Cyber War Risk Insurance in India: Coverage Gaps and Attribution Challenges

Lloyd's 2023 cyber war exclusion mandates have propagated into Indian cyber policies, leaving state-attributed attacks in a coverage grey zone. This post maps what remains covered, what does not, and how Indian companies can fill the gap.

Sarvada Editorial Team • Insurance Intelligence

Last reviewed: May 2026

Lloyd's Cyber War Exclusions: What Changed in 2023 and Why

In August 2022, Lloyd's of London issued a market bulletin requiring all standalone cyber policies written on Lloyd's paper to include a specific war exclusion that goes beyond the legacy war exclusion language inherited from property policies. The mandate took effect for policies incepting from 31 March 2023. Four model clause sets were developed jointly by Lloyd's and the Lloyd's Market Association: LMA5564, LMA5565, LMA5566, and LMA5567. Each addresses state-attributed cyber attacks with slightly different definitions of what constitutes a cyber war event and how attribution is determined.

The immediate trigger for this change was the NotPetya malware attack of 2017. NotPetya was initially distributed through compromised Ukrainian accounting software and spread globally, causing an estimated USD 10 billion in damage across shipping (Maersk), pharmaceuticals (Merck), food manufacturing (Mondelez), and logistics (FedEx). The US, UK, EU, and Australian governments formally attributed NotPetya to the Russian military intelligence service (GRU) in 2018. When affected companies sought coverage under their property or cyber policies, insurers asserted war exclusions. Litigation followed in multiple jurisdictions. The US and UK courts reached different conclusions on whether the legacy war exclusion language, designed for physical armed conflict, applied to a cyberattack attributed to a state actor.

Lloyd's 2022 bulletin was a deliberate response to this legal uncertainty. By mandating specific cyber war exclusion language, Lloyd's aimed to ensure that its syndicates had clear contractual grounds to exclude state-attributed cyber war events rather than relying on courts to interpret legacy clauses. The four model clauses differ primarily in how they handle attribution: some require a formal government attribution; others define cyber war by the character of the attack (attacks targeting critical national infrastructure or designed to cause significant damage to the target state are treated as cyber war regardless of formal attribution).

For Indian policyholders, the 2023 mandate is significant because Indian cyber policy wordings, particularly those backed by Lloyd's reinsurance, have progressively incorporated the new exclusion language. Non-Lloyd's backed policies in the Indian market, issued by IRDAI-licensed domestic insurers without Lloyd's reinsurance, may still carry the older, less precisely defined war exclusions. Buyers should confirm which version of the exclusion their policy contains.

What 'Cyber War' Means in Practice: The Attribution Problem

The central practical difficulty with cyber war exclusions is attribution. To trigger the exclusion, an attack must be attributable to a state or state-affiliated actor. Attribution in cybersecurity is probabilistic and contested. Technical indicators (malware code signatures, infrastructure reuse, operational patterns, and targeting priorities) can suggest a source with high confidence, but they rarely constitute proof in the legal sense required to resolve an insurance dispute.

The NotPetya precedent is the clearest example of the problem. When Merck and Mondelez litigated their respective war exclusion claims, the core dispute was whether government attribution constitutes a legal finding of state involvement sufficient to activate a war exclusion. Merck's case in New Jersey ultimately held (in 2023 at the Appellate Division level) that the legacy war exclusion in Merck's policy required actual warlike action in a traditional military sense and did not extend to a cyberattack even with state attribution. Mondelez settled with Zurich on undisclosed terms. The UK courts, hearing separate cases under English law, are applying the new LMA clauses to more recent attacks with different results.

For Indian companies, the attribution problem has several dimensions. Technically sophisticated threat actors who operate in service of state objectives often use infrastructure and tools that are not definitively linked to any single government. India-targeted attacks attributed to Pakistan-nexus groups, including threat actors associated with the Transparent Tribe (APT36) cluster and Sidewinder, have been documented in open-source intelligence reports from CERT-In, private threat intelligence firms, and academic research. China-nexus attribution for attacks on Indian government, defence, and financial sector targets has been claimed by multiple intelligence agencies and research groups. But cyber insurance claims are not resolved in intelligence community forums; they are resolved in courts or arbitration, where technical attribution evidence faces cross-examination by insurer-retained experts.

