What “Act of War” Means for Your Cyber Insurance Coverage

Let me ask you something directly: When was the last time you actually read your cyber insurance policy?

Not the summary your broker emailed you. The actual policy. The exclusions section, specifically.

If you haven't, there's a good chance you're carrying a false sense of security that could cost your business everything. I've spent more than 25 years in cybersecurity and risk management, and the single most dangerous assumption I see business owners make right now is this one: "We have cyber insurance, so we're covered."

You may not be. And the gap in your coverage isn't buried in fine print; it's hiding in plain sight under three words: Acts of War.

The Clause Your Insurer Is Counting On

Cyber insurance policies almost universally contain an "Acts of War" exclusion. In traditional insurance, this language was written to protect carriers from catastrophic, uninsurable events: physical warfare, bombs, mass destruction. The logic was straightforward: no insurer can price a policy against the full costs of a world war.

But the world has changed. War no longer requires soldiers crossing borders. Today, nation-states wage highly effective, deeply damaging campaigns through keyboards, targeting critical infrastructure, financial systems, supply chains, and yes, private businesses like yours.

The problem is that the old exclusion language has followed us into this new reality. And insurers are using it.

When a cyberattack can be attributed, or even plausibly linked, to a foreign government, your insurer may have grounds to deny your claim entirely. It doesn't matter how much you paid in premiums. It doesn't matter how devastating the damage is. If they can make the case that the attack was state-sponsored, you may be on your own.

This isn't a theoretical risk. We have a landmark case that proved it.

NotPetya: The $10 Billion Wake-Up Call

In June 2017, malware known as NotPetya tore through global networks with a speed and ferocity that stunned even seasoned security professionals. It started in Ukraine, initially disguised as ransomware, but it wasn't really ransomware. It was a weapon designed to destroy.

Within hours, NotPetya had jumped borders and infected networks at some of the world's largest companies. Shipping giant Maersk lost an estimated $300 million. Pharmaceutical company Merck was hit for $870 million. FedEx's European subsidiary TNT suffered $400 million in damages. The total global damage estimates reached $10 billion.

The U.S. and U.K. governments officially attributed NotPetya to Sandworm, a cyber unit of Russian military intelligence. That attribution set off a legal battle that would redefine what cyber insurance actually covers.

When Merck filed a $1.4 billion claim under its property insurance, its insurers denied it, citing the Acts of War exclusion. Merck fought back, and after years of litigation, a New Jersey court ultimately ruled in Merck's favor in 2023, finding that the exclusion as written didn't clearly apply to cyberattacks. It was a significant win.

But here's what that story actually tells me: Insurers tried to use the exclusion. They will try again. And they've been rewriting their policies ever since to make sure the language sticks the next time.

Lloyd's of London began requiring its syndicates to exclude state-backed cyberattacks from standalone cyber policies in 2023. Other major carriers have followed. The direction of travel in the insurance industry is unmistakable: they are narrowing what they cover, not expanding it.

Why This Is Especially Urgent Right Now

We are living through an era of unprecedented nation-state cyber activity. Russian, Chinese, North Korean, and Iranian threat actors are conducting ongoing operations against Western businesses, not just governments and defense contractors.

The construction firms I advise. The hospitality groups. The financial services companies. The nonprofits. These are not targets that sound like military objectives, but they are absolutely in the crosshairs: for intellectual property, for supply chain access, for financial disruption, and sometimes simply to cause chaos.

And here's the uncomfortable truth: you don't have to be the intended target to be devastated by a state-sponsored attack. NotPetya proved that. Companies around the world were collateral damage. Their insurers still reached for the exclusion.

In an environment where attribution is increasingly possible, and increasingly used, the Acts of War clause is no longer a dormant provision in your policy. It's a loaded clause, and nation-states are pulling the trigger more often every year.

What Insurance Can't Do (And Was Never Designed to Do)

I want to be clear: cyber insurance is a legitimate and valuable tool. I'm not telling you to cancel your policy. What I'm telling you is to stop treating it as your primary defense.

Insurance is a financial recovery mechanism. It's designed to help you rebuild after a loss. But it has three fundamental limitations that no policy language can fix:

1. It doesn't prevent the attack. A policy doesn't stop malware from encrypting your files, exfiltrating your customer data, or taking down your operations for weeks. It might, might, help you pay to recover. But the damage to your reputation, your customer relationships, and your competitive position? That's not on any claims form.

2. It doesn't guarantee payment. As NotPetya demonstrated, even a well-funded company with experienced legal counsel can face years of litigation before seeing a dollar. Can your business survive that uncertainty?

