As reported on the Threatpost website (https://threstpost.com/lloyds-cyber-insurance/exclusions/176669/) and by other sources, Lloyd's of London will no longer cover nation-state sponsored cyber attacks under its cyber insurance policies.
Four new Cyber War and Cyber Operations Exclusion clauses have been released. While the full text was not included in the post, "cyber war" is defined as operations carried out as part of a war, retaliatory acts between specified states, or a cyber operation that has a major detrimental impact on the functioning of a state. ("Specified states" are China, France, Japan, Russia, the United Kingdom and the United States. Missing from the list: Iran and North Korea.)
According to the article, the definition leaves "plenty of latitude" for Lloyd's to refuse to pay. The "functioning of a state" could be read to cover essential services such as finance, healthcare or utilities. The exclusions also allow Lloyd's to attribute an attack to a nation-state itself if a government does not make that attribution.
To provide some context, as a general rule war risk is uninsurable. One exception has been a cyberterrorism carve-out from the war exclusion in many cyber insurance policies. Whether, and to what extent, these new exclusions nullify that carve-out is a question yet to be answered.
There are other unanswered questions. We know governments engage in cyber espionage and attacks against each other; at what point does it rise to the level of "cyber war"? Can we always distinguish a criminal ransomware attack from government-sponsored cyber war? (In some countries there's a fine line at best between government and criminals.) How widespread does an attack have to be to become a "war"? Suppose Lloyd's declares an attack to be a war, and a government denies it?
At this point we are in uncharted territory. We haven't seen the actual exclusions in policies, and we don't know whether these exclusions will be adopted by American insurers or how much pushback there will be from brokers and insurers. This story does not yet have a conclusion.