Exclusions for war are normal and expected in almost every insurance policy. Usually, they present no cause for worry. But in Cyber policies, war exclusions have become troublesome.

Standard policies exclude war. ISO policies even exclude undeclared war, civil war, warlike action, rebellion, revolution, etc. It is understandable, as war conditions are too unpredictable and perilous for a standard policy to anticipate coverage. Coverage can be purchased, but a policy off the rack will never cover. So most people did not foresee a problem with cyber policies also containing war exclusions.

Unfortunately, in the last decade, cyber hackers acting on behalf of states which are unfriendly to the interests of the United States (particularly China and Russia) have made intrusions into systems of U.S. government and government contractors. While these hackers are not necessarily in the direct employ of foreign states, it is clear they are acting in the states’ interests.

After the SolarWinds attack in 2020, some members of Congress called it an “act of war.” Others, including most IT experts, called the attack espionage. But this event brought the war exclusion to the front of discussions.

In 2023, the New Jersey Supreme Court decided in Merck v. Ace American Insurance Company that the war exclusion did not apply to a Cyber policy. Merck was seeking coverage for a 2017 attack called NotPetya, and Ace had disclaimed, based on the war exclusion.

The case was closely watched, because it is the only relevant court case, and there are few cases overall which address war exclusions for any coverage type. Understanding the court’s decision is beyond the scope of this post, but unfortunately the decision did not resolve many issues regarding war exclusions.

In 2021, the Lloyds Marketing Association issued a series of mandatory war exclusions for cyber policies. These forms exclude “use of a computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer system of or in another state.” In the words of this writer, cyber warfare is excluded.

To avoid such exclusions, go back to basics . . . read the policy! Or better, read the quoted forms before the policy is bound. War will be excluded, but the key is to look at the definition of war. Best is to see a definition requiring armed conflict involving physical force, foreign military, or declaration of war between nations. That is the traditional type of exclusion that has been expected for centuries. Many carriers are carving out coverage so that only traditional warfare is excluded.

If your insured is in an industry which connects to geopolitics, such as critical infrastructure or finance, the company could especially be considered a wartime target, and the exclusion is even more vital to understand.