Exclusions are the provisions in an insurance policy where the insurer says: even if this loss appears to fall within the coverage we described, we will not pay for it. Every insurance policy has exclusions. They are not buried in fine print by accident — they define the actual boundaries of coverage, and understanding them is just as important as understanding what the policy covers. A business that reads only the coverage provisions of its cyber policy and ignores the exclusions does not have a complete picture of what it has purchased.

Cyber insurance policies have several exclusions that are particularly significant and that have been the subject of major legal disputes. In some cases, these disputes have involved hundreds of millions of dollars and have reached appellate courts. In other cases, they have been resolved through settlements whose terms suggest that neither side was confident in its position. The resulting case law and market evolution have shaped how modern cyber policies are written, but the exclusions that generated those disputes still exist in various forms in most policies today.

Understanding your policy’s exclusions before a loss occurs is one of the most practical and valuable things a business owner or their attorney can do. By the time you are attempting to file a claim after a major cyber incident, it is too late to negotiate the exclusions. The time to identify gaps — and to decide whether to seek coverage elsewhere or accept the uninsured exposure — is when you are choosing and renewing your policy. This page covers the most significant exclusions in cyber insurance policies and explains what they mean for your business.

The War Exclusion — and Why It Matters for Cyber

Insurance policies have excluded losses caused by war and acts of war for centuries. The rationale is straightforward: war creates potentially unlimited, correlated losses that no private insurer could absorb. If every business in the path of a military campaign could file an insurance claim, the financial exposure would be incalculable. For most of insurance history, the war exclusion was uncontroversial — it applied to physical combat, and the distinction between a covered loss and a wartime loss was usually obvious.

Cyberattacks shattered that clarity. In June 2017, malicious software known as NotPetya spread globally from what researchers, and later several Western governments, concluded was a cyberattack by the GRU, Russia’s military intelligence service, initially targeting Ukrainian infrastructure. NotPetya escaped those initial targets and spread to companies around the world, causing an estimated $10 billion in total damages. Individual company losses were staggering: shipping giant Maersk lost an estimated $250 to $300 million; pharmaceutical company Merck reported losses of approximately $870 million; food company Mondelez put its losses at more than $100 million. When these companies submitted claims, in several of the best-known cases under all-risk property policies rather than standalone cyber policies, insurers denied coverage by invoking the war exclusion on the grounds that NotPetya was a state-sponsored cyberattack.

The resulting litigation produced landmark decisions. In the Merck case, a New Jersey trial court ruled in 2022, and the state’s Appellate Division affirmed in 2023, that Merck’s insurers could not invoke the war exclusion: the property policy’s “hostile or warlike action” language, read in context, referred to traditional armed conflict and did not clearly reach a cyberattack, and in insurance law ambiguous exclusions are construed against the insurer. The insurers settled with Merck in early 2024 before the New Jersey Supreme Court could hear the appeal. In the Mondelez case, the company and its insurer Zurich reached a confidential settlement in 2022 after years of litigation. These cases sent a clear signal to the insurance industry: the traditional war exclusion language, drafted before cyberattacks existed, did not reliably exclude state-sponsored cyber losses.

The market response was significant. In August 2022 Lloyd’s of London issued a market bulletin requiring that, at inception or renewal from 31 March 2023, standalone cyber policies written by Lloyd’s syndicates exclude losses arising from war and from state-backed cyberattacks that significantly impair a state’s ability to function or its security capabilities. Today, most cyber policies include an explicit war exclusion drafted to encompass cyberattacks by or at the direction of a sovereign government or state-sponsored actor. Many policies also include a companion exclusion for cyber operations carried out in the course of an armed conflict, whether or not the operation is formally attributed to a state.

The practical challenge for businesses is attribution. When your systems are encrypted by ransomware, you almost certainly do not know in the first hours, days, or even weeks whether the attackers are independent criminal actors or state-sponsored. Formal attribution of major cyberattacks to specific nation-states often takes months or years, involves classified intelligence, and is sometimes contested or uncertain. If your insurer subsequently asserts that the attack was state-sponsored and invokes the war exclusion to deny your claim, you are in a difficult legal position. Newer model clauses often specify who decides attribution and what happens when no government attributes the attack, and those mechanics matter as much as the exclusion’s headline wording. Businesses should understand exactly what their policy’s war exclusion says, ask their broker and counsel to evaluate the breadth of the exclusion and its current market context, and understand what evidence would be required to invoke or contest it.

Prior Knowledge and Known Loss Exclusions

Insurance is designed to cover unexpected losses — events that have not yet occurred and that the policyholder does not know about at the time coverage is purchased. The prior knowledge exclusion, sometimes called the known loss exclusion, enforces this principle by denying coverage for losses that arise from events or circumstances that the policyholder knew about before the policy was bound.

The prior knowledge exclusion operates in two principal ways. First, it excludes coverage for losses that flow from a specific incident or breach that was already underway or already known when the policy took effect. If a company experienced a breach in January, discovered it in February, and then purchased a cyber policy in March without disclosing the breach, the insurer would likely deny claims related to that breach on the grounds that it was a known event predating coverage. This scenario occurs more often than might be expected: attackers frequently maintain access to a victim’s systems for months before the victim discovers the intrusion, and a policy purchased during that period may be subject to a known-loss challenge.

Second, and more broadly, most cyber insurance applications ask the applicant to certify that they are not aware of any circumstances, events, or conditions that might reasonably give rise to a claim under the policy. This representation is incorporated into the policy, and if it proves inaccurate — even if the inaccuracy was inadvertent rather than fraudulent — the insurer may have grounds to deny coverage or rescind the policy entirely. A company that received a security alert it did not fully investigate, that knew of a reported vulnerability it had not patched, or that had received a threat communication it dismissed, may find that those facts are characterized as “known circumstances” that should have been disclosed.

The practical lesson is twofold. When applying for cyber insurance, involve an attorney in the process and disclose everything you are aware of that could conceivably be relevant. The application is a legal document, and completing it carelessly creates coverage risk. And when renewing a policy, go through the renewal application with the same care — the renewal cycle is when prior knowledge questions are often asked again, and failing to disclose a security incident that occurred during the previous policy period can be as damaging as failing to disclose one when initially applying.

Infrastructure Failure and Systemic Risk Exclusions

As businesses have migrated critical operations to cloud platforms, third-party software providers, and shared digital infrastructure, insurers have become increasingly concerned about the systemic risk that this concentration creates. A significant outage at a major cloud provider, or a widely exploited vulnerability in a piece of software used by thousands of companies simultaneously, could generate insurance claims from an enormous number of policyholders at once — the kind of correlated, catastrophic loss that private insurance markets struggle to absorb.

Many cyber policies address this concern through exclusions for losses arising from the failure of shared infrastructure. These exclusions typically apply to failures of electrical power grids, telecommunications networks, and internet infrastructure that are outside the insured’s control and affect businesses broadly. A widespread internet outage caused by a failure at a major backbone provider, for example, might trigger this exclusion even if the outage caused significant business interruption losses for your company.

The treatment of cloud service provider outages is particularly important for modern businesses. Many cyber policies include some form of dependent business interruption (BI) coverage that extends to cyber events at vendors and cloud providers, but with important limitations. Some policies will cover a business interruption caused by a cyberattack on your cloud provider but will exclude an outage caused by the provider’s own internal failure or error. Others exclude cloud-related BI entirely, or impose sublimits or long waiting periods that make the coverage less meaningful in practice. Given that many businesses now depend on a small number of cloud platforms for critical operations, understanding exactly how your policy treats cloud-related outages is essential.

Systemic risk exclusions are an emerging and evolving area of cyber insurance policy language. Some insurers and reinsurers have sought to exclude or limit coverage for events that affect a large number of policyholders simultaneously — a major ransomware campaign exploiting a common vulnerability, for instance, or a supply chain attack that infiltrates widely used software. The market has not yet settled on standard language for these exclusions, and their scope varies significantly from policy to policy. This is an area where working with a specialist broker who follows the market closely is particularly valuable.

Contractual Liability Exclusions

Cyber insurance policies, like most liability insurance policies, exclude liability that the insured has assumed by contract beyond what would exist at common law. This is the contractual liability exclusion, and it has significant practical implications for technology companies, managed service providers, and any business that enters into contracts containing broad indemnification obligations or specific performance guarantees.

The exclusion operates on a straightforward principle: if you voluntarily agreed to take on greater liability than the law would otherwise impose on you, the insurance company did not price your coverage to include that voluntarily assumed obligation, and it will not cover losses flowing from it. In plain terms, if your contract contains a promise that goes beyond what you would owe absent the contract, and a cyber event causes you to break that promise, the cyber policy may decline to cover the resulting claim.

Common examples include software-as-a-service contracts that guarantee specific uptime percentages or specific security standards. If your SaaS contract promises 99.9% uptime and a ransomware attack causes an outage that breaches that guarantee, the client’s claim against you for that breach may be characterized as a contractual liability — an obligation you assumed by contract rather than one imposed by law — and excluded from coverage. Similarly, if your contract includes an indemnification clause that obligates you to hold your client harmless for any losses arising from your security failures, the breadth of that contractual indemnification may exceed what the law would independently require, creating potential exclusion issues.

The implication for business owners is that both your contracts and your insurance policies need to be reviewed in relation to each other. An attorney who understands your contractual obligations can identify the specific commitments that create risk under the contractual liability exclusion. A broker who understands your policy can advise on whether the exclusion has exceptions or limitations that might preserve coverage for certain types of contractual liability. Leaving these two documents in separate silos — reviewed only by whoever handles each individually — creates a meaningful and unnecessary gap.

Unencrypted Data and Security Control Warranties

The modern cyber insurance underwriting process is substantially more rigorous than it was five years ago. Insurers now ask detailed questions about security controls as part of the application process: Does your organization require multi-factor authentication for remote access and privileged accounts? Is sensitive data encrypted at rest and in transit? Do you maintain immutable backups stored offline or in a separate environment from your primary systems? Do you have endpoint detection and response tools deployed across your environment? How do you manage third-party vendor access to your systems?

These questions are not merely informational. The answers are incorporated into the insurance policy as warranties or representations, and if they are inaccurate, either because you misrepresented your security posture when applying, or because the controls you had in place at the time of application subsequently lapsed, the insurer has grounds to deny coverage. Which label applies matters: depending on jurisdiction, a breach of warranty can void coverage even where the misstatement had nothing to do with the loss, while a misrepresentation typically must be material before it affects coverage. This is one of the most serious risks in cyber insurance, and it is one that many business owners do not fully appreciate.

The unencrypted data issue deserves specific attention. Many cyber policies include provisions that limit or eliminate coverage for breaches involving sensitive data that was not encrypted. If your company stores customer payment card information, Social Security numbers, or health records without encrypting them, and that data is compromised in a breach, your insurer may invoke an unencrypted data limitation to reduce or deny your claim. This creates a direct link between your security practices and your insurance coverage: the technical choices your IT team makes are not just a security matter, they are an insurance matter.

The lesson for business owners is to treat the security representations in a cyber insurance application as legal obligations, not as a questionnaire to be completed quickly. Before completing an application, work with your IT team to verify that the controls you are representing exist and are actually functioning, and keep the evidence of that verification. After the policy is bound, treat the maintenance of those controls as a continuing obligation, because it is. If your organization lets multi-factor authentication lapse for a subset of accounts, or lets endpoint protection lapse on a subset of devices, and a breach occurs during that period, you have created a coverage dispute that was entirely avoidable.
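The verification step described above, as an added example that is not part of the original page: a small Python check that compares a constructed asset inventory against the four control questions most often asked on a cyber application (MFA on privileged and remote accounts, a reporting EDR agent on every endpoint, immutable and isolated backups with a recent restore test, encryption of sensitive data at rest and in transit). The inventory fields, thresholds and asset names are all assumptions invented for this example, not any insurer’s actual form; the point is that each “yes” on the application is derived from the inventory rather than asserted from memory.

```python
"""Added example (not from the original page): a 'warranty drift' check that
compares an asset inventory against the control questions a cyber insurance
application typically asks. Inventory fields, thresholds and sample data are
constructed assumptions, not any insurer's actual form."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Date the attestation is being made; constructed to match the sample data.
AS_OF = date(2024, 6, 30)

@dataclass
class Account:
    name: str
    privileged: bool
    remote_access: bool
    mfa_enforced: bool

@dataclass
class Endpoint:
    hostname: str
    edr_installed: bool
    edr_last_checkin: Optional[date]   # None if the agent has never reported

@dataclass
class Backup:
    name: str
    immutable: bool
    isolated: bool                     # offline or in a separate environment
    last_restore_test: Optional[date]

@dataclass
class DataStore:
    name: str
    sensitive: bool                    # card data, SSNs, health records, ...
    encrypted_at_rest: bool
    tls_in_transit: bool

@dataclass
class Finding:
    control: str                       # one of CONTROLS
    asset: str
    detail: str

CONTROLS = ("mfa", "edr", "backup", "encryption")

def check_controls(accounts: List[Account], endpoints: List[Endpoint],
                   backups: List[Backup], stores: List[DataStore],
                   today: date, max_checkin_days: int = 7,
                   max_restore_test_days: int = 90) -> List[Finding]:
    """Return one Finding per gap between the inventory and the stated controls."""
    findings: List[Finding] = []
    for a in accounts:
        # Applications ask about privileged *and* remote-access accounts;
        # service accounts are the ones most often missed by an MFA rollout.
        if (a.privileged or a.remote_access) and not a.mfa_enforced:
            findings.append(Finding("mfa", a.name, "MFA not enforced"))
    for e in endpoints:
        if not e.edr_installed:
            findings.append(Finding("edr", e.hostname, "EDR agent not installed"))
        elif e.edr_last_checkin is None or (today - e.edr_last_checkin).days > max_checkin_days:
            # Installed but silent is functionally the same as absent.
            findings.append(Finding("edr", e.hostname, "EDR agent not reporting"))
    for b in backups:
        if not (b.immutable and b.isolated):
            findings.append(Finding("backup", b.name, "not immutable and isolated"))
        if b.last_restore_test is None or (today - b.last_restore_test).days > max_restore_test_days:
            findings.append(Finding("backup", b.name, "no recent restore test"))
    for s in stores:
        if s.sensitive and not s.encrypted_at_rest:
            findings.append(Finding("encryption", s.name, "sensitive data unencrypted at rest"))
        if s.sensitive and not s.tls_in_transit:
            findings.append(Finding("encryption", s.name, "sensitive data unencrypted in transit"))
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Number of gaps per control."""
    return {c: sum(1 for f in findings if f.control == c) for c in CONTROLS}

def attestation(findings: List[Finding]) -> Dict[str, bool]:
    """The yes/no answer you could truthfully give per control: True only if no gap."""
    return {c: n == 0 for c, n in summarize(findings).items()}

def sample_inventory() -> Tuple[List[Account], List[Endpoint], List[Backup], List[DataStore]]:
    """Constructed sample inventory; every name and date here is made up."""
    accounts = [
        Account("domain-admin", privileged=True, remote_access=False, mfa_enforced=True),
        Account("vpn-contractor", privileged=False, remote_access=True, mfa_enforced=False),
        Account("svc-backup", privileged=True, remote_access=False, mfa_enforced=False),
        Account("alice", privileged=False, remote_access=False, mfa_enforced=False),
    ]
    endpoints = [
        Endpoint("ws-001", True, date(2024, 6, 29)),
        Endpoint("ws-002", True, date(2024, 5, 1)),      # agent stopped reporting
        Endpoint("lab-03", False, None),                 # never enrolled
    ]
    backups = [
        Backup("nightly-s3", immutable=True, isolated=True, last_restore_test=date(2024, 5, 15)),
        Backup("nas-sync", immutable=False, isolated=False, last_restore_test=None),
    ]
    stores = [
        DataStore("customers-db", sensitive=True, encrypted_at_rest=True, tls_in_transit=True),
        DataStore("legacy-hr-share", sensitive=True, encrypted_at_rest=False, tls_in_transit=False),
        DataStore("marketing-assets", sensitive=False, encrypted_at_rest=False, tls_in_transit=True),
    ]
    return accounts, endpoints, backups, stores

if __name__ == "__main__":
    findings = check_controls(*sample_inventory(), AS_OF)
    for f in findings:
        print(f"[{f.control}] {f.asset}: {f.detail}")
    print("Can truthfully attest:", attestation(findings))
```

Run against the sample inventory, every one of the four controls comes back False, even though each was deployed somewhere: the gaps are a service account outside the MFA policy, an endpoint whose agent went quiet, a secondary backup target that is neither immutable nor tested, and a legacy file share. Those are exactly the partial lapses the paragraph above warns about, and the same check re-run on a schedule after binding is the evidence that the warranted controls were still functioning on the day of a loss.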

Bodily Injury and Property Damage Exclusions

Cyber insurance covers financial harm and liability arising from digital events. It is not designed to cover physical harm to people or physical damage to property, and most cyber policies include explicit exclusions for bodily injury and property damage even when those physical harms were caused by a cyberattack. This exclusion is straightforward in the context of traditional cyber risks — a data breach does not cause bodily injury, and there is no coverage dispute to be had. But for businesses whose operations involve physical systems that are networked and digitally controlled, the exclusion creates a meaningful gap.

Consider a hospital whose patient care systems are disrupted by a ransomware attack, resulting in delayed treatment and patient harm. The cyber insurance policy will typically cover the hospital’s incident response costs, business interruption losses, and regulatory exposure. But if a patient or their family brings a claim for bodily injury resulting from the disruption to care, that claim falls under the bodily injury exclusion and is not covered by the cyber policy. The claim would need to be addressed under the hospital’s general liability or medical malpractice coverage, policies that may themselves have exclusions for cyber-related events, potentially creating a gap between the two.

The same dynamic applies to industrial and operational technology environments. A cyberattack that disrupts a manufacturing facility’s control systems and causes physical equipment damage, or one that compromises utility infrastructure in ways that cause physical harm, may generate losses that fall outside both the cyber policy’s coverage and the property policy’s coverage — the former because of the bodily injury and property damage exclusion, the latter because of the property policy’s cyber exclusion. For businesses with significant operational technology — manufacturers, energy companies, transportation operators, healthcare systems — this intersection of cyber and physical risk requires specialized legal and insurance advice that goes beyond the scope of a standard cyber policy review.

The exclusions in your cyber insurance policy are not fine print to be skimmed. They define the actual boundaries of your coverage, and several of them — the war exclusion, the prior knowledge exclusion, the contractual liability exclusion, and the security control warranty provisions — have each been the basis for significant denied claims that resulted in expensive litigation. The way to protect yourself is straightforward: read the exclusions in full before a loss occurs, involve a knowledgeable attorney and an experienced cyber insurance broker in that review, and make sure the coverage you believe you are purchasing reflects the coverage your policy actually provides. An investment of a few hours in this process today could prevent a multimillion-dollar surprise when you can least afford it.