For the best part of a decade, the cyber insurance market has grappled with the war exclusion. Originally drafted to address kinetic conflict and territorial aggression, these traditional clauses proved fundamentally unsuited to a threat landscape defined by state-proxy actors and non-physical hostilities. This disconnect reached a breaking point with the Merck v. Ace litigation, where the ambiguity of ‘warlike action’ in a digital context exposed a critical lack of contract certainty across the Lloyd’s and company markets.

The core question was historically binary: Is this war, or is it not? However, in a threat landscape defined by ‘grey zone’ operations, this binary framing created unsustainable underwriting volatility. 

Lloyd’s response, via Market Bulletin Y5381 and the LMA5567A/B series, has not been to soften the market’s stance on systemic risk, but to professionalize the mechanics of exclusion. It moved the needle decisively from the ‘War’ debate to the ‘Threshold’ debate. Today’s specialist brokers and complex claims handlers are no longer arguing over whether a state was involved; they are litigating temporal proximity (immediate preparation), functional consequence (significant impairment), and geographic server mapping (the impacted state).”

As we enter 2026, understanding LMA5567A/B requires mastering the contractual physics of attribution and the evidentiary shortcuts that can make or break a high-value claim. For the specialist, this is where “coverage confidence” is won or lost.

From “Is It War?” to “Did It Meet the Threshold?”

For decades, the pivot point of a cyber-war dispute was the definition of “hostilities” or “warlike action.” Under the LMA5567A/B framework, that ambiguity has been displaced. The central question for a claims handler is no longer a philosophical debate on the nature of conflict, but a technical interrogation of functional consequence:

“Did the cyber operation significantly impair the state’s ability to function or defend itself, and does the insured’s loss fall within that excluded impact?” 

This shift from “War” to “Threshold” is a direct result of regulatory necessity. While Lloyd’s Market Bulletin Y5381 mandates the exclusion of attacks that “significantly impair” a state, the LMA5567 clauses operationalize this through the contractual definition of an “Impacted State.” Specifically, the wording requires a “major detrimental impact” on essential services or national security.

This is not a mere semantic choice; it is a high-bar evidentiary requirement. It is designed to ensure that routine cybercrime – even that with geopolitical undertones – remains covered, while catastrophic, state-level shocks are ringfenced.

For brokers, underwriters, and claims handlers operating at the complex end of the Lloyd’s market, this raises the stakes significantly. Coverage disputes have moved from the courtroom of international law to the theatre of fact-intensive, technical forensics. Every word in the definition of “Essential Services” – from financial market infrastructure to the integrity of the power grid – is now a potential litigation point. Understanding the mechanics of this threshold analysis has therefore become a core professional competency required to maintain contract certainty in a volatile threat environment.

Key Differences between LMA5567A and LMA5567B

At a headline level, LMA5567A and LMA5567B appear deceptively similar. Both exclude loss arising from war and from state-backed cyber operations that cause an “impacted state,” defined by a major detrimental impact on essential services or national security capabilities. Both preserve a carve-back for systems not physically located in the impacted state. And both sit within the broader Lloyd’s mandate to remove exposure to non-physical, systemic cyber war.

The distinction lies in attribution mechanics.

Attribution Mechanics: Procedural Rigor (LMA5567A) vs. Strategic Uncertainty (LMA5567B) 

The structural distinction between the ‘A’ and ‘B’ variants is the primary source of drafting friction in the current market. While both clauses target the same systemic outcomes, they diverge fundamentally on the subject of legal burdens of proof.

LMA5567A Narrows Attribution Disputes at Claim Stage

LMA5567A introduces an explicit attribution framework. While the clause is careful to state that the insurer’s burden of proof remains unchanged, it contractually obliges both parties to consider “objectively reasonable evidence.”

Notwithstanding the insurer’s burden of proof, which shall remain unchanged by this clause, in determining attribution of a cyber operation to a state, the insured and insurer will consider such objectively reasonable evidence that is available to them. This may include formal or official attribution by the government of the state in which the computer system affected by the cyber operation is physically located to another state or those acting at its direction or under its control.

This framework narrows the room for the “unilateral determinations” that often plague high-severity cyber claims. By specifically citing “formal or official attribution by the government” as a valid source, the clause provides a baseline of evidence that prevents a claim from stalling in a purely speculative vacuum.

For a broker, this variant offers procedural rigor. It ensures that a defensible conclusion requires a documented, reasoned assessment rather than a carrier’s opaque internal forensic report.

