Congress should use renewal of an expiring terrorism insurance program to create a federal backstop for cybersecurity insurance, according to a report out Tuesday that tries to thread many difficult needles to bolster an industry that its author says isn’t developing fast enough.

In an ideal world, cybersecurity insurance can be a valuable tool to protect policyholders and push everyone into adopting better cyber practices, but it will need government intervention to reach its full potential amid an array of challenges, Nick Leiserson writes in a study for the Foundation for Defense of Democracies, a D.C.-based think tank.

“Despite its massive growth over the past 20 years, cyber insurance is not living up to policymakers’ expectations,” Leiserson writes. “There is a significant coverage gap. Most damage caused by malicious cyber actors is not insured. The market remains immature, with significant year-over-year fluctuations in premiums, contracts, and underwriting. Cyber risk pricing remains nascent, and lessons from this market-driven approach have not filtered into broader cyber policy conversations or cybersecurity operational activities.”

CyberScoop is first to report on the paper, which anticipates the best bet for creating a federal cybersecurity reinsurance program is to tie it to the 2027 expiration of the Terrorism Risk Insurance Act (TRIA). Congress passed the law after the Sept. 11 terrorist attacks to create a federal backstop for massive events when insurance protection threatened to become scarce.

Given how insurance contracts work, Congress’ real deadline for reauthorizing TRIA is the end of 2026, so 2025 is a key year for taking action in order to begin holding hearings and writing legislation, Leiserson told CyberScoop.

Skeptics of creating a TRIA-like cybersecurity reinsurance program contend it would be difficult for a host of reasons, such as a lack of necessary data, and maybe inadvisable anyway due to the potential taxpayer burden and other factors.

The proposal from Leiserson — who worked on cyber issues as a Hill staffer and at the Office of the National Cyber Director, and who is now senior vice president for policy at the Institute for Security and Technology — attempts to answer those challenges, as well as the ones currently facing the industry.

The fundamental recommendation: “Congress should design and authorize a reinsurance program designed to mitigate systemic risk associated with cyber incidents that are already covered by most cyber insurance policies. The program should provide for government coinsurance above a certain threshold, have a cap on total liability, and be funded through recoupment should it be triggered.”

The recoupment mechanism, Leiserson told CyberScoop, would be a kind of fee or tax on insurance companies paid over time. That would be applied after the government backstop is invoked when, say, “a virulent worm spreads like wildfire across the globe,” he wrote. Without a backstop, a sufficiently catastrophic attack would likely trigger the federal Stafford Act disaster recovery law, leaving the government and taxpayers on the hook anyway, he said.

Insurance companies would likely pass recoupment costs along to customers, but it’s natural in the industry for an increase in risk to lead to higher premiums, he said. And if the backstop never got used, it “would simply allow the country to reap the benefits of cheaper capital and lower premiums today,” he wrote.

In light of existing coverage gaps, the point of limiting the proposal to risks already covered by cybersecurity insurance policies today is that a backstop program makes the cost of capital cheaper by protecting against “tail risk” in the form of a rare event, and that would translate into lower premiums for more coverage down the line, Leiserson said.

The backstop should be accompanied by a requirement for data sharing by its participants, the paper recommends — data that’s anonymized and shared with the government or a designated third party.

“Validated cyber incident data is difficult to come by,” the study says. “It is even harder to find such data paired with information about the control environment on the victim’s systems. Whether due to fears of reputational harms or lawsuits by shareholders or customers, victim organizations are quite reticent to share such data — but one of the few places they do share, at least to some extent, is with their insurers.”

Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said the next step for the think tank is to write draft legislation and present it to lawmakers.