What War Exclusions Are
A war exclusion is a standard clause in insurance contracts that removes coverage for losses directly or indirectly caused by war, invasion, insurrection, revolution, military force, or related events. The clause exists in some form in nearly every property and casualty insurance policy written in the past century.
The standard war exclusion typically covers:
- Declared war between sovereign nations
- Undeclared war - hostile acts between nations without a formal declaration
- Civil war, insurrection, and rebellion within a country
- Revolution and coup d'etat
- Military action by any government or sovereign power
- Confiscation, nationalization, and seizure by government authority
The critical ambiguity lies in what constitutes an "act of war" versus an "act of terrorism." The distinction matters because terrorism is often covered (especially in the U.S. under the Terrorism Risk Insurance Act), while war is excluded. Most modern conflicts - cyberattacks, proxy wars, hybrid warfare - blur these categories in ways that insurance contracts written decades ago never anticipated.
The Cyber War Exclusion Problem
Cyberattacks by state-sponsored groups have created the most significant coverage gap in modern insurance. The problem is straightforward: nation-states launch cyberattacks that damage private businesses, and insurers invoke war exclusions to deny claims.
Lloyd's Market Bulletin Y5381
In March 2023, Lloyd's of London mandated that all syndicates include explicit state-backed cyberattack exclusions in standalone cyber policies. The bulletin requires one of four model exclusion clauses, ranging from narrow (excluding only attacks attributable to a state that cause major detrimental impact to the functioning of a state) to broad (excluding any cyberattack attributable to a state).
The practical impact: businesses purchasing cyber insurance through Lloyd's syndicates - which account for a significant share of the global specialty insurance market - now face explicit exclusions for the fastest-growing category of cyber threat. State-sponsored groups linked to Russia (Sandworm, APT28), China (APT41, Volt Typhoon), North Korea (Lazarus Group), and Iran (APT33) conduct the most damaging and costly cyberattacks, and these are precisely the attacks most likely to trigger the exclusion.
The Attribution Problem
War exclusions require attribution - determining who launched an attack and whether they acted on behalf of a state. In cyber operations, attribution is technically difficult and politically contentious. An attack by a Russian-speaking group operating from Russian territory, using infrastructure linked to Russian intelligence, may still face disputed attribution. This ambiguity creates uncertainty for both insurers and policyholders, often leading to prolonged legal disputes.
Key Legal Cases
Several landmark cases have shaped how courts interpret war exclusions in the context of modern conflict:
Merck v. Ace American Insurance (2024)
The most significant war exclusion case in recent history. In June 2017, the NotPetya cyberattack - attributed to Russian military intelligence (GRU) - caused approximately $1.4 billion in damages to pharmaceutical company Merck. Merck's property insurers denied coverage, invoking the war exclusion. A New Jersey appellate court ruled in Merck's favor in May 2023, finding that the traditional war exclusion was not intended to apply to cyberattacks on private companies, even when perpetrated by a nation-state. The case settled for approximately $1.4 billion in 2024 after the insurers chose not to appeal to the state Supreme Court.
Mondelez v. Zurich (2022)
Snack manufacturer Mondelez International suffered $100 million in NotPetya damages. Zurich denied the claim under the "hostile or warlike action" exclusion in Mondelez's property policy. The case settled confidentially in 2022, but the litigation prompted the insurance industry - particularly Lloyd's - to draft clearer cyber war exclusion language rather than rely on traditional property war clauses.
Implications for Policyholders
These cases established an important principle: traditional war exclusions drafted for kinetic conflict do not automatically apply to cyberattacks. However, the Lloyd's Y5381 response specifically addresses this gap with new, cyber-specific exclusion language. Policies written or renewed after March 2023 with Lloyd's syndicates contain much clearer (and broader) cyber war exclusions than the language that courts rejected in the Merck and Mondelez cases.