LMA5567B Presents a Great Opportunity for Sophisticated Insureds

LMA5567B omits the attribution framework entirely. This is not a cosmetic difference; it’s a shift in litigation strategy.LMA5567B remains silent on methodology, leaving the entire attribution process outside the policy wording.

In high-severity claims, where losses are largest and scrutiny is highest, this lack of a roadmap increases uncertainty. However, for a sophisticated insured with the resources to mount a robust legal challenge, the silence of “Variant B” can be an advantage. Without the “contractual shortcut” of agreed-upon government evidence, the insurer is forced to meet the evidentiary burden from scratch under common law standards, which are often more exacting than the “objectively reasonable” threshold in Variant A.

“Immediate Preparation”: Espionage vs. War Under LMA5567A/B

A critical, yet often overlooked, component of LMA5567A/B is clause 1.2, which excludes losses arising from a cyber operation carried out as part of a war, “or the immediate preparation for a war.”

Notwithstanding any provision to the contrary in this insurance, this insurance does not cover that part of any loss, damage, liability, cost, or expense, of any kind: 

1.1. directly or indirectly arising from a war, and/or 

1.2. arising from a cyber operation that is carried out as part of a war, or the immediate preparation for a war, and/or 

1.3. arising from a cyber operation that causes a state to become an impacted state.

For the complex claims handler, this is perhaps the most legally fraught territory in the entire wording. In the physical world, “immediate preparation” is observable—the massing of troops or the fueling of aircraft. In the digital world, the line between state-sponsored espionage (often covered) and pre-positioning for conflict (excluded) is nearly invisible.

Untested Precedent: If a state actor breaches a power grid to install “sleeper” malware intended for use only if kinetic war breaks out, does the initial breach count as “immediate preparation”?

Mastery of this clause requires an understanding of intent and proximity. Most specialist wordings distinguish between traditional “reconnaissance” and “active preparation.” Without clear temporal or functional proximity to an actual conflict, insurers struggle to invoke this limb. However, as geopolitical tensions rise, we expect carriers to scrutinize the nature of the tooling used (e.g., destructive “wiper” malware vs. “stealthy” data exfiltration tools) as evidence of preparatory intent.

The Interaction of Y5381 and Traditional War Provisions

It is also critical to situate LMA5567A/B within the broader war exclusion landscape. Market Bulletin Y5381 is explicit: state-backed cyber exclusions must be in addition to any war exclusion, not a replacement.

This distinction matters because war exclusions remain anchored in physical force and traditional conflict concepts. LMA5567A/B fills the gap left by those clauses. 

The industry’s challenge has never been identifying a “hot” war. It has been managing everything that falls short of it, yet still threatens insurability at scale. LMA5567A/B represents the market’s most sophisticated attempt to date to draw that line contractually, ensuring that:

1. War Exclusions handle kinetic, state-on-state violence.
2. State-Backed Cyber Exclusions handle systemic, non-kinetic disruptions that meet the “Major Detrimental Impact” threshold.

By maintaining both layers, Lloyd’s ensures that a carrier isn’t forced to rely on a “War” definition to deny a claim that was clearly a state-sponsored cyber operation designed to paralyze a nation’s economy without firing a single shot.

Limitations of LMA5567A/B: Geographic Carve-Back

One of the most consequential elements of LMA5567A/B is the geographic carve-back. The exclusion applies only to losses arising from cyber operations that impact computer systems physically located in the impacted state. Systems located elsewhere, even if indirectly affected by the same operation, may remain covered. This is not an accident. It is Lloyd’s attempt to balance systemic risk exclusion with commercial reality.

The NotPetya attack remains the canonical example. While widely attributed to a state-backed operation targeting Ukrainian infrastructure, the most severe insured losses occurred far outside Ukraine. Global enterprises suffered catastrophic disruption through collateral damage, not direct targeting.

If a state-backed attack targets Ukraine (the ‘Impacted State’) but the virus spreads and hits your servers in London or New York, the insured is still covered. Even though the attack was an ‘act of state,’ the insured is considered ‘collateral damage’ outside the conflict zone, and the policy is designed to protect them in that scenario.

Under LMA5567A/B, those distinctions matter. Coverage turns on server location, network architecture, and dependency mapping. 

