Cyber Insurance and the Acts of War Exclusion: From NotPetya to Lloyd’s

The intersection of cyber risk and insurance has been one of the most dynamic areas in risk governance over the past four years. What began as a legal dispute over policy wording has evolved into a fundamental restructuring of how the insurance market treats state-linked cyber events.

Where it started: Merck and NotPetya

In 2017, the NotPetya malware caused billions of dollars in damage globally. Pharmaceutical company Merck, among others, suffered significant losses and turned to its insurers. Several insurers, including Zurich, cited exclusions around "hostile or warlike action in time of peace or war" by a "government or sovereign power," arguing that NotPetya was a Russian act of war and therefore excluded from coverage.

Merck challenged this position and lower courts found the legacy war wording too narrow to bar coverage for a cyber event. The case ultimately settled in 2024 without creating definitive precedent, but it exposed a fundamental problem: traditional war exclusion language was not designed for cyber operations, and applying it created unacceptable ambiguity for both insurers and policyholders.

The Lloyd's response

In August 2022, Lloyd's of London published Market Bulletin Y5381, requiring all standalone cyber policies written in the London market to include specific exclusion clauses for state-backed cyber attacks from 31 March 2023. The Lloyd's Market Association drafted model exclusion clauses that required policies to:

• Exclude losses arising from war, whether declared or not.
• Exclude losses arising from state-backed cyber attacks that significantly impair a state's ability to function or its security capabilities.
• Clearly address whether coverage excludes systems located outside the directly affected state.
• Set out a robust basis for how state-backed attacks will be attributed.

This was a significant shift. The old boilerplate "acts of war" language was replaced with cyber-specific exclusion frameworks that attempted to address the unique challenges of attribution and state sponsorship in the digital domain.

Where it stands now

The market has continued to mature. Lloyd's issued a follow-up bulletin (Y5433) in 2024 refining expectations and classifying model clauses into types, with non-compliant clause types progressively banned. From January 2025, the weakest clause types were prohibited entirely.

The exclusions are now more explicit than the pre-2023 language, but meaningful differences remain across policies. The most contentious area continues to be attribution: determining whether a cyber operation is state-backed, when governments rarely claim responsibility and often use proxies, remains inherently difficult. Different model clauses handle this differently, and the specific version in your policy matters.

What directors should be considering

For directors, this evolution carries several practical implications.

First, cyber insurance policy reviews need to go beyond confirming coverage exists. Directors should be asking their brokers for the exact exclusion form and version, understanding how attribution works under their specific policy, and confirming what carve-backs are available for collateral damage from state-linked events.

Second, the insurance market's approach to systemic risk is still developing. Concentrated events affecting widely used platforms or cloud providers, such as the MOVEit exploitation in 2023, test the boundaries of these exclusions. The line between a targeted state operation and collateral damage from one is not always clear.

Third, and most fundamentally, cyber insurance is a risk transfer mechanism, not a risk management strategy. The trajectory of exclusion clauses over the past four years makes clear that the scope of what is insurable is narrowing for the most catastrophic scenarios. This reinforces the case for investing in prevention, detection and response capabilities rather than relying on insurance as the primary mitigation.

The first real-world test: Operation Epic Fury

The Iran conflict that began in February 2026 is providing the first major stress test of the Lloyd's exclusion framework. Iranian-linked groups have conducted cyber operations against Western targets, including a destructive wiper attack against US medical device manufacturer Stryker Corporation in March 2026. The attack was attributed to a group linked to Iran's Ministry of Intelligence and Security operating under a hacktivist persona.

This raises precisely the ambiguity the exclusion clauses were designed to address, and exposes the gaps that remain. Attribution to a state-aligned group operating through a deniable front is not the same as attribution to a state. An attack against a single corporation, however severe, may sit below the systemic thresholds most exclusions require. And the question of whether a coordinated campaign of individual attacks could collectively trigger exclusions remains untested.

With 48 approved Lloyd's exclusion wordings now in the market, the coverage picture for organisations caught as collateral damage is far from clear. For Australian directors, this is not a distant geopolitical concern. Iran-linked groups have previously targeted critical infrastructure including water utilities, and the Australian Government Solicitor has advised organisations to carefully consider how war exclusions in their cyber policies would apply in this environment.

The exclusion framework that began with NotPetya is now being tested in real time. Directors should be asking their brokers a simple question: if our organisation is hit by collateral damage from a state-linked cyber operation, does our policy respond?