Threats & Attacks

The War Exclusion in Your Cyber Policy: Why Being Collateral Damage Might Not Be Covered

Wednesday 8 April 2026

Hello, Mauven here.

I spent several years working in government cyber analysis before moving into the private sector. One of the things that shapes how I see the cyber insurance market is a particular understanding of how nation-state cyber operations actually work. They are not surgical. They are not targeted at specific small businesses in Bristol or Dundee. But they can reach those businesses anyway, through supply chains, through shared infrastructure, through malware that spreads beyond its intended target population.

That reality is precisely why what I want to discuss today matters. There is a clause in most UK cyber policies placed through the Lloyd’s market that could leave your losses uncovered if you happen to be in the path of a state-backed campaign. Most SMB policyholders have never read it.

Important note. This article is for information and educational purposes only. It does not constitute regulated insurance advice. If you have questions about your specific policy or coverage position, please speak with a qualified, FCA-authorised broker.

Lloyd’s Market Bulletin Y5381

In August 2022, Lloyd’s issued Market Bulletin Y5381, which requires all standalone cyber-attack policies placed through the Lloyd’s market to include an exclusion for losses arising from state-backed cyber operations. The requirement came into effect from 31 March 2023, at the inception or renewal of each policy.

This is not a fringe development. A substantial proportion of UK commercial cyber insurance is placed through the Lloyd’s market. If your policy was placed or renewed after March 2023, and it is a standalone cyber policy through a Lloyd’s syndicate, it almost certainly contains some version of this exclusion.

The minimum requirements set out in Y5381 are that the exclusion must:

  • Exclude losses arising from war, whether declared or not, where the policy does not already have a war exclusion
  • Exclude losses from state-backed cyber-attacks that significantly impair the ability of a state to function, or that significantly impair a state’s security capabilities
  • Set out a clear basis for how a state-backed attack will be attributed

The wording you will find in policies is typically something like “losses directly or indirectly arising from a state-backed cyber operation.” That phrase, “directly or indirectly,” is doing a great deal of work.

What Is a State-Backed Cyber Operation?

The Lloyd’s requirements define the concept in terms of attacks carried out by or on behalf of a government, aimed at causing harm or disruption. The focus is on attacks with major detrimental impact on essential services, energy grids, health systems, and financial infrastructure.

The implicit assumption is that this protects insurers from catastrophic systemic losses, where a single state-sponsored campaign could generate claims across thousands of policyholders simultaneously. That is a legitimate concern. The global cyber insurance market simply cannot absorb the financial consequences of a sophisticated, sustained nation-state attack on critical infrastructure.

The problem is the gap between that intent and how the exclusion is drafted.

The Collateral Damage Problem

The NotPetya malware, which security agencies including NCSC attributed to the Russian military’s GRU intelligence directorate, was deployed in June 2017. Its primary targets were Ukrainian organisations, particularly those involved in financial, energy, and government sectors. It caused significant disruption to Ukrainian infrastructure.

It also caused approximately $1.4 billion in losses to Merck, the US pharmaceutical company. It disrupted shipping operations at Maersk. It cost TNT Express hundreds of millions. These were not the targets. They were collateral damage, caught because they operated in or had connections to the affected infrastructure.

If a campaign of similar scale occurred today, under policies that include the Y5381 exclusion, the question of whether those collateral losses are covered would be genuinely uncertain. The exclusion wording in most policies does not cleanly distinguish between targeted victims and unintended bystanders. “Losses directly or indirectly arising” could, depending on how a court interprets it, sweep in organisations that had no particular connection to the state actor’s objectives.

For context, Merck’s insurers initially attempted to invoke a traditional war exclusion to avoid paying its claim. A New Jersey court ruled in 2022 that the existing war exclusion wording did not apply to the cyber attack in question. The parties settled the matter confidentially. That outcome will not necessarily be replicated under the new Y5381 wordings, which are specifically drafted to address the gap that the Merck case exposed.

The Attribution Problem

Here is where the legal uncertainty becomes particularly acute, and where my background in government cyber analysis is relevant.

The exclusion requires the parties to agree on how a state-backed attack will be attributed. But attribution in practice is extremely difficult. Nation-states regularly use third-party criminal groups as proxies. Evidence of state involvement is often classified. Governments may attribute attacks for political reasons that have nothing to do with the available technical evidence. And two different governments may reach opposite conclusions about the same incident.

The Y5381 wording relies on “objectively reasonable evidence” of state attribution. In many cases, that evidence will be a public statement by the UK government or an intelligence agency. But what happens when the attack is ambiguous? When a criminal ransomware group is suspected to have state connections but no government has made a formal attribution? When the attribution is disputed between states?

