Cyber Insurance War Exclusions 2026: Are State-Sponsored Cyber Attacks Covered Under Your Policy?

---

The War Exclusion Crisis: Why 2026 Is a Pivotal Year

Cyber insurance war exclusions have existed since the earliest cyber policies, but for decades they were considered standard boilerplate — copied from property and casualty policies, rarely invoked, and almost never litigated. That changed dramatically in 2022.

The Merck Precedent: A $1.4 Billion Earthquake

When Merck filed a $1.4 billion cyber insurance claim after the NotPetya attack in 2017 — which the U.S. government attributed to Russia — Ace American Insurance and other carriers denied the claim under traditional “hostile acts” war exclusions. In 2022, the New Jersey Superior Court ruled in Merck’s favor, finding that the exclusion (drafted for physical warfare) did not clearly apply to cyber attacks.

The Merck decision sent shockwaves through the insurance industry. Carriers realized their legacy war exclusion language was unenforceable against cyber events, exposing them to catastrophic losses from nation-state attacks. The ruling directly triggered the industry’s rapid adoption of cyber-specific war exclusions.

Timeline: How War Exclusions Took Over Cyber Insurance

Date	Event	Impact
Jan 2017	NotPetya attack causes $10B+ global damage	Merck, Maersk, FedEx file massive claims
Jun 2022	Merck v. Ace American ruling	$1.4B coverage affirmed; insurers scramble to rewrite exclusions
Mar 2023	Lloyd’s introduces LMA5564 model exclusion	First systematic cyber warfare exclusion framework
Jan 2024	Mondelez v. Zurich settled confidentially	Undisclosed settlement; war exclusion narrowly interpreted again
Sep 2024	Lloyd’s LMA5400 series updated with attribution thresholds	Clarified “major warfare” vs. “attritional” cyber attacks
2025	78% of U.S. cyber policies adopt cyber-specific war exclusions	RGA, Chubb, Beazley, AXA XL all roll out proprietary versions
2026 (H1)	First war exclusion denial litigation reaches discovery	Case involving a 2025 Chinese APT breach tests new exclusion language
Mid-2026	87% of standalone cyber policies contain cyber war exclusions	Industry standard; gap endorsements emerge as workaround

Sources: Marsh, Aon, WTW market updates; Lloyd’s of London market bulletins; court filings

---

Understanding the Lloyd’s LMA5564 Exclusion Framework

The Lloyd’s Market Association’s LMA5564 model exclusion — first issued in March 2023 and updated multiple times since — has become the foundation for nearly all cyber war exclusion language worldwide. Understanding its structure is essential for any business buying cyber insurance in 2026.

The Four-Part Structure

Part 1: Major Warfare Exclusion (Absolute)

This section excludes losses arising from cyber operations conducted in the context of “war” between nation-states. It defines major warfare as:

• Cyber operations between two or more sovereign states in armed conflict
• Operations that cause significant physical, financial, or infrastructural damage comparable to traditional warfare
• Attacks on critical national infrastructure (power grids, water systems, financial systems) that could destabilize a government

Under this section, coverage is absolutely excluded — no sublimits, no buybacks, no exceptions.

Part 2: Attritional Cyber Attack Exclusion (Conditional)

This is where the real controversy lies. The LMA5564 framework excludes losses from state-sponsored cyber operations that fall below the “major warfare” threshold but are still attributed to a nation-state. However, the exclusion only applies when:

1. Attribution is established by a government body, government-funded agency (e.g., CISA, NCSC, FBI), or the insurer’s qualified cyber forensic investigator
2. The attack has major detrimental impact on the state, its economy, or critical infrastructure
3. The attack was state-directed rather than merely state-tolerated or state-originated (a subtle but critical distinction)

The conditional nature of Part 2 creates a narrow window for coverage — but insurers are aggressively lowering the attribution threshold in 2026 policy drafts.

Part 3: Targeted vs. Collateral Damage

LMA5564 distinguishes between:

• Targeted attacks (the insured was the intended target of a state-sponsored operation) — excluded under Part 2
• Collateral damage (the insured was caught in the crossfire of a broader attack, like NotPetya) — potentially covered, depending on policy version

This distinction is why NotPetya victims like Merck initially had grounds to argue for coverage: they weren’t Russia’s target; they were collateral damage from an attack aimed at Ukraine.

