War Exclusions in Insurance Policies

Asking The Right Questions About War Exclusions

The Lloyds market association (LMA) has released updated cyber war and cyber operations clauses. The updated clauses meet Lloyd’s markets requirements and take effect on March 31st 2023 at the inception or renewal of each policy. 

They require that all standalone cyber-attack policies must include a suitable clause excluding liability for losses that arise from any state-backed cyber-attack in addition to any work exclusion unless agreed by Lloyds as an exception. 

The LMA stated that the cyber back cyber-attack clauses must at a minimum exclude: 

  • Losses arising from a war where the policy does not have a separate war exclusion regardless of whether this is a declared war or not. 
  • Losses arising from state-backed cyber-attacks that either significantly impair the ability of a state to function or significantly impair the security capabilities of a state. 
  • Be clear as to whether coverage excludes computer systems located outside any state affected in the manner above. 
  • Set out a robust basis by which the parties agree on how any state-backed cyber tech will be attributed to one or more states. 
  • Make sure all key terms are clearly defined. 

So, what does that mean to you when trying to buy cyber insurance?  There is a need to ask the right questions regarding these exclusions.   

  • What level of “state responsibility” is sufficient for attribution?  
  • What is the threshold for an excluded cyber operation that impairs an “essential service” or the “functioning of a state”? 

This is part of an ongoing dialogue to clarify cyber operations coverage and separate the insurable from the uninsurable. 

Let’s look at the case of Merck. The model exclusions apply to cyber operations that have a “major detrimental impact” on the “functioning of a state”.  This means it has to impair an “essential service” or the “security or defense of a state.” NotPetya, while harmful to Merck and other companies, did not impair an essential service vital to the functioning of a country. If NotPetya had compromised the electrical grid, or disrupted the water supply or a country’s food supply, this type of exclusion could apply.  

As this language continues to evolve, we will be updating our blog with relevant information for our customers.