• Skip to main content
  • Skip to secondary menu
  • Skip to primary sidebar
  • Skip to footer
  • Contact Us
  • Post A Job

Agency Checklists

Massachusetts Insurance News & Job Opportunities

  • AC Interviews
  • Agency M&A
  • Career News
  • CAR News
  • DOI News
  • Coverage Cases
  • Innovation
  • InsurOp-Eds
  • AC Podcast
You are here: Home / Latest News / Is the Cyber Insurance Market Broken?

Is the Cyber Insurance Market Broken?

May 11, 2026 by Owen Gallagher

Federal debate over cyber insurance backstop highlighting systemic risk and accumulation challenges

A Washington Think Tank Says Yes — and calls for a Federal Reinsurance Backstop

Washington Is Paying Attention to the Cyber Insurance Problem

On May 8, 2026, the Foundation for Defense of Democracies — a respected, non-partisan national security think tank based in Washington, D.C. — submitted a detailed public comment to the United States Department of the Treasury with an unexpected look at cyber insurance.

The comment was filed in response to the Treasury’s solicitation of public input for its mandated 2026 Report on the Effectiveness of the Terrorism Risk Insurance Program, the federal program that backstops private insurers against losses arising from certified acts of terrorism. That program was established by the Terrorism Risk Insurance Act, enacted by Congress in 2002 in the immediate wake of the September 11, 2001 attacks, and has been reauthorized several times since.

The comment, authored by Nicholas Leiserson, an advisor at the Foundation’s Center on Cyber and Technology Innovation, and Aarushi Garg, a research intern in the same center, goes well beyond the narrow questions Treasury posed. It makes a sweeping and carefully documented argument: the cyber insurance market has a fundamental structural problem the private sector cannot fix on its own, and only a standalone federal cyber reinsurance program will resolve it. For Massachusetts property and casualty insurers, agents, and brokers who write cyber business — or who are watching the market contract around them — this report deserves attention.


A Market That Has Grown But Not Matured

The United States cyber insurance market has reached over $14 billion in gross written premium — the total premiums charged before amounts are ceded to reinsurers — but the Foundation for Defense of Democracies report argues that growth has masked a troubling failure to mature. The most striking evidence is the size of the “protection gap.” In 2016, the White House Council of Economic Advisers estimated that malicious cyber activity was costing the American economy between $57 billion and $109 billion annually, a figure the authors note has only grown since. Yet total United States cyber insurance claims amounted to only approximately $3 billion in 2023. The report characterizes that gap plainly as evidence of market failure.

The growth story has also stalled. After gross written premium roughly doubled between 2021 and 2022, global growth slowed to under four percent in 2023. The following year the United States cyber market actually contracted, with direct written premiums — those collected before ceding risk to reinsurers — falling seven percent and the number of policies in force declining as well, according to data from the National Association of Insurance Commissioners. Facing rising premiums and narrowing coverage terms, a growing number of commercial policyholders have chosen to self-insure or abandon cyber coverage entirely.


Failing at Its Stated Purpose

Federal policymakers have long expected cyber insurance to serve a dual role: compensating victims and incentivizing better cybersecurity practices across the economy. The report concludes bluntly that the market is falling short on both counts. While the senior executives responsible for organizational cybersecurity — a role now commonly known as Chief Information Security Officer, the executive who owns an organization’s information security strategy — report that the underwriting process gives them internal leverage to push for stronger security investments, underwriting has not driven meaningful systemic improvement. Self-attestation remains the foundation of most cyber underwriting, and carriers have not used the claims adjustment process to enforce the risk-mitigation commitments policyholders made when applying for coverage. The hoped-for body of evidence linking specific security controls to reduced claims has simply not emerged.


The Structural Problem: Why Private Markets Cannot Fix This on Their Own

The report’s most important analytical contribution is its diagnosis of accumulation risk as the inescapable structural constraint on the cyber insurance market. In traditional insurance lines, geographic and operational diversity allows insurers to spread risk across largely independent events. Cyber risk does not work that way. Just three operating systems dominate desktop and laptop computing; three hyperscale cloud providers — Amazon Web Services, Microsoft Azure, and Google Cloud — command the overwhelming majority of enterprise infrastructure. Because most businesses rely on broadly identical underlying technology, a single software vulnerability can simultaneously affect an insurer’s entire book of business. The 2017 WannaCry ransomware attack and the 2024 CrowdStrike software failure are vivid examples of how quickly correlated losses can cascade across industries and geographies. Private reinsurance cannot resolve this either, because reinsurers face the exact same diversification problem regardless of how many carriers’ policies they write.

The report warns that the problem is worsening with the rapid advancement of artificial intelligence tools capable of identifying and exploiting software vulnerabilities at scale. Industry analysts have described the potential for a single widely exploited artificial intelligence-identified vulnerability as a “cyber catastrophe” event affecting thousands of organizations simultaneously — precisely the kind of correlated, market-wide loss that private capital is structurally unable to absorb. Compounding matters further, state-backed cyberattacks cannot be priced actuarially at all, and the “war exclusions” carriers have added to address this gap have generated their own litigation risk, given the absence of settled case law defining what constitutes “cyber war” for insurance purposes.


