By Ryan Windt | Head of Growth Marketing | Updated March 2026
Most cyber insurance policies now include specific language excluding losses from state-backed cyber operations. The intent is to carve out large-scale, warlike cyber events from standard coverage. The problem is that the wording varies significantly from policy to policy, the attribution mechanics are often unclear, and buyers rarely scrutinize these clauses until they need to file a claim.
This post focuses on how to read that fine print: what the clauses actually say, what triggers them, where the gaps are, and what questions to ask before renewal. For the broader threat landscape context including geopolitical risk, third-party spillover, and practical security controls, see our companion post on Geopolitical Cyber Risk and Cyber Insurance.
What Changed After 2023
Before 2023, most cyber policies used generic “war” or “hostile acts” exclusion language borrowed from property insurance. That language was written for physical conflict and was never designed to handle cyber events. The NotPetya cases exposed this clearly.
Lloyd’s Bulletin Y5381 changed the landscape. Effective March 31, 2023, Lloyd’s required all standalone cyber policies to include clearer, more specific treatment of state-backed cyber operations. This prompted widespread adoption of the LMA model clauses across the market.
The LMA released updated model war and cyber operation exclusions, replacing the earlier LMA5564 through LMA5567 forms with new versions. Two variants exist: A versions include explicit attribution language tied to a competent authority determination, while B versions remove the attribution requirement. The version on your policy matters because it determines how a claim would be evaluated in a disputed scenario.
In 2024, Lloyd’s Bulletin Y5433 noted progress in market implementation and refined expectations further. The result is more consistency than existed before 2023, but meaningful differences across carriers and forms remain. There is still no single universal clause.
What These Clauses Are Actually Trying to Do
Modern war exclusions aim to carve out large-scale, state-linked cyber operations that function as a form of warfare. They are not designed to exclude ordinary ransomware, business email compromise, or vendor-related incidents. Understanding the four levers these clauses use helps you evaluate whether a given policy is well-written or problematic.
Who or what is behind the attack. Most clauses require state or state-sponsored attribution. Some tie coverage to whether a competent authority has made a determination; others allow the insurer to make its own attribution call. The difference is significant when attribution is ambiguous, which it usually is during an active incident.
Scale and effect. Many clauses require the attack to have caused widespread impairment of a state’s critical functions or infrastructure. The word “widespread” is where vague drafting creates the most risk for buyers, because it is left undefined in many forms.
Where the loss occurs. The strongest clauses preserve coverage for bystander organizations that were not the intended target of a state operation. If your business was caught in spillover from an attack directed at someone else, a well-drafted carveback protects you. A poorly drafted clause may not.
Attribution mechanics. Whether attribution requires a formal government determination, a competent authority finding, or only an insurer’s own assessment makes a substantial difference in how disputes are resolved. Clauses that give the insurer unilateral attribution authority with no evidentiary standard create the most exposure for buyers.
What the NotPetya Cases Actually Settled
The Merck and Mondelez cases are frequently cited in discussions of cyber war exclusions, but their relevance to modern cyber policies is limited and often overstated.
Both cases involved property and all-risk policies, not modern cyber forms. The war exclusion language in those policies was legacy language written for conventional military conflict. Courts found it too vague and too narrow to apply cleanly to a state-sponsored cyber operation. Merck settled in 2024 after lower courts found in its favor; Mondelez settled in 2022. Neither created binding precedent for today’s cyber-specific exclusion language.
The takeaway is not that insurers must cover state-sponsored attacks. The takeaway is that ambiguous exclusion language tends to favor the policyholder in court, which is exactly why carriers updated their forms after 2023. Today’s cyber-specific clauses are far more explicit than the language in either NotPetya case.
Red Flags and Green Lights in Exclusion Wording
When reviewing your policy, look for these signals.
Red flags worth escalating to your broker:
- Vague “widespread” or “significant” impairment language without objective thresholds or definitions.
- Attribution shortcuts that treat any government statement as dispositive with no room for contrary evidence.
