Cyber war coverage for state-sponsored attacks went on sale April 27, 2026, when Canopius Group unveiled a specialty add-on product that directly addresses the coverage void Lloyd’s mandatory war exclusion clauses have carved out of commercial cyber policies. The specialty insurer is positioning itself as the lead primary underwriter for multinationals left exposed by a geopolitical risk landscape that standard cyber policies explicitly exclude.
The launch is narrow by design: Canopius describes the product as “limited availability,” a signal that actuarial conservatism rather than absent demand is governing the rollout. That caution is understandable — global cyber premiums reached $15.6 billion in 2025 and are projected at $16.4 billion for 2026 according to Swiss Re, yet systemic cyber war events remain fundamentally uninsurable at scale without public-private backstops that do not yet exist.
How Lloyd’s War Exclusions Created the Multinational Coverage Gap
The proximate cause of the market gap is well-documented. Lloyd’s introduced mandatory state-backed cyber war exclusion clauses in 2021 and tightened them further in 2024 after the NotPetya attack demonstrated how a nation-state cyberattack could generate roughly $10 billion in commercial damages — Maersk alone absorbed an estimated $250–$300 million, FedEx Europe around $400 million — without a formal declaration of war. That ambiguity proved existential for underwriters relying on traditional war exclusions, and Lloyd’s acted to remove aggregate exposure from the market’s balance sheet.
The consequence for multinationals has been a structural coverage gap. Swiss Re data suggests 80% of large corporates carry cyber insurance, yet the policies they hold now explicitly exclude the category of event most likely to produce a large, correlated loss: a state-directed or state-sponsored attack targeting critical infrastructure or supply chains. Companies in energy, telecommunications, semiconductors, and financial services — sectors disproportionately targeted in geopolitical cyber operations — have been operating without viable transfer options for this risk category for the better part of two years.
What the Canopius Product Actually Covers
Canopius’s cyber war coverage operates as an add-on overlay to a primary cyber policy, not a standalone replacement. The product covers both conflict and non-conflict scenarios involving state-aligned or state-sponsored attacks, a broader scope than early-stage war exclusion carve-backs that typically required active armed conflict as a trigger. Camilla Walker, Head of Cyber and Technology at Canopius UK, led the product development, and the insurer is functioning as lead primary carrier in a co-insurance model designed to aggregate capacity across qualified risk partners.
Underwriting eligibility criteria are strict. Canopius is targeting multinationals with verifiable geopolitical exposure — companies operating across multiple jurisdictions in sectors with documented state-targeted risk profiles. Prospective insureds should expect detailed supply chain geography and digital infrastructure assessments as part of the placement process. This selectivity is consistent with Canopius’s track record in specialty lines but also limits the product’s near-term addressable market to sophisticated risk managers at large corporates.
Attribution: The Litigation Risk Inside Every Claim
The central operational challenge for any cyber war product is attribution. Establishing that an attack was state-sponsored — rather than criminal, hacktivist, or opportunistic — requires forensic evidence, geopolitical context, and in many cases a government attribution statement. NotPetya attribution by the US, UK, and Australian governments took over three months after the initial attacks. During that interval, Merck Pharmaceuticals found itself in protracted litigation with property insurers who invoked war exclusions, a legal battle that reached the New Jersey courts and ended with a ruling in Merck’s favor in 2022 on the narrow grounds that the exclusion language was ambiguous.
Canopius’s product will need robust attribution protocols in its policy language to avoid replicating those disputes. Brokers placing this coverage should expect to negotiate forensic investigation riders that define the standards of evidence, the timeline for attribution determinations, and the role of government classifications in triggering or denying coverage. For large multinational clients exposed to war risk premiums across geopolitically sensitive corridors, this contractual precision will be the difference between a workable product and one that produces litigation rather than loss recovery.
Capacity Limits and the Case for a Public-Private Backstop
Lloyd’s 2025 systemic risk scenario modeled $3.5 trillion in potential global economic losses from a major cyberattack, a figure that no private insurance market can absorb at anything close to current premium levels. Swiss Re has revised its cyber premium CAGR downward to 5% through 2026 (from an earlier 6% forecast) — a signal that capacity constraints are already limiting market growth even before war risk is brought back into scope. Canopius’s “limited availability” framing is the commercially honest acknowledgment that the product cannot scale to full market without structural support.
US Treasury proposals for a federal cyber insurance backstop have remained unresolved as of May 2026. Until a public-private framework equivalent to the Terrorism Risk Insurance Act (TRIA) emerges for cyber war, the specialty market will remain fragmented and capacity constrained. The BMA and Lloyd’s innovation pathway announced in April 2026 offers a regulatory fast track for qualifying innovations, but structural capital questions lie beyond what innovation sandboxes can resolve. For now, Canopius’s product is a meaningful first step in a market segment that will require institutional co-investment to reach meaningful scale. Reinsurers watching the cyber market alongside cyber reinsurance rates dropping 32% in traditional segments will need to assess whether cyber war capacity represents margin differentiation or concentration risk in their own books.
