The Fine Print: Exclusions and Endorsements

Exclusions: The Boundaries of Risk

In the world of cyber insurance, exclusions are not 'fine print' traps; they are the essential boundaries that keep the insurance market solvent. Without these limits on systemic risk, a single global event could collapse the entire industry.

Welcome to the fine print. For a CISO, the value of a policy is defined as much by what it excludes as what it covers. Think of exclusions not as tricks, but as the standardized boundaries of systemic risk transfer. Without these, the insurance market couldn't survive a global catastrophe. Today, we'll decode these boundaries and learn how to use endorsements to move them in your favor.

The Evolution of Cyber War Clauses

The legacy War Exclusion was built for kinetic conflict. After the Merck v. ACE litigation regarding NotPetya, the market shifted to more precise LMA clauses (LMA5564–LMA5567).

The NotPetya attack, which cost Merck over a billion dollars, proved that 'warlike action' was too vague for the digital age. In response, the Lloyd’s Market Association introduced new clauses like LMA 5567. These clauses move away from philosophical debates about war and toward technical thresholds: Did the attack significantly impair a state's essential services?

Scenario: The Attribution Dilemma

Test your understanding of the Bystander/Spillover Carve-back. Determine if your coverage holds in three different nation-state scenarios.

Let's put the LMA framework to the test. You are a CISO whose firm has been hit by a state-sponsored actor. Click on each scenario to see if your policy's 'spillover carve-back' keeps you covered. In Scenario A, your firm is the intended target of a state-backed operation. Under LMA5564, this is likely excluded because you are the primary target of a cyber operation. In Scenario B, you are collateral damage in an attack on another country's power grid. Because you are a 'bystander' outside the impacted state, your carve-back maintains coverage.

Systemic Risk: Why DNS is Excluded

Insurers cannot act as a backstop for the entire internet. Infrastructure exclusions apply to failures of core utilities and protocols like DNS and BGP.

Insurers are terrified of 'mass cyber events.' This is why most policies exclude the failure of core internet infrastructure—like DNS or BGP—and the power grid. They aren't just protecting their bottom line; they're preventing a market-wide failure where no one gets paid. As a CISO, this means your Disaster Recovery plan must account for these 'uninsurable' outages.

The Endorsement Toolbox

Customize your policy by 'buying back' coverage through endorsements. Drag the right endorsement to cover the specific risk gap.

Standard policies have gaps. But you can use endorsements to buy back coverage. Try dragging the correct endorsement onto the risk scenarios below to fill the gaps in your defense. Excellent. Malware that destroys hardware—not just data—is called 'bricking.' Standard policies often ignore the hardware, but this endorsement ensures your servers are replaced. Correct. Business Email Compromise involves 'voluntary' fund transfers, which are excluded by default. This endorsement is critical for modern fraud protection.

Negotiating the Fine Print

Review this Patching Clause. As a CISO, diagnose the operational risk and propose a more realistic alternative.

Look at this clause: 'The insured must apply all Critical patches within 48 hours of release.' Is this realistic for your environment? Write a short diagnosis of why this might lead to a claim denial and suggest a better phrasing.

Checklist for the Claim-Ready CISO

Use this technical audit checklist when reviewing your next cyber insurance proposal.

We've covered the boundaries of risk. Before you sign your next policy, run this technical audit. Ensure your attribution standards are formal, your sub-limits are sufficient, and your security attestations—like MFA and patching—are 100% accurate. In the next lesson, we'll look at how to master the underwriting questionnaire itself.