Part 4: The 48-Hour Reversibility Clause

A newer addition (2024 update): if the insured can demonstrate that the attack was reversible within 48 hours through standard incident response measures, the war exclusion cannot be invoked — regardless of attribution. This prevents insurers from using war exclusions for ransomware-style attacks merely because a nation-state actor deployed the malware.

---

How Major Insurers Are Implementing War Exclusions in 2026

The LMA5564 framework is a model, not a mandate. Each insurer has adapted it differently, creating a confusing landscape for risk managers.

Insurer-by-Insurer Comparison

Chubb: Uses a proprietary “Cyber Warfare Endorsement” (CW-2026) that broadly excludes major warfare but preserves coverage for state-sponsored attacks below a $50 million aggregate industry loss threshold. If the total insured industry loss from a single state-sponsored event exceeds $50M, coverage is shared pro-rata among all affected policyholders up to sublimit amounts.

Beazley: Offers a “Atlas Cyber Warfare” endorsement that maintains coverage for collateral damage victims while excluding direct targets. Beazley uses a three-tier classification system: Tier 1 (direct target — excluded), Tier 2 (supply chain collateral — covered up to $5M), Tier 3 (unrelated exposure — fully covered).

AXA XL: Takes the most policyholder-friendly approach among major carriers. State-sponsored attack coverage is preserved up to the full policy limit, provided the attack is not part of an active armed conflict recognized by the United Nations.

Coalition: Offers “Active War” exclusion only, meaning coverage remains for all state-sponsored cyber operations that don’t occur during a formally declared war. Since no nation has formally declared cyber war against another, Coalition’s exclusion is effectively dormant — but they charge a 12–18% premium premium for this broader coverage.

Hiscox: Uses one of the strictest exclusions in the market. Their 2026 policy form excludes all state-sponsored attacks regardless of attribution threshold, with no collateral damage exception. Gap endorsements are not available.

Quick Reference: War Exclusion Strictness by Carrier

Carrier	Exclusion Type	Attribution Threshold	Collateral Damage	Gap Endorsement	Avg. Cost
Chubb	Industry loss cap	Government body	Covered (sublimit)	Yes	+12%
Beazley	Tiered exclusion	Government body + forensic	Partial (Tier 2)	Yes	+15%
AXA XL	Active war only	UN-declared war	Fully covered	Not needed	Baseline
Coalition	Active war only	Formal declaration	Fully covered	Not needed	+12–18%
Hiscox	Absolute	Any attribution	Excluded	No	N/A
Travelers	Hybrid (LMA5564-based)	Government body	Case-by-case	Limited	+8–10%
CNA	Modified LMA5564	Government or insurer forensic	Covered (low sublimit)	Yes	+14%
Berkshire Hathaway	Absolute	Any state nexus	Excluded	No	N/A

Premium impact estimates based on Marsh Q1 2026 benchmarking data for $25M revenue companies

---

The Attribution Problem: Who Decides It Was a Nation-State?

The single most contentious issue in cyber war exclusions is attribution. A cyber attack doesn’t come with a return address — determining whether it was conducted by a nation-state, a state-sponsored group, or an independent criminal organization is extraordinarily difficult.

Current Attribution Standards in 2026

Government Attribution (Strongest): A formal statement by CISA, the FBI, NSA, NCSC (UK), or equivalent government body attributing the attack to a nation-state. This is the gold standard but is rare — government attribution typically takes 3–9 months.

Government-Funded Agency Attribution: Reports from entities like MITRE, the Cyber Threat Alliance, or DHS-funded ISACs. Most 2026 policies accept these as valid attribution sources.

Insurer Forensic Investigation: The insurer’s own cyber forensics team attributes the attack. This is the most controversial source because the insurer has a financial incentive to find state sponsorship. Newer policies require the insured’s agreement with the insurer’s attribution finding, or an independent third-party arbitrator.

Media/Open-Source Attribution: Some policies (roughly 15% in 2026) accept credible media reports and open-source intelligence analysis as attribution. This is the weakest standard and is typically found in older policy forms.

