Several weeks into the U.S./Israel-Iran conflict, cyber insurance claims are being denied at an unprecedented rate. The culprit? War exclusion clauses that many organizations never knew existed in their policies. It’s a sobering reminder that in today’s interconnected world, the phrase “I’ve got insurance” may offer less protection than CIOs and tech leaders assume.
We’ve seen this movie before. Remember the post-COVID scramble when insurance policies suddenly excluded pandemic-related losses? Organizations that thought they were covered discovered their policies contained exclusions for “global disruptions” they never imagined would apply to them. Today, as Iranian state-sponsored cyber groups launch attacks across the digital landscape, we’re witnessing the sequel: the rapid expansion of war exclusions in cyber insurance policies.
The New Reality: War Exclusions Go Digital
The landscape shifted dramatically in February 2026. Iranian-linked cyber groups have launched over 700% more state-sponsored attacks since June 2025, according to West Point’s Lieber Institute analysis. These aren’t opportunistic criminals—they’re military operations with geopolitical objectives. And insurance companies are responding accordingly.
The challenge for organizations isn’t just the attacks themselves; it’s proving that an attack wasn’t an act of war. As CyberCube’s threat intelligence director William Altman notes, distinguishing between “activity that may align with state interests and activity that is merely conducted by Iranian actors without formal sanction” has become nearly impossible without detailed forensic analysis.
Meanwhile, according to Mitigata, “even incidents occurring in peacetime may fall within the exclusion if a government is implicated.” Industry analysts warn that with “48 approved Lloyd’s versions of war exclusion wordings at last count, it’s easy to see a chaotic coverage picture emerging in the event of widespread attacks.”
Learning from the Pandemic Playbook
The insurance industry’s response to COVID-19 offers a blueprint for what’s happening now. Pre-pandemic, few organizations scrutinized their policies for “global disruption” exclusions. When lockdowns hit, companies discovered that business interruption coverage—which they’d faithfully paid for—suddenly didn’t apply to “pandemics” or “government-mandated closures.”
The result was swift policy evolution. By 2021, pandemic exclusions became standard, and companies had to purchase separate coverage or accept the risk. We’re seeing the same pattern with cyber insurance and war exclusions, but at an accelerated pace. The geopolitical situation has compressed years of gradual policy evolution into weeks of rapid change.
The Attribution Challenge
Consider the recent AWS data center strike in the Middle East. Physical destruction of cloud infrastructure represents uncharted territory for cyber insurance. Is data loss from kinetic damage to a cloud provider an act of war? What about the cascading cyber effects when critical infrastructure is targeted?
The landmark Merck vs. Ace American Insurance case, involving the NotPetya malware attributed to Russian military operations, established that attribution is both challenging and legally complex. The court ruled in Merck’s favor, but only because the war exclusion language was deemed ambiguous. Insurers have since significantly tightened their language.
Beyond Cyber Insurance: The MDR Imperative
Given these evolving exclusions, the best cyber insurance isn’t insurance at all; it’s prevention. This is where Managed Detection and Response (MDR) becomes critical. While insurance companies debate attribution and exclusions, MDR services provide real-time threat detection, incident response, and damage mitigation.
MDR offers something insurance cannot: proactive protection. When Iranian cyber groups launch reconnaissance attacks (as CrowdStrike documented in early March) MDR teams can detect, contain, and neutralize threats before they become insurance claims. This isn’t just about preventing financial losses; it’s about maintaining business continuity when traditional coverage falls short.
Moreover, many insurers now require documented security controls as a condition of coverage. Organizations with robust MDR implementations often receive better terms and fewer exclusions. In essence, MDR becomes both a protective measure and an insurance optimization strategy.
What CIOs Need to Do Now
- Audit Your Policy Language
Don’t assume your cyber policy covers state-sponsored attacks. Review war exclusion clauses with legal counsel, and understand how “attribution” is defined in your specific policy. Ask whether kinetic damage to cloud infrastructure is covered. - Implement Defense in Depth
Ensure multi-factor authentication, endpoint detection and response systems, and documented incident response procedures are in place. These controls not only improve security but also often influence insurance terms and pricing. - Diversify Your Risk Strategy
Consider geographic distribution of cloud workloads, backup systems that operate independently of primary infrastructure, and documented failover procedures that have been tested within the last 90 days. - Invest in Proactive Security
Deploy MDR services that provide 24/7 monitoring and rapid response capabilities. In an environment where insurance coverage is uncertain, prevention becomes your most reliable protection strategy.
Protecting Your Organization During Tumultuous Times
The comfortable assumption that “I’ve got insurance” provides comprehensive cyber protection is being challenged in real-time. As insurers expand war exclusions and attribution becomes increasingly complex, organizations must shift from reactive.
In this new landscape, the organizations that thrive won’t be those with the best insurance policies—they’ll be those that don’t need to file claims in the first place.
Emerge provides comprehensive cybersecurity solutions, including MDR services designed to protect organizations in today’s complex threat environment. Contact us to learn how proactive security measures can complement your cyber insurance strategy especially during times of war and conflict.