
Regulatory & War Exclusion Methodology

v1.0 · April 2026

How DORA / NIS2 / SEC / NY DFS / HIPAA / GDPR / CCPA / PCI scoping works, and how the LMA 5567A/B war exclusion attribution engine applies geo-weighted loss to named state-attributed scenarios.

1. Executive Summary

Three of the highest-stakes underwriting concerns of 2025-2026 in one place: regulatory compliance scoping (with industry × jurisdiction filters), LMA 5567A/B war exclusion attribution (with geographic loss weighting), and OFAC sanctions screening with audit ledger.

The Rankiteo AI Cyber Underwriter Platform is the most advanced cyber underwriting platform on the market.

2. Regulatory Mapping

Each insured is mapped to applicable regimes based on BOTH industry sector AND jurisdiction (country code from headquarters address).

Regime           | Industry keywords (substring match)                                          | Jurisdictions     | Max Fine
-----------------|------------------------------------------------------------------------------|-------------------|--------------------
EU DORA          | bank, financial, insur, fintech, asset, payment                              | EU only           | €10M
EU NIS2          | energy, transport, bank, health, water, telecom, manufactur, food, postal     | EU only           | €10M / 2% turnover
SEC Item 1.05    | any (US-listed)                                                              | US                | $25M
NY DFS Part 500  | bank, insur, financial, fintech                                              | US (NY-licensed)  | $5M
HIPAA / HITECH   | health, hospital, pharma, biotech                                            | US                | $1.9M
PCI-DSS 4.0      | retail, ecommerce, hospital, restaurant, hotel, payment                      | GLOBAL            | $500K
GDPR / UK GDPR   | any                                                                          | EU + GB           | €20M / 4% turnover
CCPA / CPRA      | any                                                                          | US (CA)           | $7.5M
UK FCA Op-Res    | bank, financial, insur, fintech, asset                                       | GB                | £20M

Industry keywords are lowercase stems ("insur" covers insurer and insurance, "manufactur" covers manufacturer and manufacturing) matched as substrings of the insured's industry label; a regime with "any" has no industry filter.

3. Jurisdictions

The country code is parsed from the insured's headquarters field (e.g., "Paris, FR" → FR). Insureds without a known country are flagged with a warning banner: they cannot be classified for jurisdictional regimes, and only GLOBAL regimes (PCI-DSS) are evaluated for them.

    # Industry filter AND jurisdiction filter.
    # regime.industries holds the lowercase keyword stems from the table above,
    # matched as substrings of the insured's lowercase industry label.
    # regime.jurisdictions holds ISO 3166-1 alpha-2 codes plus two pseudo-codes:
    # "EU" (any member state in EU_COUNTRIES) and "GLOBAL" (every country).
    def regime_applies(regime, country, industry):
        if regime.industries and not any(kw in industry for kw in regime.industries):
            return False
        if "GLOBAL" in regime.jurisdictions:
            return True
        if not country:
            return False  # cannot safely flag a jurisdictional regime without a country
        if "EU" in regime.jurisdictions and country in EU_COUNTRIES:
            return True
        if country in regime.jurisdictions:
            return True
        return False
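The end-to-end scoping path, from headquarters string to the list of applicable regimes, as an added example (it is not Rankiteo's code). It transcribes the section 2 table into data, supplies an assumed EU member-state set, and shows the unknown-country case, which yields a warning and only the GLOBAL regime. The state-level qualifiers in the table ("NY-licensed", "CA") cannot be resolved from a country code, so they are scoped as US here, which the comments mark as a simplification:

```python
"""Regime scoping by industry keyword AND jurisdiction.

Added illustration, not the platform's code. EU_COUNTRIES, the regime
table transcription and the sample insureds are constructed for it.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: ISO 3166-1 alpha-2 codes of the 27 EU member states.
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
})


@dataclass(frozen=True)
class Regime:
    name: str
    industries: Tuple[str, ...]     # lowercase keyword stems; empty tuple = any industry
    jurisdictions: Tuple[str, ...]  # ISO codes, or the pseudo-codes "EU" / "GLOBAL"


# Transcription of the section 2 table. NY DFS and CCPA are scoped as plain "US"
# because a country code cannot express "NY-licensed" or "CA" (simplification).
REGIMES = (
    Regime("EU DORA", ("bank", "financial", "insur", "fintech", "asset", "payment"), ("EU",)),
    Regime("EU NIS2", ("energy", "transport", "bank", "health", "water", "telecom",
                       "manufactur", "food", "postal"), ("EU",)),
    Regime("SEC Item 1.05", (), ("US",)),
    Regime("NY DFS Part 500", ("bank", "insur", "financial", "fintech"), ("US",)),
    Regime("HIPAA / HITECH", ("health", "hospital", "pharma", "biotech"), ("US",)),
    Regime("PCI-DSS 4.0", ("retail", "ecommerce", "hospital", "restaurant", "hotel", "payment"), ("GLOBAL",)),
    Regime("GDPR / UK GDPR", (), ("EU", "GB")),
    Regime("CCPA / CPRA", (), ("US",)),
    Regime("UK FCA Op-Res", ("bank", "financial", "insur", "fintech", "asset"), ("GB",)),
)


def parse_country(headquarters: str) -> Optional[str]:
    """Return the trailing two-letter code of "City, CC"; None if it is not there.

    "Paris, FR" -> "FR"; "Paris, France" and "Rome" -> None (cannot be classified).
    """
    parts = [p.strip() for p in headquarters.split(",")]
    tail = parts[-1].upper() if parts else ""
    return tail if len(tail) == 2 and tail.isalpha() else None


def regime_applies(regime: Regime, country: Optional[str], industry: str) -> bool:
    """Industry keyword filter first, then the jurisdiction filter."""
    industry = industry.lower()  # keywords in the table are lowercase stems
    if regime.industries and not any(kw in industry for kw in regime.industries):
        return False
    if "GLOBAL" in regime.jurisdictions:
        return True
    if not country:
        return False  # unknown country: never assert a jurisdictional regime
    if "EU" in regime.jurisdictions and country in EU_COUNTRIES:
        return True
    return country in regime.jurisdictions


def classify(headquarters: str, industry: str) -> dict:
    """Map one insured to its regimes; carry the warning for an unparseable HQ."""
    country = parse_country(headquarters)
    applicable = [r.name for r in REGIMES if regime_applies(r, country, industry)]
    warning = None if country else "HQ country unknown: jurisdictional regimes not evaluated"
    return {"country": country, "regimes": applicable, "warning": warning}


if __name__ == "__main__":
    # Constructed sample insureds.
    for hq, sector in (("Paris, FR", "Insurance"), ("New York, US", "Retail bank"), ("Rome", "Hospital")):
        print(hq, sector, classify(hq, sector))
```

Note the ordering of the two filters: the industry test runs before the country test, so a GLOBAL regime such as PCI-DSS still needs a keyword match, and an insured with an unknown country gets PCI-DSS (if its industry matches) but nothing else.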

4. War Exclusion Engine (LMA 5567A/B)

Replays five named state-attributed scenarios (NotPetya, SolarWinds, Viasat, Grid Attack, hypothetical CrowdStrike-class) against the portfolio. For each insured, the engine determines whether it is a target (industry match plus geographic exposure), computes the gross loss (coverage × loss%), and applies the LMA 5567A exclusion if the scenario meets the "Impacted State" + essential services + attribution test. The exclusion test is evaluated per scenario, not per insured: once a scenario passes all three limbs, the exclusion applies to every target's loss in that scenario.

5. Geographic Multipliers

Each scenario has a country exposure config:

NotPetya (2017)
  country_exposure:
    primary:   [UA]                 × 1.0   (full hit)
    secondary: [EU + US + GB]       × 0.55  (spillover)
    default:   all other countries  × 0.05  (minimal)

SolarWinds (2020)
  country_exposure:
    primary:   [US]                 × 1.0
    secondary: [GB, CA, EU]         × 0.30
    default:   all other countries  × 0.05

Gross loss = coverage × loss_per_target_pct × geo_multiplier. Insureds outside the exposure zones contribute zero (or minimal) loss to the scenario, even if their industry matches.
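The loss computation of sections 4 and 5 carried through on a small constructed portfolio, as an added example that is not the Rankiteo engine. The two scenarios use the exposure tiers listed above; their target industries, loss percentages and the three exclusion-test flags are assumed values chosen for the illustration, not legal findings. Unknown-country insureds are given the default multiplier, which is this example's choice, not something the page specifies:

```python
"""Geo-weighted scenario loss with the LMA 5567A exclusion switch.

Added illustration, not the platform's code. Scenario parameters other
than the exposure tiers, and the portfolio, are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: ISO 3166-1 alpha-2 codes of the 27 EU member states.
EU_COUNTRIES = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
})


@dataclass(frozen=True)
class Scenario:
    name: str
    industries: Tuple[str, ...]  # lowercase stems; empty tuple = every industry is a target
    loss_per_target_pct: float   # share of coverage a hit target loses (assumed)
    primary: Tuple[str, ...]     # countries taking the full hit
    secondary: Tuple[str, ...]   # spillover countries ("EU" expands to member states)
    primary_mult: float
    secondary_mult: float
    default_mult: float
    impacted_state: bool         # example inputs to the three-limb exclusion test
    essential_services: bool
    attributed: bool


@dataclass(frozen=True)
class Insured:
    name: str
    industry: str
    country: Optional[str]       # None when the HQ country could not be parsed
    coverage: float


def expand(codes):
    """Expand the "EU" pseudo-code to member states; other codes pass through."""
    out = set()
    for c in codes:
        out |= EU_COUNTRIES if c == "EU" else {c}
    return frozenset(out)


def geo_multiplier(s: Scenario, country: Optional[str]) -> float:
    """Primary tier wins over secondary; everything else, including an
    unknown country (assumption), gets the default multiplier."""
    if country in expand(s.primary):
        return s.primary_mult
    if country in expand(s.secondary):
        return s.secondary_mult
    return s.default_mult


def is_target(s: Scenario, ins: Insured) -> bool:
    industry_ok = not s.industries or any(kw in ins.industry.lower() for kw in s.industries)
    return industry_ok and geo_multiplier(s, ins.country) > 0.0


def gross_loss(s: Scenario, ins: Insured) -> float:
    """coverage x loss_per_target_pct x geo_multiplier, rounded to cents."""
    if not is_target(s, ins):
        return 0.0
    return round(ins.coverage * s.loss_per_target_pct * geo_multiplier(s, ins.country), 2)


def exclusion_applies(s: Scenario) -> bool:
    """The exclusion bites only when all three limbs are met for the scenario."""
    return s.impacted_state and s.essential_services and s.attributed


def run_scenario(s: Scenario, portfolio) -> dict:
    gross = round(sum(gross_loss(s, ins) for ins in portfolio), 2)
    excluded = gross if exclusion_applies(s) else 0.0
    return {"scenario": s.name, "gross": gross, "excluded": excluded, "net": round(gross - excluded, 2)}


# Exposure tiers from section 5; the remaining fields are assumed for the example.
SCENARIOS = (
    Scenario("NotPetya (2017)", (), 0.20, ("UA",), ("EU", "US", "GB"), 1.0, 0.55, 0.05, True, True, True),
    Scenario("SolarWinds (2020)", ("software", "telecom", "government"), 0.10,
             ("US",), ("GB", "CA", "EU"), 1.0, 0.30, 0.05, True, False, True),
)

# Constructed portfolio.
PORTFOLIO = (
    Insured("Kyiv logistics", "Logistics", "UA", 10_000_000),
    Insured("Paris insurer", "Insurance", "FR", 20_000_000),
    Insured("Austin software", "Software", "US", 5_000_000),
    Insured("Singapore bank", "Bank", "SG", 50_000_000),
)

if __name__ == "__main__":
    for s in SCENARIOS:
        print(run_scenario(s, PORTFOLIO))
```

On this portfolio the NotPetya replay produces a gross loss of 5.25M, all of it excluded because the scenario passes the three-limb test, while the SolarWinds replay hits only the software insured (0.5M) and stays covered because the essential-services limb is not met in the assumed flags. The Singapore bank still contributes 0.5M to NotPetya through the 0.05 default multiplier, which is the "minimal" rather than zero contribution section 5 describes.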

6. OFAC Sanctions Screening

Strict-liability OFAC SDN screen across the portfolio with an immutable audit ledger (timestamp, checker, result, notes). Because OFAC liability is strict, lack of intent is no defense; the audit trail is the evidence of a functioning screening programme, which OFAC's Enforcement Guidelines treat as a mitigating factor in any enforcement action.
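A screening routine with a tamper-evident ledger, as an added example that is not Rankiteo's implementation. The SDN entries are constructed, not real list data; the name normalisation is one reasonable matching rule, and the SHA-256 hash chain is one way to realise the "immutable" property (the page does not say how its ledger is made immutable):

```python
"""OFAC SDN screen with a hash-chained audit ledger.

Added illustration, not the platform's code. SAMPLE_SDN is constructed;
the chain makes edits detectable, it does not by itself prevent them.
"""
import hashlib
import json
import unicodedata
from datetime import datetime, timezone

# Constructed stand-in for the SDN list; real screening loads the published list.
SAMPLE_SDN = frozenset({"EXAMPLE TRADING CO LTD", "JOHN Q SAMPLE"})


def normalize(name: str) -> str:
    """Fold accents, case, punctuation and whitespace before comparing names."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in ascii_name)
    return " ".join(cleaned.upper().split())


def screen(name: str, sdn=SAMPLE_SDN) -> str:
    """Exact match on normalised names; strict liability means a HIT blocks the deal."""
    return "HIT" if normalize(name) in {normalize(x) for x in sdn} else "CLEAR"


class AuditLedger:
    """Append-only ledger: each entry commits to the previous entry's hash."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, insured: str, checker: str, result: str, notes: str = "", ts: str = None) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "insured": insured,
            "checker": checker,
            "result": result,
            "notes": notes,
            "prev": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return i
            prev = e["hash"]
        return None


if __name__ == "__main__":
    ledger = AuditLedger()
    for insured in ("Acme Widgets", "Example Trading Co., Ltd."):
        ledger.append(insured, "analyst-1", screen(insured))
    print(ledger.entries[-1]["hash"], ledger.verify())
```

Rewriting an old entry breaks either its own digest or the `prev` pointer of the next entry, so `verify()` reports the first inconsistent index. To make the chain immutable rather than merely tamper-evident, the head hash has to be anchored somewhere the ledger writer cannot alter (WORM storage, a signed timestamp, or a periodic export to a separate system).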

7. Data Sources

Source                        | Used for
------------------------------|------------------------------------------
Company profile               | Headquarters → country code parsing
Lloyd's Y5381 + LMA 5567A/B   | War exclusion clause logic
OFAC SDN list                 | Sanctions screening (production)

8. Glossary

Term                  | Definition
----------------------|---------------------------------------------------------------------------
DORA                  | Digital Operational Resilience Act (Regulation (EU) 2022/2554), EU financial entities
NIS2                  | EU directive (2022/2555) for essential and important entities
LMA 5567A             | Lloyd's Market Association standard cyber war exclusion clause, variant A
Impacted State test   | The state-attribution + essential services threshold under LMA 5567A

Proprietary to Rankiteo. Contact [email protected].