Cyber insurance: when do war exclusions apply?

Cyber-attacks are now a central battleground in modern geopolitics. What once began with relatively basic forms of espionage has evolved into large-scale coordinated attacks, perpetrated by state- and non-state actors alike. Against a backdrop of persistent geopolitical tension, organisations now face an elevated and increasingly complex cyber risk landscape.

Despite this, standard Cyber Insurance policies typically exclude incidents relating to war or war-like action. As a result, it is essential that organisations understand when exclusions might be triggered, and what they do – and do not – cover.

Why do cyber policies exclude war?

The scale of potential losses arising from war are catastrophic, potentially threatening the viability of the global insurance market. As such, war-linked cyber-attacks are excluded under cyber policies. For the most part, this includes undeclared war and/or war-like action.

Over the last few years, war exclusions have undergone significant refinement. The industry has moved not only to define what constitutes “war” in the cyber context, but also to introduce concepts such as a “cyber operation”, which is generally defined by insurers as a cyber-attack carried out by, or at the direction of, a sovereign state.

Who decides whether an exclusion is triggered?

When handling claims under war exclusions, the burden of proof remains with the insurer. In practice, this means that to prove that the war exclusion applies, the insurer must demonstrate (based on typical exclusionary language) that a given cyber-attack:

  • Was carried out by, or at the direction of, a sovereign state; and

  • Has been conducted as part of war; or

  • Has caused a “major detrimental impact” to the functioning or the security of a state – either due to the disruption of essential services, or the state’s security or defence.

These thresholds are not intended to help insurers evade legitimate claims. Instead, they are intentionally stringent – reflecting the complexity of attribution, and the significant implications that would likely follow if an exclusion were invoked. As a result, it may be incredibly difficult for an insurer to prove any of the above. However, even if the above cannot be proved, the need for insurers to gather evidence as part of the attribution process may cause delays to policy payments. This may carry knock-on consequences for the organisations affected.

What is an “essential service”?

Lloyd’s Market Association (LMA) clauses provide examples of services which may qualify as essential, such as financial market infrastructure, health services, or utilities. But this list is not exhaustive. For attacks on other core services – such as transportation or telecommunications networks – whether an exclusion is triggered will be subject to interpretation, with the outcome depending on the insurer’s analysis of the specific attack in question.

Do exclusions require a formal declaration of war?

A formal declaration of war is generally not required to trigger an exclusion. As above, cyber insurers largely rely on an analysis of the impact and nature of specific attacks and events in applying war exclusions. Nevertheless, a declaration of war may factor in insurers’ decisions about the applicability of a war exclusion.

Cyber-war exclusions in practice

To help our clients better understand how insurers may intend to apply the war exclusion, we have outlined some hypothetical scenarios which are reasonably likely or unlikely to be covered:

Scenario 1

State A is at war with State B. A threat actor which is believed to be operating at the direction of State A launches a cyber-attack against a large weapons manufacturer in State B. Owing to the possible link between the war and the manufacture of weapons, the attack is likely to be classed as a “cyber operation”. The insurers will have to prove that the exclusion applies, and that the link clearly exists.

Scenario 2

State A is at war with State B. A threat actor which is believed to be operating at the direction of State A launches a cyber-attack against a large drink manufacturer in State B. Because the link between war and the drinks manufacturer is less evident, this attack is unlikely to fall within the exclusion. Insurers will have to prove that the exclusion applies, and that a link clearly exists between the threat actor and the war.

Scenario 3

State A is at war with State B. A company is domiciled in State C, which is not at war with A and B, but has some offices in State B. A state cyber-attack is launched from State A and affects the firm’s offices in State B. The malware spreads laterally within the company and all offices worldwide are down. In this case, it is likely that the part of the loss which occurred in State B would be excluded (if there is an established connection with the war) but the collateral losses incurred elsewhere may not be excluded as there is no direct connection to the war.

As noted, the above scenarios are hypothetical. We are not currently aware of any claims under a Cyber Insurance policy that have been denied on the basis of a war exclusion.

Talk to us

To limit the damage of a potential cyber-attack, consult your brokers to review your existing Cyber policy and discuss its wordings regarding cyber exclusions. There may be opportunities to craft policy language that could affect when and how exclusions are invoked, and which better reflect your tolerance for risk.

For more information, contact a member of our Cyber and Technology (opens a new window) team.

Our latest Cyber and Technology insights

Conceptual image of Earth with data streams and digital overlays, ideal for themes involving artificial intelligence, big data, and global tech innovation.
(World Map Courtesy of NASA: https://visibleearth.nasa.gov/view.php?id=55167)
Articles

Global cyber threat report: 2026