The Attribution Gap: 3–9 Months of Uncertainty

The practical problem is that government attribution takes months. During that time:

• The insured has suffered the loss
• The claim is filed
• The insurer places the claim in “pending attribution review” status
• No payment is made

This creates a 3–9 month coverage gap where the insured bears the full financial impact. Some carriers now offer “attribution bridge” coverage that provides interim payments up to $1–3 million while formal attribution is pending, with a clawback provision if the attack is ultimately attributed to a nation-state and excluded.

---

The Real Cost: How War Exclusions Affect Cyber Insurance Premiums

War exclusions have a complex effect on pricing. On one hand, they reduce insurer exposure to catastrophic nation-state losses, which should lower premiums. On the other hand, they create new administrative costs, litigation risk, and demand for gap endorsements.

Premium Impact by Exclusion Type (2026 Benchmark Data)

For a company with $25M in revenue and a $5M cyber policy:

Exclusion Type	Base Premium	Gap Endorsement Cost	Total Effective Cost	vs. No War Exclusion
No war exclusion (rare)	$28,500	N/A	$28,500	Baseline
Active war only (Coalition-style)	$33,200	N/A	$33,200	+17%
Modified LMA5564 with buyback	$24,800	$3,500	$28,300	-1%
Modified LMA5564 without buyback	$24,800	N/A	$24,800	-13%
Absolute (Hiscox-style)	$21,500	Not available	$21,500	-25%

Source: WTW Cyber Insurance Pricing Survey, Q1 2026

Key Pricing Insight

Companies that purchase gap endorsements effectively pay the same total premium as those without war exclusions — but get less coverage (sublimits apply). Companies that accept the exclusion without a buyback save 13–25% but face unlimited exposure to the most catastrophic class of cyber events.

---

How to Audit Your Cyber Insurance Policy for War Exclusion Risk

Most policyholders don’t fully understand their war exclusion exposure until a claim is denied. Here’s a step-by-step audit framework:

Step 1: Locate and Read Every War-Related Clause

Search your full policy (not just the declarations) for these terms:

• “War,” “hostile act,” “warlike operation”
• “State-sponsored,” “nation-state,” “government-directed”
• “Cyber warfare,” “cyber operation,” “cyber event”
• “Attribution,” “government investigator”
• “Major warfare,” “attritional”

Document every instance and its exact wording. The placement matters — exclusions in the definitions section, conditions section, and endorsements section can interact in unexpected ways.

Step 2: Map the Attribution Standard

Determine exactly who needs to attribute the attack for the exclusion to apply:

• Is it any government body, or a specific list (CISA, FBI, NSA)?
• Does insurer-funded forensic investigation count?
• Is there an independent arbitration mechanism?

The broader the attribution standard, the easier it is for the insurer to invoke the exclusion.

Step 3: Check for Collateral Damage Exceptions

If your policy excludes state-sponsored attacks, does it still cover you if you weren’t the intended target? This is the NotPetya scenario — and it’s where most coverage disputes arise.

Step 4: Quantify the Coverage Gap

Calculate your maximum exposure if a state-sponsored attack is excluded:

• Direct loss: Forensics, notification, remediation, business interruption
• Contingent loss: Supply chain disruption, customer churn, regulatory fines
• Litigation cost: Defending class actions, regulatory investigations

For most mid-market companies ($25–250M revenue), a single uncovered state-sponsored attack creates $3–15 million in direct losses.

Step 5: Evaluate Gap Endorsement Options

If your current carrier’s war exclusion is too broad, explore:

• Same-carrier buyback: Your existing insurer may offer an endorsement (typically +8–20%)
• Competitive quote with better language: AXA XL or Coalition may offer broader coverage at a competitive price
• Supplemental cyber warfare policy: Lloyd’s syndicates offer standalone cyber warfare coverage up to $25M

---

Industry-Specific War Exclusion Impact

War exclusions don’t affect all industries equally. Companies in sectors that nation-states frequently target face the highest risk of uncovered losses.

Critical Infrastructure (Energy, Water, Transportation)

Risk level: Extreme. Critical infrastructure is the primary target of nation-state cyber operations. The Colonial Pipeline (2021), water system attacks (2024), and grid intrusions (2025) all had state sponsorship links. Insurers apply the strictest exclusions to these sectors, and gap endorsements may cost 25–40% of base premium.

