modeling risk.

In response to concerns that the private insurance market may struggle to scale quickly or effectively enough to address rising cyber threats, a federal backstop has been proposed. The report outlines how a federal reinsurance mechanism, modeled in part on TRIA, could potentially reduce volatility in the market, support insurers facing large-scale losses, and encourage broader uptake of cyber insurance.

Government coinsurance for damages exceeding a certain threshold, capped liabilities, and a recoupment structure that gradually shifts costs back to the industry are central to this plan.

Together, these measures aim to drive growth in the cyber insurance market while strengthening national cybersecurity resilience.

Why It Matters: Ongoing volatility in the cyber insurance market has left many businesses underinsured against digital threats. Proponents of federal involvement argue that without a mechanism to manage systemic cyber risk, the broader economy could remain exposed. However, whether a government backstop would lead to a more stable, efficient market remains to be seen, and questions remain around implementation, cost, and the limits of public-private risk sharing.

• Unstable Market with Limited Coverage: Despite significant growth in premiums, the cyber insurance market has shown signs of strain, including declining coverage in some years, rising costs, and a lack of standardization. The report notes that the vast majority of cyber-related losses remain uninsured, suggesting that the current market may not be sufficient to manage large-scale digital risk.

• Proposal for a Targeted Reinsurance Mechanism: The recommendation includes a federal reinsurance program that would only be triggered during high-impact incidents, such as a widespread malware outbreak. Insurers would retain some financial responsibility, with government support kicking in above a defined threshold and a repayment mechanism (recoupment) activated afterward. This structure, however, has not yet been tested for cyber-related risks, and its practical outcomes are uncertain.

• Data-Sharing Requirement Tied to Participation: As part of the proposal, participating insurers would be required to share anonymized data on incidents and cybersecurity controls. While this could support better modeling and policy analysis, it also raises questions about data handling, privacy, and whether sufficient participation would occur to produce representative insights.

• Scope Limited to Existing Coverage: The proposed backstop would not apply to risks often excluded from private insurance, such as cyber war or infrastructure disruptions, which some observers view as essential to market stability. While the report suggests setting clearer limits on exclusions, balancing these changes with insurer willingness to participate could be complex.

• Timing Linked to TRIA Reauthorization: With TRIA’s expiration approaching, the report suggests that 2025 offers a legislative opportunity to consider a cyber component. This may provide procedural efficiency but also risks introducing untested elements into a well-established program, potentially complicating reauthorization efforts.

Go Deeper → Federal cyber insurance backstop should be tied to expiring terrorism insurance law, report recommends – CyberScoop

How a Government Reinsurance Program Can Accelerate Maturation of the Cyber Insurance Market – FDD