War Exclusions by Insurance Type
| Insurance Type | War Exclusion Scope | Key Considerations |
|---|---|---|
| Property Insurance | Broad - excludes damage from war, military action, and often terrorism (unless TRIA applies) | Physical damage from military conflict is excluded. Applies to homes, businesses, and commercial property. |
| Cyber Insurance | Expanding - post-Lloyd's Y5381, explicit state-backed attack exclusions are now standard | The most actively changing category. Exclusion language varies significantly between carriers. |
| Travel Insurance | Broad - excludes claims arising from travel to active conflict zones | Some policies exclude "known events" - if a conflict existed before purchase, related claims are denied. |
| Life Insurance | Varies - many policies contain war clauses that void coverage for death in military service or conflict zones | U.S. military members receive SGLI (Servicemembers' Group Life Insurance) as an alternative. Civilian deaths in conflict zones may or may not be covered. |
| Business Interruption | Broad - war, sanctions, and government-ordered shutdowns often excluded | Sanctions compliance can itself cause business interruption (losing access to suppliers or customers) but is typically not covered. |
| Marine/Cargo Insurance | Separate war risk coverage required - standard marine policies exclude war | War risk premiums for Red Sea transit increased from 0.07% to over 1% of cargo value due to Houthi attacks. |
Alternatives and Gap Coverage
Several products and programs exist to fill the gaps created by war exclusions:
- Terrorism Risk Insurance Act (TRIA): U.S. federal program that provides a backstop for insured losses from certified acts of terrorism. Requires the Secretary of the Treasury to certify an event as an "act of terrorism" - a political determination that has never been made for a cyberattack. TRIA does not cover acts of war.
- Standalone war risk insurance: Available primarily for marine cargo, aviation, and political risk. Lloyd's and specialty markets offer war risk policies, though premiums have increased sharply since 2022. Coverage typically follows the Joint War Committee's listed areas of perceived risk.
- Political risk insurance: Covers losses from government actions including expropriation, political violence, currency inconvertibility, and contract frustration. Available from private insurers and the Multilateral Investment Guarantee Agency (MIGA, a World Bank Group member). Relevant for businesses operating in or near conflict zones.
- Parametric insurance: Pays a fixed amount when a defined trigger event occurs (e.g., a cyberattack lasting more than 72 hours, a specific index reaching a threshold). Avoids the attribution and causation disputes that plague traditional war exclusion claims.
- Captive insurance: Larger organizations self-insure through captive insurance entities for risks that the commercial market excludes or prices prohibitively. Cyber war risk is increasingly retained through captives.
Frequently Asked Questions
Does my homeowners insurance cover damage from a military conflict?
No. Standard homeowners insurance policies contain war exclusions that remove coverage for damage caused by armed conflict, invasion, insurrection, or military action. If a conflict resulted in physical damage to your property, the war exclusion would almost certainly apply. Separate coverage for political violence or terrorism may be available as an endorsement but is not standard.
If a Russian cyberattack disables my business, will cyber insurance pay?
It depends entirely on your policy's war exclusion language and whether the attack is attributed to the Russian state. Under older policy language (pre-2023), courts sided with policyholders in the Merck case, finding that traditional war exclusions did not apply to cyberattacks. Under the new Lloyd's Y5381 exclusion language (post-March 2023), state-backed cyberattacks are explicitly excluded in most Lloyd's syndicate policies. Non-Lloyd's carriers vary - some have adopted similar language, others maintain broader coverage. Read your specific policy's cyber war exclusion carefully.
What is the difference between a war exclusion and a terrorism exclusion?
War exclusions remove coverage for acts committed by or on behalf of sovereign nations. Terrorism exclusions address acts by non-state groups motivated by political, religious, or ideological objectives. The distinction matters because terrorism may be covered (especially in the U.S. under TRIA), while war is almost universally excluded. However, the line between state-sponsored terrorism and acts of war is increasingly blurred - Houthi attacks on shipping, for example, involve a non-state group backed by a state (Iran), creating classification disputes.