War Exclusion in Cyber
Cyber policy exclusion barring coverage for cyber events attributed to nation-state actors or occurring as part of armed conflict.
What It Is
The war exclusion in cyber insurance policies bars coverage for cyber events that constitute or arise from acts of war, including cyber operations conducted by or on behalf of nation-states. This exclusion has become one of the most debated provisions in cyber insurance since the NotPetya attack of 2017, which caused over $10 billion in global losses and was attributed to the Russian military.
Lloyd's issued Market Bulletin Y5381 in 2022 requiring all cyber policies to include a state-backed cyberattack exclusion effective March 2023. Lloyd's provided four model exclusion clauses ranging from broad (excluding any state-backed attack) to narrow (excluding only attacks that are part of an actual armed conflict). The US market has followed with varying approaches, and exclusion language differs significantly between carriers.
The core challenge with war exclusions in cyber is attribution. Unlike a missile strike, a cyberattack's origin is often unclear, disputed, or classified. Policies must address who determines attribution (governments, intelligence agencies, the carrier), what standard of proof applies, and what happens during the often-lengthy period before attribution is established. Some policies include a carve-back that provides coverage during a waiting period while attribution is pending.
Why It Matters for Brokers
Nation-state cyberattacks increasingly cause collateral damage to private businesses that are not the intended target. The NotPetya attack disrupted companies like Maersk, Merck, and FedEx despite targeting Ukraine. Brokers must compare war exclusion language across carriers because the breadth of the exclusion varies enormously. A broad exclusion could deny coverage for any attack attributed to a state actor, even if the insured was collateral damage, while a narrow exclusion only applies during active armed conflict.
Real-World Example
A US food distributor suffers $4.8M in losses from a wiper malware attack that the US government later attributes to a nation-state actor. Carrier A's broad war exclusion denies coverage because the attack was state-backed. Carrier B's narrow exclusion, which only applies to attacks occurring as part of a declared or acknowledged armed conflict between states, covers the claim because no armed conflict existed. Same loss, same premium tier, opposite coverage outcomes based solely on war exclusion language.
Common Mistakes
- 1Treating all cyber war exclusions as equivalent when the language varies dramatically between carriers, from near-total state-actor exclusions to narrow armed-conflict-only exclusions.
- 2Not discussing the war exclusion with clients, who may assume that any cyberattack they experience will be covered regardless of who launched it.
How brokerageaudit.com Handles This
brokerageaudit.com's Policy Checker categorizes the war exclusion language in each cyber policy on a spectrum from broad to narrow, enabling brokers to compare exclusions side-by-side across carrier quotes. The system highlights whether the exclusion includes a carve-back for collateral damage, an attribution waiting period, or a government-determination requirement.