The implication for Indian policyholders: even where the Indian government, CERT-In, or a private threat intelligence firm assesses an attack as state-attributed, that assessment alone may not be sufficient to activate the war exclusion from the insurer's perspective, nor is it sufficient to establish coverage under an exception to the exclusion that requires the company to prove the attack was non-state. The evidentiary standard for attribution that satisfies both parties is unclear, and in practice most claims will settle rather than litigate to a judicial determination.

India's Specific Threat Landscape: BFSI, Defence, and Telecom

India occupies a specific position in the global state-attributed cyber threat landscape. Its border tensions with Pakistan and China, its status as a significant emerging-market economy, and its growing defence technology sector make it a target for both espionage-focused and disruptive cyberattacks from multiple state-nexus actors.

Pakistan-nexus threat activity targeting Indian entities has been documented by multiple sources. The Transparent Tribe cluster (also tracked as APT36, Mythic Leopard, and COPPER FIELDSTONE by different intelligence vendors) has been associated with spear-phishing campaigns targeting Indian defence personnel, government officials, and civil society organizations. While Transparent Tribe activity appears primarily focused on intelligence collection rather than destructive attacks, the same operational infrastructure and techniques are used by more destructive Pakistan-nexus actors. CERT-In's annual reports through 2023 and 2024 have noted increases in phishing and malware campaigns originating from Pakistan-linked IP infrastructure.

China-nexus activity targeting India spiked measurably following the 2020 Galwan Valley clash. Microsoft Threat Intelligence and Recorded Future both published reports in 2020 and 2021 documenting increased scanning and intrusion attempts against Indian power grid infrastructure (attributed to groups linked to the People's Liberation Army Strategic Support Force), port systems, and financial sector entities. The 2021 Mumbai power outage remains under official investigation, but Recorded Future's analysis suggested Chinese state-nexus infrastructure was present in operational technology networks in the Maharashtra power grid prior to the outage. Whether that presence caused the outage remains contested.

For the Indian Banking, Financial Services, and Insurance (BFSI) sector, both state-nexus espionage and criminal ransomware represent active threats. The RBI's 2023 Cyber Security Framework for Banks requires banks to maintain information security practices to counter both. For insurance purposes, the relevant distinction is between criminal ransomware (which has no clear state attribution, is typically covered under a standard cyber policy's ransomware or extortion extension, and is not subject to the cyber war exclusion) and state-attributed destructive malware deployed by state-nexus actors (which may trigger the war exclusion under the new LMA clauses).

Telecom infrastructure is a specific target category because disrupting communications affects all other sectors simultaneously. India's telecom networks, particularly the transport layer connecting government and defence users, have been identified in multiple threat intelligence reports as targets for both Chinese and Pakistani nexus actors. A successful attack on telecom exchange infrastructure that triggers cascading outages across BFSI and power sector communications networks creates an aggregated insurance loss that could simultaneously affect multiple cyber policyholders. The aggregation risk for insurers in a state-attributed telecom sector attack is one reason why the new LMA clauses include language about attacks designed to affect the target state's critical national infrastructure.

IRDAI's Position and the Indian Policy Market

IRDAI issued its first dedicated guidelines on cyber insurance products in 2020 (Circular Ref: IRDA/NL/GDL/MISC/117/07/2020), establishing minimum coverage requirements for cyber indemnity products. The 2020 circular specified mandatory inclusions (data breach liability, cyber extortion, business interruption following a cyber event) and minimum exclusions (war, nuclear, intentional acts). However, the 2020 circular predates the Lloyd's 2023 mandate and does not specify a standard war exclusion format.

The IRDAI has not yet issued a specific circular defining cyber war or mandating specific war exclusion clause language for cyber policies. This creates divergence in the Indian market: some policies backed by Lloyd's reinsurance carry the new LMA model clauses with their precise attribution language; policies with non-Lloyd's reinsurance or those placed entirely within the Indian market retain older, less precisely defined war exclusion language. The older language typically follows property policy conventions and reads as exclusion of loss arising from war, invasion, act of foreign enemy, hostilities, civil war, rebellion, or military power. Whether a cyberattack attributed to a state actor with no accompanying physical military action falls within this language is legally contestable.

For buyers, this market divergence is both a risk and an opportunity. A policy with the older, vaguer war exclusion may provide broader coverage because the insurer has a harder evidentiary burden to establish that the attack constitutes war under the policy language. A policy with LMA5565 or LMA5566 gives more precise definitions but also more precise exclusion mechanisms. The appropriate choice depends on the buyer's specific threat profile and risk appetite.

