Lawmakers and witnesses debate whether cyberattacks can qualify as ‘terrorism’ under TRIA, cite attribution and intent challenges

5785117 · September 18, 2025

AI-Generated Content: All content on this page was generated by AI to highlight key points from the meeting. For complete details and context, we recommend watching the full video.

Summary

At a House subcommittee hearing, witnesses said TRIA can cover cyberattacks that are certified as terrorism, but attribution and intent make certification difficult; members discussed the interplay of cyber, nation‑state attacks and TRIA's statutory scope.

Members of the House Financial Services subcommittee explored how TRIA applies to cyber incidents and whether cyberattacks should be treated similarly to kinetic terrorism events for insurance purposes.

Representative Ritchie Torres asked for clarity on the distinction between cyberattacks, cyberterrorism and cyberwar. Barrett Weibel of the Congressional Research Service answered that the statute focuses on the "intent of the actor" and that attribution in the cyber context is often difficult. "The decision to certify is a political decision, not a legal decision," Weibel said, noting the secretary of the Treasury has sole, unreviewable discretion to certify acts for TRIA purposes.

Witnesses noted that TRIA covers insured property‑casualty losses that are contracted in private policies; if an event is certified as terrorism and the underlying policy covers the loss, TRIA would apply. Several witnesses cautioned about practical limits: nation‑state attacks can raise "acts of war" exclusions and attribution may be unclear, complicating whether Treasury could or would certify a cyber event as terrorism.

Members raised consequences for critical infrastructure, including water systems, energy grids and airports, and asked whether a separate federal cyber backstop might be warranted. Some witnesses warned that rolling cyber into TRIA without careful drafting could create contractual and market uncertainty; others said existing TRIA language can cover cyber terrorism where intent and attribution permit certification. The panel did not endorse a single legislative approach but recommended that Congress consider cyber attribution, the potential for war exclusions, and the need for clear rules if TRIA's scope is to cover more cyber risk.