For years, cyber insurance relied on generic war exclusions that rarely shaped enterprise decisions. That changed when NotPetya, a Russia‑linked attack, caused billions in collateral damage across a blast radius of unrelated organizations and triggered prolonged legal battles over whether traditional war clauses applied to cyber events. The result was landmark settlements for plaintiffs Merck and Mondelez in the amounts of $1.4 billion and $100 million, respectively.

The start of the Russia-Ukraine War in early 2022 added more pressure. The market response was decisive. In mid-2022, Lloyd’s of London issued requirements for state-backed cyberattack exclusions in standalone policies. In 2024, Lloyd’s updated the requirements to further tighten wording for multiple types of exclusion clauses, with one widely used clause explicitly excluding losses arising from war and state‑backed cyber operations connected to war. In the context of an active Iran conflict, the type of clause within a particular cyber insurance policy determines whether a company’s worst‑case cyber scenario is insured or effectively self‑insured. Today, this is no longer a debate about wording but a test of enterprise risk exposure under geopolitical tensions, a top systemic risk.

The Iran War Turned The Fine Print Into A Coverage Trigger

As cyber warfare outpaces static policy language, insurance markets are no longer treating state‑sponsored attacks as edge cases. They are using them to make real‑time decisions about what is covered, what is excluded, where sublimits apply, and how risk is priced at renewal.

Iran is not just another geopolitical headline. It’s a live test shaping how cyber war language will be interpreted, enforced, and tightened across the cyber insurance market with structural implications.

Context, Not Controls, Now Determines Coverage

Coverage now hinges less on the technical aspects of an incident and more on the attribution (who an attack is officially deemed to originate from) and context (the details surrounding the circumstances of a cyber event). Organizations can no longer assume that a cyber policy will cover a cyberattack simply because the event resembles familiar ransomware, outages, or data destruction. The dividing line between a covered loss and an excluded event now runs through war wording, not the security stack.

This marks a fundamental shift in enterprise risk management, where context, not controls, determines whether an incident is covered by insurance.

What To Do Now

Cyber war exclusions are not an insurance technicality or a legal footnote but a mechanism for reallocating catastrophic cyber risk back to the enterprise. Here’s what security and risk pros need to do now:

  • Escalate decisions, not detail, to the board. Boards don’t need clause‑by‑clause walkthroughs. They need scenarios that quantify business impact, clarify what the policy is likely to pay, and expose what it will not. That framing enables explicit direction on risk appetite, acceptable uncovered loss, and willingness to pursue alternative risk transfer.
  • Translate war language into business outcomes. Convert war and state‑backed clauses into a small set of “what if” scenarios that show when coverage applies, when it fails, and which actor thresholds trigger exclusion. CISOs must document the resulting gaps and work with risk pros to make explicit choices: Change insurers, adjust limits, or consciously retain the risk.
  • Stress-test coverage against attribution paths. Insurers have different approaches to attribution. Some defer to government determinations. Others rely on claims processes or courts. Model multiple attribution outcomes (criminal, suspected state‑backed, formally attributed), and test each against current wording to identify where coverage holds, where it becomes disputed, and where it switches off.
  • Operationalize incident readiness for coverage ambiguity. Assume that attribution disputes and delayed coverage decisions will complicate response. Preplan for ransomware and destructive scenarios where insurers may pause, limit, or deny payment by socializing and practicing incident escalation and breach disclosure paths, liquidity access, incident response retainers, and recovery sequencing under partial or no insurance response. Pressure‑test those assumptions through executive‑level ransomware and crisis simulations.

Forrester clients can schedule a guidance session to discuss geopolitical risks, cyber insurance, and incident readiness further.