Most importantly, what is the mechanism to pay for cyber damage? Many states are wrestling with this problem. Recently, New York State has become the first state in the nation to issue regulations for cybersecurity for companies doing business in New York State. The New York State regulation prescribes fines for its full violation, and has already enforced fines against corporations. Other states are reviewing, and some are adopting, the National Association of Insurance Commissioners (NAIC) Model Law. Articles about cybersecurity and cyber insurance appear in this issue of the IRC newsletter.

The newest question is whether cyber insurance will become so expensive and unavailable in the private sector that Congress will need to adopt a TRIA-like solution to provide several layers of cyber insurance. The Terrorism Risk Insurance Act of 2002 (TRIA), extended several times and now expiring on December 31, 2027, has as its core a concept of several layers of insurance, both private and government. The first layer in TRIA is private insurance, the second layer is by government, and the third level is by private insurance. This private-public-private insurance concept has allowed insurance to be written on many high-rise construction projects, among others. Without this insurance, many large projects in urban areas would never have been able to obtain insurance covering terrorism. TRIA has worked well, and it is recommended that Congress consider this TRIA-like layered approach for cybersecurity and cyber damage.

It is noteworthy that the Terrorism Risk Insurance Program Reauthorization Act of 2019 (P.L. 116-94), which extends TRIA for seven years through December 31, 2027, acknowledges that Congress is recognizing the important and emerging issue of cyber. The Act requires the U.S. General Accountability Office (GAO) to conduct a study on cyber terrorist risks, including a determination of whether the current coverage for cyber under property and casualty insurance is adequate, the private insurance market's ability to adequately price cyber risks, and the potential costs of cyber attacks; and to consider whether the TRIA structure [private insurance layer - government layer - private insurance layer] is appropriate to cover cyber terrorism. As of May 2021 the GAO study has not yet been completed or released.

Several “white paper” studies and other articles published recently in The Insurance Journal and other media outlets clearly favor a layered private and government insurance program, similar to TRIA. This editorial is in favor of a TRIA-like structure of private and government insurance to cover the growing risk of significant cyber terrorism damage. There must be a solution put in place – soon.