Cyber warfare: Are you protected?

Beware of the war exclusions!

Following the Lloyds Performance Management Supplemental Requirements & Guidance, published July 2020, all insurance and reinsurance policies written at Lloyd’s must exclude all losses caused by war and nuclear, chemical, biological or radioactive risks (NCBR), except in limited circumstances.[1] This reinforces the exclusion of war and NCBR in hull and cargo and most cyber policies. Both cyber  security data and privacy breach (CY) and cyber security property damage (CZ)[2] polices are among the exempted class of business which would be allowed to write war risks. However, when writing these cyber policies, the terms and scope of the cover must be unambiguously stated. If there is an extension of the policy to include war, that extension must not override any NCBR exclusions contained within the cyber policy. It is customary to follow local law or regulation on how coverage should be provided for in policy documentation and for the exempted classes of business, it is recommended to follow local market practice. In light of these guidelines several war exclusions in varying degree of liability were developed to be endorsed on or attached to commercial cyber policies. It is not yet clear if the same clauses are or will become applicable to non cyber policies but the discussion is relevant considering current geopolitical conflicts and imminent threats to businesses and states.

The exclusions (LMA5564, LMA5565, LMA5566, LMA5567)[3] are very similar in terms of the language used and excludes loss of any kind directly or indirectly occasioned by, happening through or in consequence of war or a cyber operation.  The burden is on the insurer to prove that the exclusion applies. An obvious difference is the causal language used in each clause. ‘Happening through’ is not language commonly used in the marine sector, as such its meaning and what needs to be established to fulfil this causal effect requires clarification. Clauses 3-5 of each exclusion refer to the attribution of a cyber operation to a state and the definition of war and cyber operation are both related to the acts of a state against another state. War is defined as the ‘use of physical force by a state against another state’ thus excluding cyber incidents / attacks which may have the same effect but without physical use of force and not by a state against another state. Cyber operations means ‘the use of computer system by or on behalf of a state to disrupt, deny, degrade, manipulate or destroy information in a computer systems of another state’.[4] The emphasis on ‘states’ means that the exclusion would not be applicable to private acts of civilians who are not acting on behalf of their government or another state. Furthermore it is doubtful whether cyber operation would extend to the damage loss of cargo, vessel or financial losses since the subject of a cyber operation is the ‘information in a computer system’.

In attributing cyber operation to a state, the primary but not exclusive determinant is whether the government of the state in which the computer system affected is physically located has attributed the cyber operations to another state or those acting on its behalf. Pending a decision, the insurer may rely on an inference which is objectively reasonable as to attribution of the  cyber operation  but no loss shall be paid during this time. If the  government of the state in which the affected computer system is located takes too long to decide, or is unable to declare or does not determine attribution, the responsibility shifts to the insurer to determine attribution by using other evidence available to it. There are several problems with the terms of LMA5564, there is no explanation of the type and source of information the insurers should rely on to develop an inference and what will qualify as objectively reasonable and importantly who will sit as ‘objective person’. Furthermore,  the reference to the insurer using ‘such other evidence as is available’ suggest that the insurer is permitted to rely on any source, type / quality of evidence available that will support his position that the exclusion does apply. In other words, the acceptable standard of evidence to support the insurer’s ‘inference’ and to discharge his burden that the exclusion does apply is low and therefore prejudicial to the assured.

The second war, cyber war and cyber operation exclusion (LMA5565) differs from LMA5564  in that LMA5565 clause 1.1 to 1.3 list the conditions under which war and cyber operations are excluded. These are war or cyber operation carried out in the course of war and or retaliatory cyber operations between any specified state (China, France, Germany, Japan, UK or USA) and or a cyber operation that has a detrimental impact on the functioning of the state due to the direct or indirect effect of the cyber operation on  the availability, integrity or delivery of an essential service in that state and or the security or defence of a state. Clause 3 introduces the agreed limits recoverable in relation to loss arising out of one cyber operation and a second limit for the aggregate for the period of insurance. If the limits are not specified, there will be no coverage for any loss arising from a cyber operation. Noteworthy is the fact that similar limits have not been introduced for loss arising from a war or cyber war, so the limit would be based on the insured value of the subject matter insured. The definition of essential service creates uncertainty because what is categorised as ‘essential for the maintenance of vital functions of a state’ may vary across states. While examples are provided which includes financial, health or utility services, unless the parties stipulate and restrict this category to only the services named in the policy, there is potential contention between the parties over what will qualify as an essential service and what is a vital function to a state. It is expected that the marine sector will be among the list of essential services, however it is unlikely that an attack on a commercial private vessel or onshore facilities would qualify as harm to an essential service, vital for function of the state.

