Cyber war clauses

Following Lloyd’s Bulletin Y5381 that confirmed a number of Lloyd’s requirements for clarity in insurance policies regarding state backed cyber-attack exposure, the LMA has conducted a review of sample clauses that have been submitted for consideration.

The LMA is not providing advice as to whether any of these clauses will be effective as an exclusion or the extent to which it will provide coverage or the extent to which it will apply to any particular set of facts. This will amongst other things depend upon the applicable law and jurisdiction and also the dispute resolution mechanism selected.  It is for underwriters to decide whether or not any contractual language is acceptable on any given risk.  If in doubt, Underwriters should take their own legal advice to satisfy themselves that the clause is appropriate.

Following this review, the LMA can confirm which carriers’ clauses are compliant with the Lloyd’s requirements set out in the bulletin. Underwriters should therefore be able to use or follow knowing that the cyber language is compliant with the Lloyd’s requirements.

Link to Clause Notes Clause Type (per Lloyd's Attestation Letter) 
LMA5564A, LMA5564B
  1. The lack of attribution in the 'B' version means that, in order for managing agents to be compliant, they will need to articulate to Lloyd's how they expect attribution to be addressed.
  Type 1
LMA5565A, LMA5565B, LMA5566A, LMA5566B
  1. The lack of attribution in the 'B' version means that, in order for managing agents to be compliant, they will need to articulate to Lloyd's how they expect attribution to be addressed.
  Type 2
LMA5567A, LMA5567B
  1. The lack of attribution in the 'B' version means that, in order for managing agents to be compliant, they will need to articulate to Lloyd's how they expect attribution to be addressed.
  Type 3
LMA5567 - Variant None  Type 3
LMA5567A - Variant (Hamilton) None   Type 2
LMA5567B - Variant
  1.  The lack of attribution means that, in order for managing agents to be compliant, they will need to articulate to Lloyd’s how they expect attribution to be addressed.
  2. The definition of impacted state is drafted such that the cyber operation causing an impacted state exclusion (clause 1.3) is not triggered where the cyber operation solely impacts the insured. We understand that Lloyd’s will seek to understand the underwriting controls managing agents have in place when providing such coverage.
  Type 3
Cyber ERM Policy (US) - Chubb
  1. The assessment of compliance has been based on usage of the ERM Policy (US or International) with the ERM General Amendatory Endorsement applied to the US wording (noting the provisions of that endorsement are included in the International wording).
  2. When a managing agent elects to use the Widespread Event Endorsement, we would encourage them to monitor and manage the limits offered. We understand that Lloyd’s will seek to understand the underwriting controls managing agents have in place when providing such coverage.
  Type 5
Cyber ERM Policy (international) - Chubb
Cyber ERM General Amendatory Endorsement – Chubb
Cyber ERM Widespread Event Endorsement (US)- Chubb
Cyber ERM Widespread Event Endorsement (International) - Chubb
LMA5567A – Variant (Stream)
  1. The writeback for cyber operations that cause a state to become and impacted state includes those cyber operations which only impact a single entity.
  Type 3
War and Cyber War Exclusion - Beazley
  1. The lack of attribution means that, in order for managing agents to be compliant, they will need to articulate to Lloyd’s how they expect attribution to be addressed.
  Type 3
War and State Cyber Operation Exclusion - AIG  None  Type 3
War and State Cyber Operation Exclusion (no carveback) - AIG  None  Type 2
War & Cyber Operation Exclusion - Marsh
    1.  The lack of attribution means that, in order for managing agents to be compliant, they will need to articulate to Lloyd’s how they expect attribution to be addressed.
    2. This clause includes a writeback for losses incurred following a cyber operation as part of a war, where such losses are located outside a sovereign state that is party to that war. When a managing agent elects to provide this coverage, we would encourage them to monitor and manage the limits offered. We understand that Lloyd’s will seek to understand the underwriting controls managing agents have in place when providing such coverage.
    3. The definition of impacted state is drafted such that the cyber operation causing an impacted state exclusion (clause 1.3) is not triggered where the cyber operation solely impacts the insured or any one essential services provider. We understand that Lloyd’s will seek to understand the underwriting controls managing agents have in place when providing such coverage.
    		  Type 4
    War Exclusion - Arch  None  Type 3
    CyberAcuView Base Policy  
    1.  The assessment of compliance has been based on the usage of the CyberAcuView Base Policy with Extension No. 21 - War and Extension No. 6 - Infrastructure Exclusion. The addition of Extension No. 20 - Widespread Event where used as an exclusion further addresses REQUIRMENT B.
    2. When a managing agent elects to use Extension No. 20 - Widespread Event as a coverage grant, we would encourage them to monitor and manage the limits offered. We understand that Lloyd's will seek to understand the underwriting controls managing agents have in place when providing such coverage.
    		  Type 5
    CyberAcuView Extension No. 6 - Infrastructure 
    CyberAcuView Extension No. 20 - Widespread Event
    CyberAcuView Extension No.21 - War