Why the Existing Federal Terrorism Insurance Framework Does Not Fit

Treasury’s request for comment invited input on whether the Terrorism Risk Insurance Program could be extended to address cyber losses. The Foundation for Defense of Democracies answers essentially: no. The program was designed to reverse a coverage exclusion — after September 11, insurers had largely stopped offering terrorism coverage, and Congress required them to offer it again. The cyber insurance problem is different: coverage is widely available, but accumulation risk limits how much of it insurers can provide at prices the market will bear. The existing program also activates only after a formal government certification of a terrorist attack reaching a defined loss threshold — and notably, no certified attack has ever triggered that reinsurance since the program’s inception. Cyber losses are overwhelmingly attritional, occurring daily across the market rather than as rare catastrophic events awaiting a government declaration. And the vast majority of cyber incidents that American businesses experience cannot be characterized as acts of terrorism in any event, meaning the existing framework addresses only a small fraction of the actual exposure.


The Case for a Standalone Federal Cyber Reinsurance Program

The Foundation for Defense of Democracies recommends that Treasury use its 2026 Effectiveness Report — due to Congress by June 30, 2026 — to formally recommend that Congress authorize a standalone federal cyber reinsurance program. The proposed architecture is deliberately straightforward. Participating insurers would retain an initial layer of losses with no government reimbursement, preserving underwriting discipline. For losses above that threshold, a coinsurance arrangement would apply, with the carrier paying a defined percentage and the federal government paying the balance. A cap on total federal liability would protect taxpayers, and the government would recoup payouts through a surcharge on cyber policies industry-wide — a mechanism the report prefers over prepaid premiums, which are difficult to calibrate without mature actuarial data. The backstop would activate only for correlated, market-wide loss events, not for day-to-day attritional losses. Treasury would set retention amounts and coinsurance percentages through regulation rather than statute, allowing the program to evolve as the market matures.

A notable secondary feature of the proposed program is a mandatory data sharing requirement as a condition of carrier participation. Insurers would be required to share anonymized incident data at regular intervals with the government or a designated third party. That aggregate data, returned to the broader cybersecurity community, could finally provide the evidence base for effective security controls that the market has failed to generate on its own — a benefit the authors describe as reaching well beyond the insurance sector.


What Massachusetts Property and Casualty Professionals Should Take From This

For insurers, agents, and brokers in the Massachusetts property and casualty market, several practical implications follow. If a federal backstop relieves the tail-risk burden from carriers’ balance sheets, the expected result is more available capacity and downward pressure on premiums — welcome news for agents placing mid-market commercial accounts that have increasingly found cyber coverage unaffordable or self-insured out of frustration. The mandatory data sharing requirement could, over time, produce the actuarial foundation the market currently lacks, improving pricing accuracy and eventually enabling underwriters to move beyond self-attestation. On war exclusions, Massachusetts carriers should take note of the report’s warning: the absence of settled legal standards on what constitutes “cyber war” for insurance purposes is a growing litigation exposure, and the disputes that have followed major state-attributed attacks are a preview of what lies ahead as geopolitical cyber activity escalates.

On timing, the Treasury’s report is due within weeks. If it recommends a standalone federal cyber reinsurance program, congressional debate will follow, and the industry will have an early opportunity to shape the outcome. Massachusetts insurers, reinsurers, and their trade associations should be watching and considering whether to engage.


A Debate the Industry Cannot Afford to Ignore

The Foundation for Defense of Democracies’ public comment is one voice in an ongoing federal rulemaking process, but it is a sophisticated one. The broader debate has been building for years: the Government Accountability Office — Congress’s independent, non-partisan auditing and research arm — recommended in 2022 that Treasury assess the potential for a federal insurance response to catastrophic cyber incidents, and Treasury has convened stakeholder conferences in 2023 and 2024 to explore program design. The 2026 Effectiveness Report may be the moment this discussion produces a concrete legislative recommendation.

Whatever one thinks of a federal backstop, the structural diagnosis the report offers — accumulation risk as the inescapable constraint on cyber insurance market growth, worsening with the spread of artificial intelligence-enabled attack tools — is one that every property and casualty professional writing cyber business should understand. Massachusetts professionals who want to follow this issue seriously are well served by going directly to the source. The full report is only nine pages, but it carries 43 footnotes pointing to government studies, rating agency analyses, academic research, and congressional testimony. For anyone who wants to dig into the underlying evidence on cyber insurance market structure, federal backstop design, or the war exclusion debate, that citation apparatus alone makes the report an exceptionally useful starting point.


