Act-of-War Clauses Cloud Cyber Insurance Coverage

In a feature article in The Wall Street Journal, Woods Rogers’ Principal and Cybersecurity & Data Privacy Chair Beth Waller shares insights on the most complex and rapidly evolving issues in cyber insurance: when a cyberattack may be excluded from coverage as an “act of war.” The article explores a growing challenge for companies and insurers alike: determining when a cyberattack rises to the level of an act of war and may be excluded from coverage.

Beth explained that these determinations are highly nuanced and depend on a detailed factual analysis.

“Most war-exclusion adjudications today involve a fact-intensive analysis of a hacker’s connection to a nation-state engaged in war,” she told the publication. Insurers, she noted, “bear the burden of proving attribution and demonstrating that a hack rises to the level of a targeted wartime cyberattack.”

She further emphasized the limits of attribution alone: “Not every threat actor linked to a nation-state qualifies as a nation-state that is currently engaged in war.”

Expanding on that point, Beth notes that applying a cyber war exclusion requires evaluating both the identity of the threat actor and whether the activity meets the policy’s definition of “war” or “cyber operations.” Even where nation-state ties are suspected, insurers must satisfy both elements for the exclusion to apply.

As cyber threats continue to evolve alongside global tensions, Beth’s insights underscore the importance of careful policy review, disciplined attribution, and coordinated legal and risk strategy.

Subscribers to The Wall Street Journal can read the full article here.