Definition:State-backed cyber attack exclusion
🛡️ State-backed cyber attack exclusion is a policy exclusion found in cyber insurance contracts that removes coverage for cyber incidents attributed to or carried out on behalf of a nation-state or sovereign government. As the frequency and severity of state-sponsored cyber operations have escalated — targeting critical infrastructure, financial systems, and corporate networks — insurers have moved to ring-fence this category of risk, which many consider systemic and fundamentally uninsurable through traditional private-market mechanisms. The exclusion gained prominence after high-profile disputes, most notably litigation surrounding the NotPetya attack, which forced the market to reckon with ambiguous "act of war" language in legacy property and cyber policies.
⚙️ In practice, the exclusion operates through carefully drafted contractual language that defines what constitutes a state-backed attack and establishes the evidentiary threshold an insurer must meet to invoke it. Lloyd's of London issued market bulletins in 2022 and 2023 requiring all Lloyd's syndicates to include some form of state-backed cyber attack exclusion in their standalone cyber policies, offering several model clauses with varying degrees of breadth. Some versions exclude only attacks that form part of a declared war, while others capture hostile cyber operations below the threshold of armed conflict — a critical distinction that determines whether events like espionage campaigns or infrastructure sabotage fall inside or outside coverage. Underwriters typically pair the exclusion with an attribution framework, often referencing determinations by government agencies or specifying a process the insurer must follow before denying a claim.
💡 The stakes surrounding this exclusion are enormous for policyholders, brokers, and carriers alike. For buyers, particularly large enterprises and operators of critical infrastructure, the scope of the exclusion can determine whether a policy responds to the most catastrophic cyber scenarios they face. Brokers must scrutinize clause wording and negotiate carve-backs — such as "war impact" provisions that restore coverage when a state-backed attack produces collateral damage to non-targeted entities. For the broader cyber insurance market, standardizing this exclusion is part of a larger effort to build actuarial clarity around aggregation risk and ensure that reinsurers can accurately model their exposure to correlated, large-scale cyber events.