Choose from any of our reports and we will be happy to send it/them to you via email at no cost.

    The Insurance War Exclusion

    How does it work? What About Cyber?



    The War exclusion has been on insurance policies since as far back as the 1700s.

    But with nation- to- nation cyber-attacks, it has floated to the top as an issue for Cyber insurance coverage.

    Should we worry?

    The traditional War exclusion has language to this effect:

    The INSURER will not pay for loss or damage caused directly or indirectly by any of the following. Such loss or damage is excluded regardless of any other cause or event that contributes concurrently or in any sequence to the loss.

     War and Military Action.

          1.War including undeclared or civil war;

          2. warlike action by a military force, including action in hindering or defending against an actual or expected attack by any government, or other authority using military personnel or other agents; or

    3. insurrection, rebellion ,revolution, usurped power or action taken by governmental authority in hindering or defending against any of these.

    The Merk case involving NotPetya

    The insurance industry determined early that war was not one of the fortuitous losses they wanted to protect against—it is potentially too massive and falls outside the realm of pure insurable business risk.  But it gets a bit complicated when the war exclusion is applied to a cyber incident. 

    In one case involving coverage for a cyber incident (Merk and International Indemnity v. ACE – NJ Superior Court) the court decided in favor of the insured on the basis that:

     “Insurers did nothing to change the language of the exemption to reasonably put the insured on notice that it intended to exclude cyber-attacks.” 

    The court in this case decided that the exclusion violated the reasonable expectations of the typical insured.  The case involved the NotPetya attack which has been attributed to the Russian government.

    See Cyber Warfare – Battles in the Courts

    In addition to the ambiguity of the exclusion’s intent, it is usually hard to pinpoint where an attack originated from unless a nation-state takes responsibility for it.

    Up till now we’ve managed the existence of War exclusions on Cyber policies this way:

    1. Rely on the ambiguity of the exclusion with respect to Cyber claims – (is a cyber -attack war?) , and
    2. Obtain an exception to the War exclusion for cyber-terrorism (which exception has been available in the market).

    The insurance industry adapts

    The industry usually adapts when adverse rulings come down, and they are doing so now with the War exclusion. 

    Lloyd’s of London has just introduced a “War, Cyber War and Cyber Operation” exclusion which broadens out the exclusion to remove coverage for “Cyber War” and “Cyber Operation” in addition to “War.”

    “Cyber War” is not defined in the exclusion, but “Cyber Operation” is defined as:

                “the use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.”

    What this does is clearly deny coverage for state actions whether typically defined war or not, and whether against another state or even just a computer system in another state.  So, if this language had been in effect Merk would not have had the good result it obtained in court.

    Thrust and Parry


    The insured’s next move

    The insureds win in court and the insurers react with new, broader exclusions.  What’s the insured’s next move?

    In Cyber especially, but valid in all lines of insurance, there is no true standardization of coverage, and there are many insurers offering the product.

    We need a defense to the appearance of increasingly harsh exclusions.

    The first step is awareness.  In the insurance purchase, the broker/insurer count on your accepting the offer based on the 3-5- page summary. Treat the insurance purchase as you would any other contract negotiation:

    1. get the full language as part of your proposal,
    2. read it, understand it, and accept it, or
    3. negotiate the problem out of it, or
    4. move on to the next proposal

    Get more detail on the coverage negotiation process

    Have a risk manager on your side

    The largest companies have entire risk management departments reporting to the CFO.  You need risk management too.


    (c ) Licata Risk & Insurance Advisors, Inc. 2022

    Frank Licata

    mailto:[email protected];   617.718.5901

    Receive our blog by email




    Mar 28, 2022

    Licata Risk Licata Risk & Insurance Advisors, Inc.
    265 Franklin Street
    Suite 1702
    Boston, MA 02110
    617-451-2140   advice@licatarisk
    501 East Las Olas Boulevard
    Suite 300/200
    Fort Lauderdale, FL 33301
    LicataRisk Advisors is an independent risk management and insurance consulting firm. We are not brokers and we do not sell insurance. We are not connected to any insurance company or product in any way and do not receive commissions. This is an important difference as you will have an expert on your side who is only committed to you.

    Licata Risk is not a law firm and does not practice law. General advice and contract input by the consultants, including those who are attorneys, is to provide insight into the risk and insurance aspects. Your attorney should be the final authority on any legal matter.