Many cyber incidents have occurred during acts of war. For centuries, insurance has incorporated exclusions for war-related risks.
In fact, excluding “all war” has been a longstanding prerequisite for insurance policies under Lloyd’s of London. Prior to the late twentieth century, excluding war perils was relatively straightforward. A prime example of such exclusions was NMA 464, which was widely adopted and whose wording had remained unchanged since before World War II. The war exclusion was framed around the physical act of a declared war.
In 2014, cyber warfare gained public attention when Russia allegedly sponsored a series of cyber-attacks on Ukrainian organizations, including the NotPetya attack in 2017. NotPetya, a zero-day wiper application exploiting Microsoft OS vulnerabilities, spread quickly, causing extensive damage across various sectors. Among the affected companies was Merck, a pharmaceutical giant.
Merck’s insurance claim under an all-risks policy was initially denied due to a war exclusion clause. However, a New Jersey court in the United States ruled in early 2022 that insurers must explicitly exclude state-sponsored cyber operations to deny coverage, prompting insurers to develop robust cyber-specific war exclusions for catastrophic cyber losses.