A third form of the war, cyber war and cyber operations exclusion LMA5566 is identical to LMA5565 except that there is no equivalent to the clause on limits of liability for each cyber operation or aggregate loss in LMA5566. The fourth form of exclusion LMA5567 expounds on the conditions mentioned in LMA5565 and LMA55666, particularly the exclusion or loss from retaliatory cyber operations between any of the specified states leading to two or more of those states becoming impacted states. The exclusion of cyber operation that has a major impact an essential service or the security of defence of a state shall not apply to the direct or indirect effect of a cyber operation on a bystanding cyber asset. LMA5567 introduces the concepts of impacted states and bystanding asset, thus expanding the effect of the exclusion clause. Impacted states means any state where the cyber operation has had a detrimental impact on the functioning of that state due to its effect on essential services  and or the security or defence of that state. The bystanding cyber assets are computer systems used by the insured or its third party provider that is not located in the impacted state but is affected by the cyber operation. As an exemption to the exclusion, the consequence is that the insurer will be exposed to liability for loss to assets that are not owned by the insured or its third party providers. The only requirement being that these bystanding cyber assets / computer systems are used by the insured or its third party providers which could be an extensive list of unidentified assets and liabilities. Another problem with the definition of bystanding cyber asset is it does not declare for what purpose the said asset should be used by the insured or by the third party provider. The presumption is the use should be related to the subject matter / business of the insured but without clarification, there are doubts about the scope and limits of the term.  Interestingly and of concern is the use of the words ‘cyber war’ in the title of each exclusion but is not repeated in any of the four clauses nor is there a description of the meaning of a cyber war and how it differs from a cyber operation and war as defined in the clauses.

A guidance on the correct interpretation of the exclusion clauses was not published and given their deficiencies, the effectiveness of each exclusion clause is reduced. In terms of their application to marine activities, the insurer will find that he is liable to indemnify the assured for his loss from cyber-attack unless there is evidence to attribute the cyber act to a state. The exclusions will be more effective in scenarios where terrorist or political groups are involved. War is limited to acts between states and significant emphasis is placed on damage to essential services of a state. Despite the deficiencies discussed above, the importance and take up of any variation of the exclusion clause will increase as the political security of nation states and businesses continue to be of concern to insurers. The constant threats and warning  in the news of cyber-attacks being used as weapons of war will affect market response and which will sometimes be reflected in strictness of language / variations of the war exclusions used in insurance policies. Other stakeholders must be proactive and ensure that they have adequate insurance protection against cyber war risks and war risks generally and mitigate their risks of loss by implementing and maintaining good cyber hygiene based on industry specific best practices.  

[1] Lloyd’s, ‘Performance Management – Supplemental Requirements & Guidance’ (July 2020) 41 <> accessed 22 March 2022. War and NCBR policies can only be provided where: the exclusion of war is prohibited by local legal or regulatory requirements but this is not inclusive of the writing non-compulsory war risks; where the type of business is within the exempted class and where the syndicates have the express agreement from Lloyds through business planning process.

[2] Lloyd’s, ‘Cyber Risks & Exposures : Market Bulletin Ref : Y4842’ (25 November 2014)

< > accessed 22 March 2022.

[3] LMA, ‘Cyber War and Cyber Operation Exclusion Clauses’ (LMA21-042-PD, 25 November 2021)  

<> accessed 22 March 2022.

[4] Michael N Schmitt,  ‘The Use of Force’ in Tallin Manual 2.0 on the International Law Applicable to Cyber Operations ( 2nd edition Cambridge University Press 2017)The Tallin Manual is nonbinding legal source which explains how international law applies to cyber operations. It is in the process of a five (5) year review for the launch of Tallinn Manual 3.0.

Leave a Reply