    War Exclusion - Mosaic

    1. The lack of attribution means that, in order for managing agents to be compliant, they will need to articulate to Lloyd’s how they expect attribution to be addressed.
    		  Type 3
    War, Cyber Operations, Terrorism and Civil Disturbance Exclusion - TMHCC
    1. Certain terms (Circumstance, Insurer, Insured, Loss, Reported, Cyber Attack, Cyber Event, IT Response Team) are contained in the Cyber Security Insurance policy document and therefore this clause is only compliant with Lloyd's Requirement E (ensure all key terms are clearly defined) when attached to that policy or when a definition of such terms is added to the clause.
    		  Type 2
    War, Cyber Operations, Terrorism and Civil Disturbance Exclusion (with carveback) - TMHCC
    1. Certain terms (Circumstance, Insurer, Insured, Loss, Reported, Cyber Attack, Cyber Event, IT Response Team) are contained in the Cyber Security Insurance policy document and therefore this clause is only compliant with Lloyd's Requirement E (ensure all key terms are clearly defined) when attached to that policy or when a definition of such terms is added to the clause.
    		  Type 3
     Trium War Exclusion  None  Type 3
     War Exclusion 23-01 - AIG
    1. The lack of attribution means that, in order for managing agents to be compliant, they will need to articulate to Lloyd’s how they expect attribution to be addressed.
    2. The definition of impacted state is drafted such that the cyber operation causing an impacted state exclusion (clause 1.3) is not triggered where the cyber operation solely impacts the insured. We understand that Lloyd’s will seek to understand the underwriting controls managing agents have in place when providing such coverage
    		  Type 3
     War Exclusion 23-02 - AIG 
    1. The definition of impacted state is drafted such that the cyber operation causing an impacted state exclusion (clause 1.3) is not triggered where the cyber operation solely impacts the insured. We understand that Lloyd’s will seek to understand the underwriting controls managing agents have in place when providing such coverage
    		  Type 3
     War Exclusion 23-03 - AIG
    1. The lack of attribution means that, in order for managing agents to be compliant, they will need to articulate to Lloyd’s how they expect attribution to be addressed.
    2. The definition of impacted state is drafted such that the cyber operation causing an impacted state exclusion (clause 1.3) is not triggered where the cyber operation solely impacts the insured. We understand that Lloyd’s will seek to understand the underwriting controls managing agents have in place when providing such coverage
    		  Type 3
    AON War and Cyber Operation Exclusion (Aon Amended A)  None  Type 3
    AON War and Cyber Operation Exclusion (Aon Amended B)  None  Type 3
    WTW Type 5 (AcuView)
    (war exclusion with extensions)
    1. The assessment of compliance has been based on the usage of the WTW War Exclusion Endorsement with ‘Extension No. 1 – Attribution of a Cyber Operation’ (where the original policy does not contain attribution language) and ‘Extension No.2 – Infrastructure Exclusion’ (to be used where the original policy does not contain an exclusion that meets the Lloyd’s requirement to exclude ‘significant impairment losses’ or contains an infrastructure exclusion that is narrower than Extension No.2).
    2. When managing agents elect to use this exclusion, we would encourage them to monitor and manage the limits offered. We understand that Lloyd's will seek to understand the underwriting controls managing agents have in place.
    		 Type 5
    WTW War Exclusion Endorsement
    Extension No.1 – Attribution of a Cyber Operation 
    Extension No.2 – Infrastructure Exclusion 
    War or Cyber Operation Excluded Endorsements (U-SPR-1305-A CW (09/23)) (US)
    1. The lack of attribution means that, in order for managing agents to be compliant, they will need to articulate to Lloyd's how they expect attribution to be addressed.
    		  Type 3
    War or Cyber Operation Excluded Endorsements (U-ZPRO-804-A CW (09/23)) (US)
    1. The lack of attribution means that, in order for managing agents to be compliant, they will need to articulate to Lloyd's how they expect attribution to be addressed.
    		  Type 3
    Version A (Global)  None.  Type 3
    Version B (Global)
    1. The lack of attribution in the 'B' version means that, in order for managing agents to be compliant, they will need to articulate to Lloyd's how they expect attribution to be addressed.
    		  Type 3