The Fine Print: Exclusions and Endorsements
Exclusions: The Boundaries of Risk
In the world of cyber insurance, exclusions are not 'fine print' traps; they are the essential boundaries that keep the insurance market solvent. Without these limits on systemic risk, a single global event could collapse the entire industry.
Welcome to the fine print. For a CISO, the value of a policy is defined as much by what it excludes as what it covers. Think of exclusions not as tricks, but as the standardized boundaries of systemic risk transfer. Without these, the insurance market couldn't survive a global catastrophe. Today, we'll decode these boundaries and learn how to use endorsements to move them in your favor.
- Exclusions define the limits of what an insurer can realistically cover.
- They prevent 'uninsurable' systemic collapses from catastrophic events.
- Understanding these boundaries allows a CISO to identify where self-insurance or risk mitigation is required.
The Evolution of Cyber War Clauses
The legacy War Exclusion was built for kinetic conflict. After the Merck v. ACE litigation regarding NotPetya, the market shifted to more precise LMA clauses (LMA5564–LMA5567).
The NotPetya attack, which cost Merck over a billion dollars, proved that 'warlike action' was too vague for the digital age. In response, the Lloyd’s Market Association introduced new clauses like LMA 5567. These clauses move away from philosophical debates about war and toward technical thresholds: Did the attack significantly impair a state's essential services?
- Distinguishes between 'War' (armed conflict) and 'Cyber Operations' (state-backed).
- Introduces the 'Impacted State' concept for threshold-based exclusions.
- Clarifies the burden of proof for attribution.
Scenario: The Attribution Dilemma
Test your understanding of the Bystander/Spillover Carve-back. Determine if your coverage holds in three different nation-state scenarios.
Let's put the LMA framework to the test. You are a CISO whose firm has been hit by a state-sponsored actor. Click on each scenario to see if your policy's 'spillover carve-back' keeps you covered. In Scenario A, your firm is the intended target of a state-backed operation. Under LMA5564, this is likely excluded because you are the primary target of a cyber operation. In Scenario B, you are collateral damage in an attack on another country's power grid. Because you are a 'bystander' outside the impacted state, your carve-back maintains coverage.
- State-sponsored does not automatically mean excluded.
- Coverage often remains for 'collateral damage' (bystanders).
- The 'Impacted State' threshold is the pivot point for modern claims.
Systemic Risk: Why DNS is Excluded
Insurers cannot act as a backstop for the entire internet. Infrastructure exclusions apply to failures of core utilities and protocols like DNS and BGP.
Insurers are terrified of 'mass cyber events.' This is why most policies exclude the failure of core internet infrastructure—like DNS or BGP—and the power grid. They aren't just protecting their bottom line; they're preventing a market-wide failure where no one gets paid. As a CISO, this means your Disaster Recovery plan must account for these 'uninsurable' outages.
- Core utilities (power, water) are generally excluded.
- Core internet protocols (DNS, BGP, Satellite) are seen as systemic risks.
- Cloud provider outages (AWS/Azure) are increasingly subject to sub-limits.
The Endorsement Toolbox
Customize your policy by 'buying back' coverage through endorsements. Drag the right endorsement to cover the specific risk gap.
Standard policies have gaps. But you can use endorsements to buy back coverage. Try dragging the correct endorsement onto the risk scenarios below to fill the gaps in your defense. Excellent. Malware that destroys hardware—not just data—is called 'bricking.' Standard policies often ignore the hardware, but this endorsement ensures your servers are replaced. Correct. Business Email Compromise involves 'voluntary' fund transfers, which are excluded by default. This endorsement is critical for modern fraud protection.
- Endorsements modify the base policy to fit your profile.
- Bricking covers physical hardware replacement.
- Dependent Business Interruption (DBI) covers vendor failures.
Negotiating the Fine Print
Review this Patching Clause. As a CISO, diagnose the operational risk and propose a more realistic alternative.
Look at this clause: 'The insured must apply all Critical patches within 48 hours of release.' Is this realistic for your environment? Write a short diagnosis of why this might lead to a claim denial and suggest a better phrasing.
- Aligning policy requirements with operational reality.
- Avoiding 'Breach of Warranty' denials.
- Negotiating SLAs that match your organization's capacity.
Checklist for the Claim-Ready CISO
Use this technical audit checklist when reviewing your next cyber insurance proposal.
We've covered the boundaries of risk. Before you sign your next policy, run this technical audit. Ensure your attribution standards are formal, your sub-limits are sufficient, and your security attestations—like MFA and patching—are 100% accurate. In the next lesson, we'll look at how to master the underwriting questionnaire itself.
- Verify Attribution: Prefer formal government determination.
- Audit Sub-limits: Ensure BEC coverage matches wire transfer risk.
- Align Safeguards: Ensure MFA and Patching requirements are operationally true.