*6 min read · Last updated July 02, 2026*
In this article
– What the war exclusion actually says now – Why attribution is the trap – The widespread event exclusion is the quiet cousin – What to check before you buy, and before you file – FAQ
When ransomware locked every file at a nine-person accounting firm on a Tuesday in March, the owner did the one thing he had bought insurance for. He filed a cyber claim for the $190,000 it took to rebuild the servers, notify clients, and cover three weeks of lost billing. Four months later the denial letter arrived. The strain that hit his firm had since been attributed by researchers to a state-linked group. His policy excluded losses from a “hostile or warlike action” by a nation-state. The firm paid the $190,000 out of retained earnings.
He was not targeted by a foreign government. His firm was collateral damage in a spray attack that hit thousands of small businesses. It did not matter. The exclusion did not ask who the attacker meant to hit. It asked who the attacker was.
What the war exclusion actually says now
Older cyber policies had thin war language borrowed from property insurance. That changed after 2022. Lloyd’s of London, the market that reinsures a large share of cyber risk worldwide, issued model exclusion clauses that took effect for policies written on or after March 31, 2023. The clauses require insurers to exclude losses arising from “war” and from “state-backed cyber operations” that meet certain triggers. Many US carriers wrote parallel language into their own wordings.
In plain terms: if your loss traces back to a cyberattack that a government or a recognized authority attributes to a nation-state, your insurer may treat it the same as a bomb dropped in a declared war. The check they were going to write disappears.
The exclusion usually turns on two ideas. First, whether the attack is “attributable” to a state. Second, whether it caused a “major detrimental impact” to a country’s functioning or its security capabilities. The problem for a small business is the first idea. Attribution is decided long after your files are locked, by governments and security firms, using evidence you never see.
Why attribution is the trap
Small businesses rarely get attacked on purpose by a foreign government. They get caught in wide, automated campaigns that scan the internet for any unpatched system. The same ransomware family can hit a hospital in one city and a two-truck plumbing company in another.
Here is the trap. When a strain later gets tied to a state-sponsored group, the label attaches to the whole campaign, not just the intended targets. Your plumbing company’s loss now sits inside an event a researcher has called state-backed. The insurer points to the exclusion and the attribution report and declines the claim.
You cannot control any of this. You cannot audit the attacker. You cannot appeal the government’s finding. The one variable that decides whether you get paid is entirely outside your reach.
The “widespread event” exclusion is the quiet cousin
Watch for a second clause that does similar damage: the “widespread event” or systemic-risk limitation. Insurers added it because a single attack, like a compromised software update pushed to thousands of companies at once, could bankrupt the whole market if every victim collected in full.
So the policy caps or reduces what it pays when your loss is part of a large, correlated event affecting many insureds at the same time. Read the definition. Some policies scale your payout down based on how big the overall event was. Others impose a separate, much lower sublimit. A “sublimit” is a smaller cap that applies to one category of loss inside your larger policy limit. You can carry a $1 million policy and discover a $100,000 sublimit is all that applies to a widespread event.
What to check before you buy, and before you file

Do not wait for a claim to read these clauses. Ask your broker four questions in writing, and keep the answers.
First: Does my policy contain a war or hostile-act exclusion, and does it reach cyberattacks? Second: Does it exclude or reduce coverage for “state-backed” or “state-sponsored” operations, and how is attribution decided? Third: Is there a “widespread event” or systemic-risk clause, and what sublimit applies? Fourth: Who bears the burden of proof – does the insurer have to prove the attack was state-backed, or do I have to prove it was not?
That last question matters most. A wording that puts the burden on the insurer, and that requires a formal government attribution rather than a private security-firm blog post, is far safer for you. Some insurers now sell buy-back endorsements that narrow the exclusion. An “endorsement” is an add-on that changes your base policy. If your firm holds sensitive client data, the buy-back is worth pricing.
For the broader picture of how these policies pay and where they fall short, see our guides on how cyber liability insurance protects small businesses, the ransomware payment coverage gap, and the social engineering fraud coverage gap.
See what a real small-business cyber policy covers – and what it excludes
Compare business insurance options and check the war and widespread-event language before you bind.
Compare business insurance coverageFrequently asked questions
Can my cyber insurer deny a ransomware claim just because the attacker was foreign? Not for being foreign alone. The denial hinges on whether the attack is formally attributed to a nation-state and meets the policy’s war or state-backed trigger. Read the exact wording, because the trigger language varies widely between carriers.
How do I know if my policy has a nation-state cyber exclusion? Search your policy for the words “war,” “hostile,” “state-backed,” “state-sponsored,” and “attributable.” Ask your broker to point to the exact clause and explain what would trigger it. If they cannot, get a different quote.
What is a widespread event sublimit in cyber insurance? It is a lower cap that applies when your loss is part of a large attack affecting many companies at once. Even with a $1 million policy limit, a widespread-event sublimit might pay only a fraction of that for a correlated event.
Can I buy back coverage for state-backed attacks? Some insurers offer endorsements that narrow the exclusion or restore limited coverage. These cost more, but for a firm holding sensitive client data they can be worth the premium. Ask your broker to price the buy-back specifically.
Who decides if an attack was state-sponsored? Governments and private security researchers, usually months after the incident. You have no role in that finding and no ability to appeal it, which is why the exclusion is so risky for small businesses.
A cyber policy is only as strong as its exclusions. If you have never read the war and widespread-event language in your own wording, you are one attribution report away from paying your worst day out of pocket. Read it now, while the choice is still yours.
