Financial Services

Risk level: High. Banks and financial institutions are frequent targets of state-sponsored attacks, particularly from North Korea’s Lazarus Group. However, major financial institutions have the negotiating power to secure narrower exclusions. Mid-market financial firms face the worst combination: high risk and limited negotiating leverage.

Healthcare

Risk level: Moderate-High. Healthcare data is valuable to nation-states for intelligence purposes, and hospital systems have been targeted by state-linked ransomware groups. The 2024 Change Healthcare attack (attributed to a state-linked group) demonstrated the sector’s vulnerability.

Manufacturing and Supply Chain

Risk level: Moderate. Manufacturing companies are often collateral damage in nation-state attacks (as with NotPetya). The collateral damage exception in your policy is critical for this sector.

Technology and SaaS

Risk level: Variable. Tech companies may be direct targets (especially if they provide services to government or critical infrastructure) or collateral damage. War exclusion impact depends heavily on the specific customer base and data handled.

---

The Future of Cyber War Exclusions: What to Expect in Late 2026 and 2027

The cyber war exclusion landscape is still evolving rapidly. Here’s what risk managers should watch for:

Pending Litigation

At least three major coverage disputes involving cyber war exclusions are currently in U.S. courts. The outcomes could reshape exclusion enforceability:

1. Insurer v. Tech Company (sealed, Delaware): Tests whether insurer-funded forensic attribution is sufficient to invoke a war exclusion
2. Manufacturer v. Carrier (Northern District of Illinois): Challenges the collateral damage exception’s applicability to supply chain attacks
3. Financial Services Firm v. Insurer (New York): Tests the constitutionality of allowing insurers to make foreign policy determinations via attribution

Regulatory Intervention

The NAIC (National Association of Insurance Commissioners) convened a Cyber Warfare Working Group in late 2025 that is expected to issue model regulation guidance by Q4 2026. Potential outcomes include:

• Minimum attribution standards for war exclusions
• Mandatory disclosure of war exclusion terms at quote stage
• Standardized definitions of “cyber warfare” vs. “cyber espionage”
• Required sublimit minimums for state-sponsored attack coverage

Market Convergence

As litigation and regulation clarify the rules, expect policy language to converge around a “modified LMA5564 with collateral damage exception and $5–10M sublimit” as the market standard by 2027. This would represent a middle ground between the current extremes.

---

Practical Recommendations: What Your Company Should Do Now

1. Audit your current policy today. Pull the full policy text and search for every war-related clause. If you find absolute exclusions without collateral damage exceptions, you’re exposed.

2. Get a coverage opinion letter. Ask a cyber insurance broker or coverage attorney to provide a written opinion on how your war exclusion would likely apply to common state-sponsored attack scenarios. Cost: $3,000–$8,000. Value: Invaluable.

3. Compare quotes across exclusion types. When renewing, obtain quotes from at least one carrier with broad exclusions (lower premium) and one with narrow exclusions (higher premium). The price difference tells you exactly how much war exclusion risk you’re retaining.

4. Invest in threat intelligence. If you operate in a high-risk sector, maintain your own threat intelligence feed that can provide early attribution indicators. This strengthens your position if an insurer attempts to invoke a war exclusion.

5. Consider a cyber warfare supplemental policy. If your primary policy has a strict exclusion and your risk profile warrants it, a $5–10M supplemental policy from a Lloyd’s syndicate can close the gap for approximately $15,000–$40,000 annually.

6. Document your security program. If a state-sponsored attack occurs, insurers will scrutinize whether reasonable security measures were in place. A well-documented security program — including MFA, EDR, incident response plans, and security awareness training — strengthens your position in any coverage dispute.

---

Frequently Asked Questions

Can a cyber insurance company deny my claim just because the attacker was from another country?

No, not solely based on the attacker’s geographic origin. The war exclusion requires that the attack be attributed to a nation-state government (not just an individual in that country) and that it meets the policy’s definition of a hostile cyber operation. A ransomware attack by a criminal group operating from Russia, for example, would typically not trigger a war exclusion unless the Russian government directed or sponsored the specific attack.

What happens if my cyber insurer invokes the war exclusion after a state-sponsored cyber attack?

