
- Since 2023, many cyber policies have adopted clearer language around state-backed attacks (often called “cyber war” or “cyber operations”), but the details vary a lot by carrier. [Lloyd’s; DAC Beachcroft]
- Court rulings and settlements after NotPetya showed that legacy “war” wording can be too vague, but those cases involved property policies, not cyber policies, and they did not settle the question for modern cyber forms. Read your wording. [SecurityWeek; Insurance Journal]
- For most buyers, well-written policies still cover the overwhelming majority of incidents. The key is knowing what is excluded, how attribution works, and what triggers apply. [DAC Beachcroft; WTW]
What changed since 2023?
- Lloyd’s Market Bulletin Y5381 required standalone cyber policies to address state-backed cyber operations explicitly from March 31, 2023, prompting wide adoption of model clauses. [Lloyd’s]
- The LMA then issued updated model “cyber war/cyber operations” exclusions (replacing LMA5564–5567 with new versions) to meet the Y5381 requirements. Some versions include explicit attribution language; the “B” versions remove it. [DAC Beachcroft]
- In 2024, Lloyd’s bulletin Y5433 noted progress and refined expectations as the market implemented those models. Translation: more consistency, but still meaningful differences across policies. [DAC Beachcroft]
Bottom line: today’s exclusions are more explicit than the pre-2023 “war/hostile acts” boilerplate, but there is no single universal clause. The specific model and version on your policy matters. [WTW]
What these clauses usually try to do (plain English)
Modern exclusions aim to carve out large-scale, state-linked cyber operations akin to warlike activity. Typical levers you’ll see:
- Who/what is behind it (state or state-backed actor; sometimes tied to an official attribution).
- Scale and effect (e.g., widespread impairment of a state’s functioning or critical infrastructure).
- Where the loss occurs (primary target vs. bystander collateral damage).
- Attribution mechanics (whether a “competent authority” or the insurer can determine it).
The model clauses range from broader to narrower exclusions; “A” versions typically include attribution wording while “B” versions omit it. Ask which form and version your policy uses. [WTW]
What courts have (and haven’t) settled
The well-known NotPetya disputes (Merck; Mondelez) dealt with property/all-risk policies, not modern cyber forms. Merck settled in 2024 after lower courts found the legacy war wording too narrow to bar coverage; Mondelez settled in 2022. Neither created definitive precedent for today’s cyber clauses, but both show that old “war” language struggled to fit cyber reality. [Insurance Journal; SecurityWeek; CSO Online]
Practical impact for buyers
For most organizations, these exclusions don’t affect everyday ransomware, BEC, or vendor-related incidents; they are aimed at extreme, state-scale events. But wording matters at the margins, especially for concentrated third-party events (think mass exploitation of widely used software or cloud platforms). Recent waves such as the MOVEit mass exploitation (2023) and the 2024 Snowflake customer compromises show why clarity on “systemic,” “widespread,” or “state-linked” matters. [CISA; WIRED]
Red flags (and green lights) in the fine print
Watch for:
- Vague triggers like “widespread” impairment without thresholds or definitions.
- Attribution shortcuts that treat any government statement as dispositive.
- Over-broad “state-backed” language that could capture ordinary criminal operations.
Reassuring signs:
- Clear definitions of “cyber operation,” “state,” “widespread,” and “critical functions.”
- Attribution that requires credible, competent authority (and allows contrary evidence).
- Carvebacks preserving cover for bystander organizations not directly participating in a conflict. [DAC Beachcroft; WTW]
Questions to ask your broker/carrier
- Which exact clause and version is on my policy? (Ask for the form number and whether it is the “A” or “B” version.) [DAC Beachcroft]
- How is attribution determined? Who counts as a competent authority, and what happens if authorities disagree? [WTW]
- What is the trigger for “widespread” or “significant” impairment? Are there objective criteria? [DAC Beachcroft]
- Are there carvebacks for collateral damage when my company isn’t the intended target? [WTW]
- How are systemic vendor events handled (e.g., mass exploits or abuse of cloud tenants)? [CISA]
Risk & readiness checklist (helps both coverage and outcomes)
- Identity & MFA everywhere, especially for vendors and admins. (The 2024 Snowflake campaigns hit customer tenants that had not enforced MFA.) [The Hacker News; The Register]
- Patch externally exposed tools fast (e.g., RMM/remote-access products such as ConnectWise ScreenConnect; CVE-2024-1709 was actively exploited). [CISA]
- Know your critical dependencies (SaaS, MFT, cloud data warehouses), map data flows, and run tabletop exercises for third-party incidents. [CISA]
- Align governance to current standards. Map cyber risk management to NIST CSF 2.0 and keep Board-level visibility consistent with SEC disclosure expectations (even if you’re private, the bar is becoming market practice). [NIST; NIST CSRC; SEC]
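The first two checklist items are the ones an underwriter is most likely to ask you to evidence. The script below is an added example, not code from the original post or from any vendor: it turns a login-history export into a list of accounts still using password-only logins, and checks an inventory of internet-exposed admin tools against a minimum patched version. Both inputs are constructed sample data. The column names are assumed to follow Snowflake’s ACCOUNT_USAGE.LOGIN_HISTORY view, and 23.9.8 is taken as the first ScreenConnect build that fixes CVE-2024-1709; confirm both against your own export and the vendor advisory before relying on the output.

```python
"""Added example (not from the original post): two evidence checks behind the
"MFA everywhere" and "patch exposed tools fast" checklist items.

Assumptions not stated on the page:
  * Login rows look like a CSV export of Snowflake's
    SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view (user_name,
    first_authentication_factor, second_authentication_factor, is_success).
  * ScreenConnect 23.9.8 is the first build fixing CVE-2024-1709; verify the
    threshold against the vendor advisory before acting on it.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of a login-history export (not real accounts or IPs).
LOGIN_HISTORY_CSV = """\
user_name,first_authentication_factor,second_authentication_factor,is_success,client_ip
svc_etl,PASSWORD,,YES,203.0.113.7
alice,PASSWORD,DUO_PUSH,YES,198.51.100.4
bob,PASSWORD,,YES,203.0.113.9
bob,PASSWORD,,NO,203.0.113.9
carol,OAUTH_ACCESS_TOKEN,,YES,198.51.100.12
"""


def password_only_logins(csv_text):
    """Return {user_name: count} of successful logins that used only a password.

    Logins whose first factor is already token- or key-based (SSO, key pair,
    OAuth) are not flagged: the exposure is interactive password-only access,
    which is what credential-stuffing campaigns exploit.
    """
    hits = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["is_success"].strip().upper() != "YES":
            continue  # failed attempts are noise for this check
        first = row["first_authentication_factor"].strip().upper()
        second = row["second_authentication_factor"].strip()
        if first == "PASSWORD" and not second:
            hits[row["user_name"]] += 1
    return dict(hits)


# Constructed inventory of internet-exposed admin tools (hypothetical hosts).
EXPOSED_TOOLS = [
    {"host": "sc01.example.test", "product": "screenconnect", "version": "23.9.7"},
    {"host": "sc02.example.test", "product": "screenconnect", "version": "23.9.8"},
    {"host": "sc03.example.test", "product": "screenconnect", "version": "23.9.10"},
    {"host": "vpn1.example.test", "product": "other-vpn", "version": "9.1"},
]

# Minimum safe version per product (assumption; keep in sync with advisories).
MIN_SAFE_VERSION = {"screenconnect": "23.9.8"}  # CVE-2024-1709


def _version_tuple(version):
    """Split "23.9.10" into (23, 9, 10) so comparison is numeric, not lexical.

    A plain string compare would rank "23.9.10" below "23.9.8" and miss or
    mis-flag hosts.
    """
    return tuple(int(part) for part in version.split("."))


def unpatched_hosts(inventory):
    """Return hosts whose product version is below the known-fixed version."""
    findings = []
    for item in inventory:
        floor = MIN_SAFE_VERSION.get(item["product"])
        if floor is None:
            continue  # no threshold recorded for this product
        if _version_tuple(item["version"]) < _version_tuple(floor):
            findings.append(item["host"])
    return findings


if __name__ == "__main__":
    for user, count in sorted(password_only_logins(LOGIN_HISTORY_CSV).items()):
        print(f"password-only logins: {user} x{count}")
    for host in unpatched_hosts(EXPOSED_TOOLS):
        print(f"unpatched exposed host: {host}")
```

The two returned lists are the artefacts to attach when a broker asks for your MFA posture and patch status: service accounts that appear in the first list are exactly the ones to move to key-pair or SSO authentication, and anything in the second list should be off the internet until it is patched.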
How this ties to 2025 trends
The 2025 Verizon DBIR reports continued growth in third-party involvement and in vulnerability exploitation, exactly the factors that enlarge an incident’s footprint. That is why your policy’s systemic and state-operation language needs to be explicit, and why your controls should limit the blast radius if a supplier is hit. [Verizon; Security Today]
FAQs
Does a government-linked actor automatically void my cover?
No. Modern clauses look at intent, scale, and impact, and many require credible attribution or specific triggers. Read your form and ask about carvebacks. [DAC Beachcroft]
If a mass-exploit hits thousands of companies, is that ‘widespread’ and excluded?
Not necessarily. “Widespread” should be defined in the form. Many forms still cover bystanders unless strict state-operation triggers are met. [WTW]
Do the NotPetya cases mean insurers must cover state attacks?
No. Those cases were largely about old “war” wording on non-cyber policies and ended in settlements or limited rulings. Today’s cyber forms use far more specific language. [Insurance Journal; SecurityWeek]
We’re not public—why care about SEC rules?
The SEC rules drive market expectations for governance and incident transparency. Investors, partners, and carriers are watching; good hygiene here helps both resilience and insurability. [SEC]
What to do next
- Ask your broker for the exact exclusion form/version and any available carvebacks.
- Document your MFA posture, third-party risk controls, and incident response playbooks.
- Review how your policy treats systemic vendor events and attribution.
- Connect with SeedPod to review your current wording and align controls with underwriting expectations.
References
- Lloyd’s Market Bulletins and LMA model clauses: Y5381; updated guidance and replacement clauses; attribution differences across “A”/“B” versions. [Lloyd’s; DAC Beachcroft]
- NIST CSF 2.0 (February 2024): official release and CSRC publication. [NIST; NIST CSRC]
- SEC cybersecurity disclosure rules (effective December 18, 2023) and practitioner summaries. [SEC; KPMG]
- Systemic events context: MOVEit (CISA/FBI advisory; reporting); Snowflake 2024 (investigator and media analyses). [CISA; WIRED; IANS; The Hacker News]
- Verizon DBIR 2025 (official report and coverage). [Verizon]