About the Foundation for Defense of Democracies

The Foundation for Defense of Democracies is a non-partisan policy institute based in Washington, D.C., focused on national security and foreign policy. Its Center on Cyber and Technology Innovation examines the intersection of emerging technology, economic policy, and national security. The public comment discussed in this article was authored by Nicholas Leiserson, an advisor at the Center on Cyber and Technology Innovation, and Aarushi Garg, a research intern at the same center. It was submitted to the United States Department of the Treasury on May 8, 2026, in response to the Treasury’s Request for Comment on the 2026 Report on the Effectiveness of the Terrorism Risk Insurance Program.

The full report, with complete citations and source references, is available free of charge at:https://www.fdd.org/analysis/2026/05/08/2026-trip-effectiveness-report/

Primary Sidebar

Search Our Archives Here

Job Board

Career News

Union Mutual Insurance Company President and CEO Lisa Keysar, who announced her retirement effective December 31, 2026.

Union Mutual Celebrates the Career of Lisa Keysar and Announces Next Chapter in Leadership

The winner of the MAIW/Essex Chapter Scholarship for 2026

The Winners Of The MAIW’s Essex/Middlesex Chapter 2026 Estelle Jeter Scholarship

Smiling woman in a dark blazer and blue top, posing for a professional headshot against a neutral gray background.

Sarah Jarvis Joins Vermont Mutual as Vice President and Chief Administrative Officer

View All

MA Division of Insurance Advertisements

Official notice on Commonwealth of Massachusetts Division of Insurance letterhead dated July 1, 2026, regarding license amendment for OBI America Insurance Company at Plymouth, MN address for Accident and Health insurance in the Commonwealth.
Official notice from the Commonwealth of Massachusetts Division of Insurance about OBI National Insurance Company’s license amendment, dated July 1, 2026, with address block and filing instructions.
Official Massachusetts Division of Insurance notice to General Security National Insurance Company about amending its foreign license to transact property and casualty insurance, dated July 1, 2026.

Listen Now

Sponsor

Interviews

From Nuptials, Tickets, and Taxes to Trusted Advisor: One Agency’s Unique Path to P&C Success

A Conversation with Evan Silverio, President & CEO of Silverio Insurance Group

Deland, Gibson Celebrates 125 Years: A Conversation with CEO Chip Gibson

The Fourth-Generation Family-Owned Agency is Based in Wellesley

Talking with Richard Welch: Growth and Innovation at Hospitality Mutual | Agency Checklists

Talking with Richard Welch: Growth and Innovation at Hospitality Mutual

Mr. Welch is CEO of Massachusetts-based Hospitality Insurance Group

Born and Bred in the Bay State: The Special Agent Story

Our Latest Agency Interview is with the Founder & President of Special Agent

A Conversation with Daniel C. Bridge – The 2023 Insurance Professional of the Year

Daniel Bridge is Board Chair, President, and CEO of Vermont Mutual Insurance Group

Making The Leap From Corporate to Entrepreneur: Nadeen Vella On Building NaVella Insurance From Scratch

Making The Leap From Corporate to Entrepreneur: Nadeen Vella On Building NaVella Insurance From Scratch

Our latest Agency Interview is with Nadeen Vella, the founder and owner of a virtual scratch independent agency.

View All

InsurOp-Eds

Agency Checklists, MA Insurance News, Mass. Insurance News

InsurOp-Ed – Proposed Uber Bill Keeps Public And TNC Drivers at Risk

By Brian Boucher

COVID-19 Business Interruption Claims | Massachusetts

May A Mass. Statute Bar COVID-19 Business Interruption Claims?

By Owen Gallagher

Agency Checklists, MA Insurance News, Mass. Insurance News

A Fond Farewell: Frank Mancini Addresses The Big Event Attendees At The Arbella Gourmet Luncheon

By Owen Gallagher

Agency Checklists, MA Insurance News, Mass. Insurance News

InsurOp-Ed: How to Explain Coinsurance to Clients

By Bill Wilson

View All

In Memoriam

Gordon Elliott Taylor, longtime owner of the Blackmer Insurance Agency in Shelburne, Massachusetts, who served the local insurance community for decades.

In Memoriam: Gordon Elliott Taylor

William R Berkley founder of W R Berkley Corporation and leader in commercial insurance industry

W. R. Berkley Corporation Announces the Passing of Its Founder and Executive Chairman, William R. Berkley

Michael R Quinn longtime leader of Allan M Walker Insurance Agency in Taunton Massachusetts

Taunton Insurance Leader Michael R. Quinn Dies at 70

Footer

Contact us

We offer a variety of ways to get help promote your company or product.

Announcements
Email Sponsorships
Partnerships
Custom Collaborations

*Affiliate Disclosure

Please note that any of Agency Checklists’ articles might contain one or more affiliate links. This means that any subsequent purchase resulting from these links may result in a commission for us, but at no additional cost to you. For example, as an Amazon Associate, Agency Checklists earns a commission from all qualifying purchases. By working with affiliates we can continue to keep Agency Checklists subscription free. Thank you for your support.

Explore Our Archives

Copyright © 2026 · Agency Checklists · All rights reserved.

Loading Comments...