
Lloyd’s of London has done something unexpected: it has rewritten cyber insurance policies to explicitly exclude losses from state-backed cyber operations linked to war. This is a radical departure from the vague war exclusions of the past. In a world where cyber warfare is increasingly state-sponsored, businesses now face a stark reality: their coverage might not protect them when they need it most.
What Matters Most
- Lloyd’s of London has revised cyber insurance policies to exclude state-backed cyber operations linked to war.
- The NotPetya attack exposed the flaws in traditional war exclusions, leading to major settlements for companies like Merck & Co. and Mondelez.
- With tensions high, particularly involving Iran, companies must urgently reassess their cyber risk exposure and insurance coverage.
- Businesses can no longer assume their policies cover state-sponsored incidents; scrutinizing policy language is now a necessity.
- This shift means companies might unknowingly be self-insured against their worst-case scenarios.
Why This Is Happening Now
The intersection of cyber insurance and geopolitical tensions is more pressing than ever. The Russia-Ukraine conflict prompted Lloyd’s of London to enforce stricter requirements for standalone cyber policies, altering how businesses evaluate their risk exposure. In 2024, Lloyd’s specifically excluded losses from war-related cyber operations, a decision influenced by the NotPetya ransomware attack, which inflicted over $10 billion in damages and led to extensive litigation for companies like Merck and Mondelez. This new policy framework leaves organizations vulnerable unless they adapt and reassess their coverage.
How to Choose
| Situation | Best move | Why | Watch-out |
|---|---|---|---|
| Your company is exposed to geopolitical risks | Review and potentially renegotiate insurance policies | New exclusions can leave you under-protected | Don’t assume previous coverage applies |
| Existing policies include generic war exclusions | Consult with a broker about specific language | Language matters more than ever in claims | Be prepared for potential higher premiums |
| You rely on outdated policy terms | Align with current geopolitical realities | Policies are being rewritten; stay informed | Past experiences may not predict future coverage |
The New Reality of Cyber Insurance
The aftermath of state-sponsored cyber incidents like NotPetya is reshaping the cyber insurance field. NotPetya not only highlighted the inadequacy of traditional war exclusions but also led to significant payouts and legal battles for major corporations. Merck secured around $1.4 billion from insurers after a lengthy dispute, while Mondelez settled for $100 million. This shift indicates that cyber insurance is no longer just about covering data breaches; it’s about understanding whether your policy can withstand the storm of state-sponsored attacks.
With the Iran conflict now prominent, Lloyd’s has effectively forced businesses to confront a harsh truth: many policies might not cover the very risks they were designed to mitigate. The takeaway? Simply having coverage isn’t enough — companies must closely examine their policy language to ensure they aren’t left exposed.
What to Do This Week
Open your current cyber insurance policy documents. Identify any language related to war exclusions or state-backed operations. If your coverage lacks clarity or seems outdated, schedule a meeting with your insurance broker to discuss potential updates or renegotiations. Don’t wait for a cyber event to expose your vulnerabilities.
What Most People Get Wrong
Many believe that having cyber insurance means they’re protected against any attack. This is a dangerous misconception, especially in a world where state-sponsored cyber warfare is common. Conventional wisdom suggests that generic war exclusions are enough, but the reality is these exclusions are changing. Since the Russia-Ukraine conflict, insurers have tightened policy language to shield themselves from claims related to state-sponsored attacks.
The key takeaway is that businesses clinging to outdated assumptions about their coverage may be blindsided. Like NotPetya, which changed how companies view liability, ongoing conflicts are ushering in a new era of cyber insurance, one where the fine print often dictates whether a company can recover from a devastating attack or is left to self-insure.