3. It covers less than you think. Between Acts of War exclusions, sublimits on specific types of losses, requirements for security controls you may not have documented properly, and waiting periods, many businesses discover at the worst possible moment that their coverage has significant gaps.

The businesses I've worked with that have come through major cyber incidents with their operations intact had one thing in common: they had invested in getting ahead of the threat before the incident occurred.

That's where a virtual Chief Security Officer comes in.

What a vCSO Actually Does for Your Business

A Chief Security Officer (CSO or CISO) is the executive responsible for an organization's entire security posture: strategy, operations, compliance, vendor risk, incident response, and more. At a large enterprise, this is a full-time C-suite role commanding a six-figure-plus salary.

Most small and mid-sized businesses can't justify that investment. But they still face the same threat landscape. That gap is exactly what a virtual CSO (vCSO) is designed to fill.

A vCSO brings experienced, senior-level security leadership to your organization on a fractional or retainer basis. Here's what that actually looks like in practice:

Strategic security leadership. A vCSO develops and owns your organization's security strategy: not just a list of tools, but a coherent program aligned to your specific business risks, your regulatory environment, and your operational realities. Security stops being a technical problem that gets handed off to IT and starts being a business function that gets managed like one.

Risk assessment and prioritization. One of the biggest mistakes I see is companies spending money on the wrong protections while leaving critical gaps unaddressed. A vCSO conducts honest, thorough assessments (vulnerability discovery, penetration testing, architecture reviews) and prioritizes investments based on actual risk, not vendor sales pitches.

Insurance defensibility. This is critically important and often overlooked. A vCSO helps you build and document the security controls that insurers require, and builds the evidence trail that supports your claims if an incident occurs. When a carrier looks for reasons to deny your claim, a well-documented security program gives you the ground to stand on.

Incident response readiness. Most organizations have no tested incident response plan. When an attack hits, they're improvising under pressure, which is when costly mistakes happen. A vCSO builds, tests, and maintains a response plan so that your team knows exactly what to do when seconds matter.

Ongoing threat intelligence. The threat landscape changes fast. A vCSO keeps watch, translates what's happening in the broader security world into specific, actionable guidance for your business, and adjusts your defenses accordingly.

In short: a vCSO does what insurance cannot. It keeps you from needing to file the claim in the first place and puts you in the strongest possible position when you do.

The Business Case Is Simple

Let me put this in terms that matter to you as a business leader.

A nation-state cyberattack that takes down your operations for two weeks costs you more than most companies recover from. If your insurer invokes an Acts of War exclusion and denies your claim, or if you spend two years in litigation before seeing any payment, the business may not survive.

A vCSO program, delivered fractionally through a firm like Netready, gives you strategic security leadership at a fraction of the cost of a full-time hire. It builds the defenses that make an attacker look for a softer target. It gives you documented, defensible security controls that actually support your insurance coverage rather than leaving it to chance.

And it gives you something that no policy document can: an expert in your corner, aligned to your business goals, whose job is to make sure you never have to test whether your insurer honors the fine print.

This Isn't Hypothetical Anymore

I wrote Exposed to Secure because I kept watching businesses operate on assumptions about their security that weren't grounded in reality. The assumption that cyber insurance is a safety net is one of the most dangerous of those, and right now, in 2026, with nation-state cyber operations running at unprecedented levels and insurers actively tightening their exclusions, it's more dangerous than ever.

The businesses I've watched come out of incidents intact weren't lucky. They were prepared. They had thought through their risks, built layered defenses, and critically, they had security leadership that treated their protection as an ongoing program, not a checkbox.

Ready to Close the Gap?

If you're not sure whether your current security posture would hold up under a serious attack, or whether your insurance coverage has the gaps we've been talking about, I'd welcome a conversation.

At Netready, our vCSO engagements are built around your business: your industry, your risk profile, your goals. We work with clients in financial services, construction, hospitality, and the nonprofit sector who need real security leadership without the overhead of a full-time hire.

This isn't about selling you more tools or more coverage. It's about building something that actually works.

Reach out to Netready to start a conversation about vCSO services. No pressure, no jargon, just an honest look at where you stand and what it would take to give you genuine peace of mind.

Because when the attack comes (and in today's environment, it's a matter of when, not if), you'll want more than a policy number to fall back on.

Zac Abdulkadir is the CEO of Netready and the author of Exposed to Secure, an Amazon bestseller on cybersecurity for business leaders. With 25+ years of experience in cybersecurity and risk management, he has been featured as a contributor to the film Cyber Crime Investigations and advises organizations across the financial, construction, hospitality, and nonprofit sectors.