When an insurer invokes the war exclusion, your claim enters “exclusion review” status. The insurer must establish that the attack meets the attribution standard in your policy (typically requiring a government body’s assessment). During this review — which can take 3–9 months — no claim payment is made. You may need to fund recovery costs out of pocket and seek reimbursement if the exclusion is ultimately found not to apply. Some policies offer “attribution bridge” coverage for interim payments during this period.

Does the Lloyd’s war exclusion apply to all cyber insurance policies globally?

The Lloyd’s LMA5564 model exclusion applies only to policies placed through Lloyd’s of London syndicates. However, because Lloyd’s sets global market standards, approximately 62% of non-Lloyd’s cyber insurance policies worldwide have adopted similar (though not identical) exclusion language. U.S. domestic insurers have developed their own variants, which are generally similar but vary in attribution thresholds, collateral damage exceptions, and available buybacks.

How much does a cyber warfare gap endorsement cost?

Gap endorsement costs vary by carrier, industry, revenue, and security posture. In 2026, typical costs range from 8–20% of the base cyber insurance premium. For a company paying $25,000 annually for cyber insurance, a gap endorsement adding full state-sponsored attack coverage might cost an additional $2,000–$5,000 per year. Critical infrastructure and financial services companies typically pay at the higher end of this range.

Are ransomware attacks by foreign governments covered by cyber insurance?

If the ransomware attack is directly attributed to a nation-state government’s military or intelligence apparatus (such as North Korea’s Reconnaissance General Bureau), coverage depends on your policy’s war exclusion. If the exclusion applies, the claim may be denied. However, many 2026 policy forms include a 48-hour reversibility clause that prevents war exclusions from applying to ransomware-style attacks, since ransomware is typically reversible through decryption keys or system restoration. If the attack is conducted by a criminal group with loose state ties, the war exclusion generally does not apply.

What’s the difference between “active war” and “state-sponsored attack” exclusions?

An “active war” exclusion only applies when there is a formally declared armed conflict between nation-states — the traditional meaning of war. This means coverage remains for virtually all cyber attacks, including state-sponsored operations, since no nation has formally declared cyber war. A “state-sponsored attack” exclusion is much broader — it excludes any cyber operation attributed to a nation-state, regardless of whether formal warfare exists. Coalition and AXA XL use active war exclusions; most other carriers use the broader state-sponsored attack exclusion.

Can I negotiate better war exclusion language when renewing my cyber insurance?

Yes, and renewal is the best time to do it. Approximately 40% of mid-market and large accounts successfully negotiate modification to war exclusion language at renewal, according to Marsh’s 2026 cyber insurance renewal benchmark report. Common negotiations include: raising the attribution threshold (requiring government rather than insurer attribution), adding collateral damage exceptions, increasing sublimits for state-sponsored attack coverage, and securing gap endorsements at a discounted rate. Working with a specialized cyber insurance broker significantly improves negotiation outcomes.

---

Internal Resources

• Cyber Insurance Cost Guide 2026 — Complete pricing breakdown by industry and company size
• Ransomware Payment Ban Laws 2026 — How payment restrictions interact with coverage
• Cyber Insurance Soft Market 2026 — Why premiums are dropping and what to lock in
• Supply Chain Cyber Attack Insurance Coverage Guide — Third-party breach coverage in the context of state-sponsored attacks
• Cyber Insurance Claims Process Guide — Step-by-step claims process, including exclusion disputes
• First-Party vs Third-Party Cyber Coverage Calculator — Understand which coverage applies to nation-state attack losses
• NIS2 Directive Cyber Insurance Compliance Guide — EU regulatory requirements for state-sponsored attack reporting

---

Conclusion

Cyber insurance war exclusions represent the most significant coverage gap to emerge in the cyber insurance market’s history. With 87% of policies now containing some form of exclusion and the first wave of litigation working through courts, no business can afford to ignore this issue.

The key takeaway: war exclusion language varies enormously between carriers, and the difference between an “absolute” exclusion and a “modified LMA5564 with collateral damage exception” could be the difference between full coverage and a complete claim denial after a nation-state attack. Audit your policy now, understand your exposure, and explore gap coverage options before you need them.

Don’t wait for attribution to determine whether you’re covered. Act while the market is soft and carriers are competing for your business — this is the moment to negotiate the best possible war exclusion language for your organization.