IRDAI's ongoing product development framework, including the Bima Sugam platform and the regulatory sandbox, does not yet address cyber war coverage specifically. The regulator's 2025 discussion paper on emerging risks flagged state-attributed cyber threats as an area requiring policy development attention, suggesting that more specific guidance may follow in 2026 or 2027. In the interim, buyers should negotiate war exclusion language explicitly at placement rather than accepting standard policy form defaults.

What Remains Covered After the War Exclusion

The cyber war exclusion removes state-attributed attacks from coverage but does not remove criminal ransomware, criminal data breaches, or business interruption from criminal cyber events. For most Indian companies, criminal threat actors represent the higher-frequency risk even if state actors represent the higher-severity tail.

Criminal ransomware without state attribution remains covered under the extortion or ransomware extension of a standard cyber policy. The LockBit 3.0 ransomware gang, the ALPHV (BlackCat) group, and the Medusa ransomware operators, which have all been active in India, are not state actors and their attacks do not trigger the cyber war exclusion. Coverage for ransom payment, investigation costs, and business interruption from criminal ransomware remains intact after the LMA clause changes.

Data breach liability coverage remains available for breaches caused by criminal actors. With DPDP Act 2023 enforcement beginning and India's Data Protection Board empowered to impose penalties up to INR 250 crore for data breaches, the liability exposure from criminal data breaches is growing. Cyber policies provide coverage for regulatory investigation costs, mandatory notification costs, and third-party data subject claims arising from breaches with criminal (non-state) attribution.

Cyber crime coverage, which addresses fraudulent fund transfers, social engineering attacks, and invoice fraud, also remains unaffected by the war exclusion. Social engineering frauds, where employees are tricked into wire-transferring funds to fraudulent accounts, are criminal acts without state attribution and are covered under the cyber crime extension of most Indian cyber policies.

The residual concern after the war exclusion is spillover attacks: malware originally deployed by a state actor that spreads to unintended victims, as NotPetya did. The new LMA clauses attempt to address this by creating a carve-back for collateral damage, specifically, losses to companies that are not the intended target of the state actor's attack and are not in the target state (India, if the attacker is targeting India specifically). The carve-back is limited and contested, but it preserves some coverage for Indian companies caught in the crossfire of an attack not specifically directed at them.

Filling the Cyber War Coverage Gap

Three approaches are available to Indian companies seeking to fill the coverage gap left by cyber war exclusions.

The first is political risk and war insurance from the specialty market. Political risk and war insurers, primarily operating through Lloyd's political violence syndicates and Bermuda market carriers, write insurance against losses caused by state action. Some political risk policies can be extended to cover cyberattack losses caused by state actors, framed as an act of a foreign government rather than a cyber war event. The political risk market definition of covered state action is different from the cyber war exclusion definition, and there is genuine complementarity. A company whose cyber policy excludes state-attributed attacks but whose political risk policy covers losses from acts of a foreign government may have coverage in the gap zone through its political risk programme. This requires active coordination of both policy wordings by a broker who understands both specialty lines.

The second approach is specialist cyber war products from specific Lloyd's syndicates. Despite the Lloyd's 2023 mandate excluding cyber war from standard policies, a small number of Lloyd's syndicates have sought and received approval to write standalone cyber war coverage as a separate product, not bundled into the standard cyber policy. These products are structured as affirmative cyber war cover and explicitly insure losses from state-attributed cyber attacks. Premium is substantially higher than standard cyber insurance and reflects the severity and frequency of state-level cyber threats. For Indian companies in sectors with elevated state actor targeting, specifically BFSI, defence supply chain, pharmaceuticals, and critical infrastructure, these products warrant evaluation.

The third approach is operational risk management that reduces dependence on insurance recovery for state-attributed attacks. Cyber war events typically have characteristics that differ from criminal ransomware: they target specific operational technology or control systems, they aim at disruption or destruction rather than ransom, and they are often designed to be deniable and persistent. Operational controls, network segmentation between IT and OT environments, offline backup architectures, and crisis response planning reduce both the probability of successful attack and the recovery time after an attack that does succeed. For a state-attributed attack where insurance recovery is uncertain, faster operational recovery from good incident response planning is the primary risk management lever.

