Cyber insurance war exclusions, explained
Recent events in the Middle East have left organizations confronting how geopolitical crises can translate into heightened cyber risk. Periods of armed conflict are often accompanied by increased malicious cyber events, ranging from state-on-state attacks to sympathetic hacktivist activity to spillover disruptions affecting organizations far removed from the battlefield. These conditions frequently prompt renewed scrutiny of cyber insurance policies, particularly exclusions related to war and nation‑state activity.
It is critical that companies assess their exposure during the current conflict and future geopolitical crises. To do this, cyber insurance buyers should understand why war exclusions exist in most policies, when they may be triggered, and what they do — and do not — exclude.
The Q&A below addresses commonly raised questions regarding war exclusions in cyber insurance policies.
This material is provided for informational purposes only and does not constitute legal advice. The discussion below is intended to provide high‑level educational context regarding cyber insurance war exclusions and should not be relied upon in connection with any specific claim, loss, or set of circumstances. Cyber insurance policyholders should consult with their own insurance brokers, coverage counsel, or other professional advisors regarding the interpretation and application of policy terms, including war exclusions, as they may apply to their individual facts and risk profiles.
Q: Why does my cyber insurance policy have a war exclusion?
A: War exclusions are designed to ensure the insurance ecosystem remains functional for the risks it was built to address. The reasons for including war exclusions in modern policies are twofold:
War-related risks are systemic and potentially sizable. A single cyber event during a war can impact thousands of policyholders. Insurers generally view war as a state-level event that they cannot accurately price for or absorb. As such, cyber policies — like other property, casualty, and management liability insurance policies — are not designed to protect policyholders against most war-related risks.
By excluding war coverage from policies, carriers can ensure that the cyber insurance market remains viable and solvent. Without being required to respond to potentially catastrophic wartime losses, cyber insurers can instead ensure that policies respond to the everyday needs of policyholders, providing protection against ransomware, business interruption, and data breach events.
Given this, most cyber insurance policies included a war exclusion modeled after those historically used in other property and casualty insurance lines. Over time, insurers recognized that those exclusions were not tailored to cyber risks. Since then, insurers have adopted more cyber-specific war exclusions, often drawing from model language introduced by the Lloyd’s Market Association (LMA) in 2021.
Q: When does a war exclusion typically apply?
A: War exclusions in cyber policies have rarely been invoked and are most likely to apply when a cyberattack is made by a party to an armed conflict against an opposing warring party and is meaningfully connected to the war.
Importantly, war exclusions are not designed to help insurers evade legitimate claims. Litigation relating to war exclusions in connection with other lines of coverage has shown that courts will often interpret the exclusionary language narrowly. As is generally the case across all forms of insurance, the burden of proving that an exclusion applies falls on the insurer.
War exclusions should not apply to:
Criminal exploitations of wartime disruption — for example, via coincidental ransomware attacks.
Hacktivist attacks.
Opportunistic war-themed attacks.
Q: What types of losses are excluded?
A: The most commonly used versions of the LMA war exclusions include two distinct triggers:
Cyberattacks during armed physical conflicts. This includes cyberattacks carried out in the context of active, armed physical conflicts — traditional “war” — during which one or more states are engaged in kinetic military operations. Cyber operations must be meaningfully connected to the conduct of these physical conflicts to trigger war exclusions in policies.
Large-scale nation-state cyberattacks absent physical conflicts. War exclusions can be triggered in the event of significant cyberattacks conducted by nation-state actors separate from declared physical conflicts. This is the more contested and consequential trigger of war exclusions.
Q: Is a formal declaration of war by a government required for war exclusions to be triggered?
A: Generally, a formal declaration of war is not required. Cyber insurers are largely adopting the same approach as the LMA, which relies on an analysis of the impact and nature of specific attacks and events in applying war exclusions and is not contingent on whether a formal declaration of war has been made. However, some individual carriers are taking a different approach; a declaration of war may factor into decisions about the applicability of war exclusions for these insurers.
Q: Does a physical conflict need to begin before a cyberattack by a party to a conflict for the war exclusion to be triggered?
A: It depends on policy language. Some policies may require the outbreak of armed, physical conflict to trigger an exclusion. Other policies may exclude cyberattacks that occur or are part of the immediate run-up to a war.
Q: Is language in war exclusions negotiable?
A: Yes, to some extent. You should discuss appropriate language with your broker based on your industry and the geographies in which you operate.
Your choice of insurer matters: Lloyd’s requires its syndicates to implement compliant solutions, most commonly in line with the model language introduced by the LMA. In addition, some reinsurers are requiring insurance companies to use appropriately written war exclusions.
Q: If our company experiences a loss that could be subject to the war exclusion in our policy, what should we do?
A: Consult with your broker and work with them to review your policy and its applicable exclusions. Depending on your broker’s advice, you would likely report the claim to your insurer.
Q: What else should companies do to mitigate potential cyber risks during the current conflict?
A: As always, companies should focus on cybersecurity and proper cyber hygiene. Amid the current conflict, organizations may wish to emphasize the need for employees to stay vigilant about potential threats. Organizations should also consider how they can learn from unfolding events involving other organizations. For example, the recent attack against medical technology company Stryker — in which cyberattackers used adversary-in-the-middle phishing tactics to steal tokens, access Microsoft Intune portals, and execute a bulk-wipe action — highlighted four key measures organizations should consider:
Phishing-resistant multifactor authentication and token protection.
Using phishing-resistant credentials such as FIDO2 keys or Windows Hello for Business for all administrative accounts can prevent tokens from being valid if stolen, as they are cryptographically bound to real domains. Companies can also consider enforcing conditional access policies that require administrators to use managed, compliant workstations.
Multi-admin authorization (MAA).
MAA is the most critical safeguard against bulk-wipe actions. For example, enabling Intune’s built-in MAA feature can require a second administrator to approve high-risk actions, such as device wipes, retirements, or deletions. With MAA enabled, compromised accounts are unable to initiate mass wipes, which buys time for organizations to detect intrusions.
Just-in-time privileged access.
Instead of allowing administrators to have permanently active “standing” privileges, implementing privileged identity management can ensure that administrators must explicitly “activate” their roles for a limited time, requiring justification and — ideally — approval.
Behavioral monitoring and alerting.
Organizations should configure their alerts to immediately notify security teams when a high number of devices — for example, five or more — are wiped within a short timeframe. Companies can also allow for faster intervention by regularly auditing admin logs for unusual activity, such as logins from unexpected locations.
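The bulk-wipe alert described above can be expressed as a per-administrator sliding window over device-management audit events. The following is an added example, not code from the original article or from any vendor: the log schema, the sample events, the 10-minute window and the choice to count retire and delete actions alongside wipes are all assumptions made for illustration.

```python
import json
from collections import deque
from datetime import datetime, timedelta

# Constructed audit events. The field names are an assumed, simplified schema,
# not the export format of Intune or any other product.
SAMPLE_LOG = """\
{"time": "2025-01-10T01:10:00Z", "actor": "helpdesk-b@example.com", "action": "wipe", "device": "LT-900"}
{"time": "2025-01-10T02:00:05Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LT-001"}
{"time": "2025-01-10T02:00:40Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LT-002"}
{"time": "2025-01-10T02:01:10Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LT-002"}
{"time": "2025-01-10T02:01:30Z", "actor": "admin-a@example.com", "action": "sync", "device": "LT-050"}
{"time": "2025-01-10T02:02:00Z", "actor": "admin-a@example.com", "action": "retire", "device": "LT-003"}
{"time": "2025-01-10T02:03:15Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LT-004"}
{"time": "2025-01-10T02:03:50Z", "actor": "admin-a@example.com", "action": "delete", "device": "LT-005"}
{"time": "2025-01-10T02:04:20Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LT-006"}
"""

HIGH_RISK = {"wipe", "retire", "delete"}  # assumed set of destructive actions

def parse_events(text):
    """Yield one dict per JSON line, with 'time' converted to an aware datetime."""
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
            yield event

def detect_bulk_actions(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per burst when one actor hits >= threshold distinct devices in window."""
    recent, alerted, alerts = {}, set(), []
    for event in sorted(events, key=lambda e: e["time"]):
        if event["action"] not in HIGH_RISK:
            continue
        actor, now = event["actor"], event["time"]
        queue = recent.setdefault(actor, deque())
        queue.append((now, event["device"]))
        while queue[0][0] < now - window:  # drop events older than the window
            queue.popleft()
        devices = sorted({device for _, device in queue})  # repeats count once
        if len(devices) < threshold:
            alerted.discard(actor)  # burst ended, allow a future alert
        elif actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "triggered_at": now, "devices": devices})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_actions(parse_events(SAMPLE_LOG)):
        print(alert["actor"], alert["triggered_at"].isoformat(), alert["devices"])
```

Counting distinct devices rather than raw events keeps a retried wipe on one device from inflating the count, and suppressing repeat alerts within a burst avoids flooding the security team while the burst is still in progress.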
Q: What can companies do to ensure they have effective insurance coverage for potential cyber risks arising out of future geopolitical crisis events?
A: Companies should consult with their brokers, particularly to review how exclusions are written. There may be opportunities to craft policy language that reflects an insured’s tolerance for risk and that could affect when and how exclusions are invoked.
For more information on war exclusions and how to get the most out of your cyber insurance coverage, contact a member of your Lockton team or visit our cyber webpage.