- Overly broad “state-backed” definitions that could capture ordinary criminal operations using tools or infrastructure with any government connection.
- No carveback for bystander organizations caught in spillover from an attack directed at someone else.
Reassuring signs:
- Clear definitions of “cyber operation,” “state,” “widespread,” and “critical functions” that give the clause predictable scope.
- Attribution requirements tied to a credible, named competent authority with a mechanism for challenging the determination.
- Explicit carvebacks preserving coverage for organizations that were not the intended target of the state operation.
- Separate treatment of systemic vendor events versus state-directed attacks.
Systemic Events: The Gray Area That Matters Most
The exclusion language most likely to affect a typical business is not about being targeted by a nation-state. It is about whether a mass-exploitation event that happens to involve a state-sponsored actor could trigger the exclusion even for uninvolved bystanders.
The MOVEit wave in 2023 and the Snowflake customer compromises in 2024 are useful mental models. Both involved criminal groups exploiting widely-used platforms, affecting thousands of organizations that had no direct connection to any geopolitical conflict. Whether a clause treating those events as “widespread” state operations could void coverage for bystanders depends entirely on how “widespread” and “state operation” are defined in your specific form.
This is the question to press hardest on with your broker. Ask specifically how your policy handles a scenario where a mass-exploitation event affecting thousands of companies is later attributed, even loosely, to a state-linked actor.
Questions to Ask Before Renewal
These are the questions that reveal whether your war exclusion language is well-drafted or problematic:
- Which exact clause and version is on our policy, including the form number and whether it is an A or B version?
- How is attribution determined under our specific clause, and who counts as a competent authority?
- What happens if competent authorities disagree about attribution, or if attribution is contested?
- What is the specific definition of “widespread” or “significant” impairment in our form?
- Are there explicit carvebacks for bystander organizations that were not the intended target?
- How does our policy handle systemic vendor events where a mass-exploit is later attributed to a state-linked actor?
- Are there sublimits or separate retentions that apply when a systemic event is declared?
Practical Readiness: Controls That Reduce Your Exposure Either Way
The best defense against a disputed war exclusion claim is never needing to invoke it. Strong controls reduce the likelihood that any incident reaches the scale or severity that triggers exclusion scrutiny.
- Enforce phishing-resistant MFA across all administrator accounts, remote access, and vendor connections. The 2024 Snowflake customer compromises specifically targeted tenants without MFA.
- Patch externally-exposed tools on accelerated timelines; ConnectWise ScreenConnect CVE-2024-1709 was actively exploited within days of disclosure.
- Know your critical SaaS and data dependencies, map where your data lives, and run tabletop exercises specifically for third-party incident scenarios.
- Align your governance to NIST CSF 2.0, which now includes a formal Govern function that maps directly to the board-level oversight documentation carriers are increasingly requiring.
FAQs
Does a government-linked actor automatically void my coverage?
No. Modern clauses look at intent, scale, and impact, and many require credible attribution through a formal process. Read your specific form and ask about carvebacks before assuming exclusion applies.
If a mass-exploit hits thousands of companies, is that “widespread” and excluded?
Not necessarily. “Widespread” should be defined in your policy. Many forms preserve coverage for bystanders unless strict state-operation triggers are met. If your policy does not define “widespread,” that ambiguity is worth addressing at renewal.
Do the NotPetya cases mean insurers must cover state attacks?
No. Those cases involved legacy war wording on property policies, not modern cyber forms, and ended in settlements rather than definitive rulings. Today’s cyber-specific exclusion language is far more precise.
We are a private company. Do SEC disclosure expectations affect us?
Not directly. But investors, partners, and carriers increasingly benchmark governance expectations against the SEC’s cybersecurity disclosure framework. Private companies that can demonstrate board-level cyber oversight and incident response readiness fare better in underwriting conversations.
For a broader look at geopolitical cyber risk, third-party spillover, and the practical controls that reduce your exposure to state-scale events, see our Geopolitical Cyber Risk and Cyber Insurance guide.