• For underwriters, this places renewed emphasis on understanding insureds’ geographic exposure and digital supply chains. 
• For brokers, it creates a duty to interrogate where critical systems are actually hosted, not where the insured believes them to be.

Carrier Variants of LMA Model War Exclusion Clauses and Broker E&O Risk

Although LMA5567A/B are model clauses, the market has not stood still. Lloyd’s permits revisions provided they remain compliant with Market Bulletin Y5381, and carriers have taken full advantage of that flexibility. For example:

• Chubb purports to exclude coverage for “any malicious computer acts by states or state-sponsored groups that result in a declaration of war, the ordering of actions that constitute the use of force, or is cited as the reason in a resolution or other formal action by the UN Security Council authorizing force or sanctions against another state, or that results in the use of force by NATO or an equivalent alliance.”
• Beazley mirrors the LMA5567 structure but refines key definitions, excluding “any loss arising from a cyber war, which means any harmful act, conducted using a Computer System…directed against one or more Computer Systems committed by or at the direction of a sovereign state that is conducted as part of a war or causes a major detrimental impact on the ability of another state to provide essential services or on the security or defense of that state.” Notably, the exclusion “does not apply where an affected computer system is not physically located in the affected sovereign state.”
• Marsh similarly excludes “any loss resulting from a war, a cyber operation carried out as part of a war, or a cyber operation that causes an ‘Impacted State,’” defined as “a sovereign state in which a cyber operation has had a major detrimental impact on the ability of that state to provide essential services or on the security or defense of that state.” Like LMA5567A/B and Beazley’s drafting, Marsh preserves the carve-back for systems not physically located in the impacted state.

Subtle changes to definitions of “impacted state,” “essential services,” or attribution triggers can materially alter coverage. A broker who treats these clauses as functionally equivalent does so at significant professional risk. This is where E&O exposure becomes real. As the market professionalizes its approach to state-backed cyber risk, expectations on brokers rise accordingly. 

Cyber War Exclusions Are Rarely Used to Deny Claims

Cyber war exclusions are rarely the decisive factor in claims adjudication. Their purpose is clear and narrow:

• Exclude losses arising from kinetic warfare or armed conflict
• Avoid coverage for catastrophic, systemic events that exceed commercial insurability
• Protect insurers from state-on-state conflict scenarios, not everyday cybercrime

In practice, claims handlers report that war exclusions are almost never the sole basis for denying a cyber claim. Nation-state-linked tooling and tactics are now common across ransomware, espionage, and financially motivated attacks. If insurers relied on war exclusions broadly, cyber insurance would become commercially unworkable. Attribution is often inconclusive, making war exclusions impractical as a blanket denial mechanism.

Why a Manufacturing Ransomware Loss Remains Covered While a Power Grid Attack May Not

Consider a conventional ransomware attack against a multinational manufacturer. Even if intelligence suggests the threat actor operates with tacit state tolerance, the incident primarily impacts a private enterprise, not state functions. Essential services continue, national security capabilities remain intact, so this loss appears to sit outside the LMA5567 exclusion.

Contrast that with a coordinated cyber operation against a national power grid or financial market infrastructure. If the operation disrupts electricity supply across regions, destabilizes payment systems, or undermines military communications, the threshold analysis shifts. The claim question becomes not who launched the attack, but what effect it had at the state level.

Here, “significant impairment” is defined by functional consequence, not loss magnitude alone. Claims teams must assess impact against public infrastructure, essential services, and defense capabilities. This threshold is the primary guardrail for LMA5567 exclusions. The clause is not designed to catch ordinary ransomware incidents; it is designed to ringfence losses that resemble systemic shocks.

Conclusion: Professionalizing the Assessment, Not Softening the Exclusion

The Lloyd’s market is not retreating from state-backed cyber exclusions. It is refining them. LMA5567A/B signals a maturation in how systemic cyber risk is identified, assessed, and excluded, shifting the burden from abstract definitions to concrete threshold analysis, attribution discipline, and geographic precision.

For specialist brokers, senior underwriters, and complex claims handlers, this is no longer optional knowledge. It is foundational. This level of technical mastery is precisely what separates confident practitioners from exposed ones. Understanding the framework is not about avoiding difficult coverage conversations, but rather being able to lead them, with contractual confidence and defensible reasoning.

That depth of expertise is a core function of the Certified Cyber Insurance Specialist (CCIS) designation. In a market that is professionalizing its exclusions, the professionals who master them will define the next phase of cyber insurance practice.