Lawyers who specialise in this area are already describing the attribution question as the issue most likely to generate disputes in future claims. I agree with that assessment. This is going to end up in the courts, probably more than once, and the outcomes are not predictable.

What This Means for a Plumbing Firm in Wigan

The practical question for the SMB reading this is: does this affect me?

The answer is: potentially, yes, in a way that is easy to miss.

Nation-state malware does not come with a personalised address label. It spreads through shared infrastructure, software supply chains, and managed service providers. If a state-backed campaign compromises a widely used software package, or a major managed service provider, every business that uses that software or MSP is at risk of being swept up.

The M&S and Co-op ransomware incidents in early 2025, attributed in reporting to the DragonForce group, illustrated how a single supply chain attack can cascade across multiple organisations with no direct connection to the original target. If a future campaign of that type is attributed to a state actor, and your policy contains a broad Y5381 exclusion, your claim may be challenged regardless of your own security posture.

The scenario does not require you to be targeted. It requires you to be connected to the affected infrastructure in any way.

The Questions to Ask Your Broker

There are three specific questions I would recommend putting to your broker or insurer:

1. Does my policy contain a state-backed cyber-attack exclusion? If so, ask for the exact wording. Not a paraphrase. The actual clause.

2. How broad is the exclusion? Some wordings are more limited than others. Some try to protect “bystander” businesses that are caught incidentally. Others sweep broadly. The difference matters.

3. How does my policy handle attribution? What evidence is required? What process applies if attribution is disputed? Who makes the determination?

You may not be able to negotiate the exclusion away. It is mandatory for Lloyd’s market policies. But understanding exactly what you are and are not covered for is the starting point for making an informed decision about your risk position.

A Note on Alternative Markets

Not all UK cyber insurance is placed through Lloyd’s. Some policies are issued by non-Lloyd’s carriers who are not subject to Y5381. Some markets are offering affirmative cover for state-backed attack losses as a separate, clearly defined add-on.

This is worth discussing with your broker, particularly if you operate in a sector that is more likely to be targeted or caught in the crossfire of state-sponsored campaigns: financial services, healthcare, legal, government supply chain, energy, or critical infrastructure adjacent businesses.

The coverage options are changing as the market matures. What was unavailable eighteen months ago may now be available at a price.

How to Turn This Into a Competitive Advantage

Understanding the state-backed exclusion, and being able to articulate your coverage position clearly, is a mark of risk management sophistication that most SMBs cannot demonstrate.

If you supply to larger organisations, particularly in regulated sectors, the ability to say “we have reviewed our cyber policy, understand the Y5381 exclusion and its scope, and have discussed our options with our broker” positions you as a supplier who treats risk management seriously. That conversation has real value in procurement and due diligence processes.

How to Sell This to Your Board

Systemic risk. The Y5381 exclusion was introduced because a single nation-state campaign could, in theory, generate claims across thousands of policyholders simultaneously. That systemic risk is real. The board needs to understand that cyber insurance does not transfer all risk, and that state-linked incidents are specifically excluded.

Supply chain exposure. If your business relies on a managed service provider, shared software infrastructure, or cloud services that could be targeted in a state campaign, your exposure to the exclusion is higher than it might appear.

Informed decision-making. Reviewing the exclusion and discussing options with a broker is a low-cost action that produces a much clearer picture of your actual coverage. It should be on the annual risk review agenda.

What This Means for Your Business

Read the exclusion in your policy. Not the summary. The actual wording.

Ask your broker the three questions I listed above. Before your next renewal.

If you operate in a sector that is regularly mentioned in government threat intelligence, or if your supply chain involves organisations that are plausible targets for state-sponsored campaigns, consider discussing whether alternative coverage options exist.

This is not a reason to avoid cyber insurance. It is a reason to buy it with your eyes open.


Listen to the full episode discussion: The Small Business Cyber Security Guy Podcast - Episode 15

Sources

  • Lloyd’s of London, Market Bulletin Y5381: State-backed Cyber-attack Exclusions (August 2022)
  • Lloyd’s of London, Market Bulletin Y5433: Updated State-backed Cyber-attack Requirements (May 2024)
  • Clifford Chance, Lloyd’s Cyber War Exclusion: Key Issues and Attribution Challenges
  • DWF Group, Lloyd’s Requirements for State-backed Cyber-attack Exclusions
  • Kennedys Law, New Lloyd’s Market Bulletin Addresses State-backed Cyber Attacks
  • NCSC, NCSC Threat Reports
  • legislation.gov.uk, Insurance Act 2015

Filed under

  • cyber-insurance
  • nation-state-attacks
  • uk-business
  • lloyds-exclusion
  • threat-intelligence
  • smb-security
  • 2026-threats