Practical Risk Management for State-Attributed Cyber Scenarios

A structured risk management approach for Indian companies facing state-attributed cyber threats should integrate insurance analysis with operational security planning and incident response preparation.

Start by assessing whether your sector and operations place you in a high-priority target category for state-attributed attacks. Companies in BFSI, defence supply chain, critical infrastructure (power, water, telecom), and strategic technology sectors face materially higher state actor targeting probability than companies in retail, hospitality, or consumer goods. The assessment should reference CERT-In's published sector-specific advisories and threat bulletins, which provide government-sourced intelligence on active threat campaigns targeting Indian sectors.

For high-priority target companies, commission a detailed review of existing cyber policy war exclusion language. Identify which LMA model clause applies (or whether the older, vague war exclusion applies) and model the coverage outcomes under three scenarios: a criminal ransomware attack (covered); a state-attributed destructive attack on IT systems (likely excluded under LMA clauses); and a spillover event where state malware reaches the company without being specifically targeted at it (partially covered under carve-backs). This scenario modelling gives the CFO a clear picture of what the cyber programme covers and what it does not.

For companies that decide to fill the war exclusion gap, engage a broker with specialty market access for political risk and cyber war products. The London market, specifically Lloyd's political violence syndicates, is the primary source of these products. Indian brokers with Lloyd's correspondent relationships or a dedicated London office can access this market. The placement process typically takes 60 to 90 days and requires detailed information about the company's IT infrastructure, sector, and geographic exposure.

For incident response preparation, develop a specific cyber war incident response protocol separate from the criminal ransomware response protocol. The two scenarios have different legal and regulatory implications, different forensic requirements (attribution evidence must be preserved and documented for any subsequent claim dispute), different communications requirements (a state-attributed attack may have national security dimensions requiring coordination with CERT-In and potentially the National Critical Information Infrastructure Protection Centre), and different recovery priorities. Having a single generic cyber incident response plan that treats all attacks as equivalent leaves companies unprepared for the specific demands of a state-attributed scenario.

Frequently Asked Questions

Does my Indian cyber insurance policy cover a NotPetya-style state-attributed attack?

It depends on which war exclusion clause your policy contains. Policies backed by Lloyd's reinsurance written after March 2023 will contain one of the LMA model clauses (LMA5564-5567), which specifically exclude losses from cyberattacks attributed to state actors by a defined attribution mechanism. Policies with older, legacy war exclusion language may have a harder evidentiary burden for the insurer to exclude the claim, as those clauses were designed for conventional armed conflict rather than cyber operations. You should request the specific exclusion language from your policy and have it reviewed by a broker who understands both cyber and political risk markets.

What is the difference between a cyber war exclusion and a terrorism exclusion in the context of Indian cyber policies?

Terrorism exclusions in Indian policies typically follow the Terrorism Risk Insurance Act or IRDAI terrorism pool definitions, which focus on acts designed to influence government or intimidate populations. Cyber war exclusions in the LMA model clauses focus on attacks attributable to state actors and attacks on critical national infrastructure, regardless of whether the intent qualifies as terrorism. Some attacks may fall within both exclusions; others may fall within one but not the other. For example, a state-attributed attack on the Indian power grid designed to cause strategic disruption might be cyber war but not terrorism under policy definitions, or it might be both. The interactions require careful wording review.

Does IRDAI require Indian cyber policies to include specific cyber war exclusion language?

As of May 2026, IRDAI has not mandated a specific cyber war exclusion format equivalent to the Lloyd's LMA model clauses. The 2020 IRDAI cyber insurance circular requires policies to exclude war but does not specify the attribution framework or the definition of cyber war. This means that Indian market policies without Lloyd's reinsurance backing may retain older, vaguer war exclusion language. Buyers should check which language applies to their policy and consider whether the ambiguity works in their favour or creates claim dispute risk.

How can Indian companies in BFSI or defence supply chain fill the cyber war coverage gap?

Two primary options: first, political risk insurance from the specialty market (Lloyd's political violence syndicates and Bermuda market carriers) can be structured to cover losses from acts of a foreign government, which may complement the cyber policy's war exclusion by covering the same scenario through a different policy structure. Second, specific Lloyd's syndicates have developed standalone cyber war products as an affirmative cover separate from the standard cyber policy. Both options require specialty market access through a broker with London market capability and take 60 to 90 days to place.
