Middle East conflict’s cyber spillover tests limits of war wording and sanctions: Kennedys

Insurers confront blended threats

By Josh Recamara

The widening cyber dimension of the Middle East conflict is emerging as a material exposure for insurers and their clients well beyond the region, according to Kennedys partners Arran Roberts and Joshua Mooney, and senior associate Alexandra O'Hare.

They noted that Iranian state‑sponsored actors and a large ecosystem of pro‑Iranian hacktivist groups have been conducting espionage and disruptive operations against Gulf energy infrastructure and US networks since at least early 2025. Activity escalated sharply during the 12‑day hostilities and has since broadened to Western commercial, financial, energy and critical infrastructure organisations.

Recent incidents attributed to Iranian or Iran‑aligned groups include an attack claimed against a North American medical device company, an attempted intrusion targeting Poland’s nuclear sector, DDoS campaigns against Gulf Cooperation Council infrastructure, and phishing campaigns masquerading as official alert applications across the region. The UAE Cyber Security Council has also warned organisations to adopt a “shields up” posture against wiper malware, which is designed to permanently erase data rather than encrypt it for ransom.

Targets and tactics: beyond the immediate conflict zone

The most exposed sectors map closely to classes that already attract heavy cyber and property‑cat capacity – energy and utilities, financial services with Middle Eastern links, aerospace, defence and logistics, healthcare, cloud and telecoms, and critical national infrastructure such as water utilities. Opportunistic targeting means organisations with no direct connection to Israel, the US or the conflict can still be hit, particularly if they are high‑profile or symbolically significant.

The attack toolkit combines familiar techniques with more destructive and physically oriented elements. The Kennedys team pointed to spear‑phishing and credential harvesting, exploitation of VPNs and edge devices, wiper malware, DDoS attacks, hack‑and‑leak operations, supply‑chain compromise of cloud and managed‑service providers, and smishing and fake application campaigns aimed at civilians. They also highlighted “AI‑enhanced operations”, with groups deploying AI‑assisted phishing tools to increase both the volume and the credibility of lures.

The most striking development is the use of physical force against digital infrastructure, including drone strikes on Amazon Web Services data centres in the UAE and Bahrain that caused structural damage and cloud service disruption. The line between cyber and physical attack is no longer theoretical.

Sanctions risk: ransomware and OFAC exposure

One of the most immediate insurance implications lies in sanctions and compliance. Iranian APT groups often use infrastructure that may be controlled, directly or indirectly, by sanctioned entities. Paying a ransom or transferring any value that ultimately benefits a sanctioned party can itself constitute a sanctions violation, even where the payer is a victim.

Under US law, including the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), US organisations, wherever located, are prohibited from engaging in transactions “directly or indirectly” with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List. That prohibition can extend to directing a non‑US affiliate to make a payment on their behalf, with civil fines that can reach the greater of a per‑violation cap or twice the amount of ransom paid, as well as potential criminal exposure for management.

For cyber insurers and breach‑response vendors, this raises clear operational risks. Policies that contemplate ransom reimbursement or extortion negotiation need tight sanctions wording and robust screening, and incident‑response playbooks must flag the need for legal advice before any payment is even contemplated.

Regulatory reporting and cross‑border claims complexity

The Kennedys team also warned that a single serious incident can trigger overlapping regulatory reporting duties across multiple jurisdictions, regardless of whether a state actor is involved.

Personal‑data breaches will usually require notification to data‑protection authorities and, in some cases, affected individuals. Operators of essential services and digital‑service providers in the UK and EU face separate reporting under NIS/NIS2 regimes. Telecoms and certain digital‑infrastructure operators in the UAE must report to the national regulator, and financial institutions and healthcare providers have their own sector‑specific notification rules. Critical‑infrastructure operators could also face enhanced duties under forthcoming legislation such as the UK’s Cyber Security and Resilience Bill.

That multiplies the regulatory‑investigation component of cyber claims and increases the value of pre‑incident advisory work and panel counsel with cross‑border expertise.

Business interruption, liability and D&O exposure

Wiper malware and destructive DDoS attacks are designed to cause operational shutdown. Because wipers permanently destroy data, recovery may be impossible without offline, immutable back‑ups, making loss scenarios closer to catastrophic hardware failure than to a recoverable ransomware event.

Roberts, Mooney and O’Hare flagged several knock‑on exposures, including contractual liability where organisations cannot perform obligations and must examine force‑majeure clauses; supply‑chain liability where a compromised supplier causes downstream customer losses, as illustrated by the AWS data‑centre attacks; and potential director and officer liability where boards have failed to implement reasonable controls, such as patching known VPN vulnerabilities. In some Middle Eastern jurisdictions, failure to meet cyber‑security duties can even carry criminal sanctions for individuals.

Meanwhile, large‑loss data suggests these are not edge cases. AXA XL’s recent analysis found that large claims account for 88% of the value of its global cyber losses, with ransomware involved in more than half of those large cases. Allianz Commercial reported that ransomware accounts for about 60% of the value of large cyber claims over €1 million in early 2025, with data theft present in 40% of large losses, up from 25% in 2024.

Market response: war wording, systemic risk and coverage gaps

The Middle East conflict is intersecting with a broader market push to clarify war and systemic‑risk language in cyber policies. Following events such as NotPetya, Lloyd’s has pressed for explicit war and systemic‑event exclusions in syndicate wordings to reduce ambiguity around state‑backed attacks.

Most major carriers now include some form of cyber war exclusion, forcing brokers to navigate where cover for nation‑state operations may still respond and where it will not.

At the same time, the global cyber market has moved into a more stable pricing phase after sharp corrections in 2020–21, but underlying risk is still building. US market commentary suggests premiums have “stabilised from a price perspective” off a higher base, even as systemic exposures continue to compound and carriers brace for the next large‑scale supply‑chain or cloud‑outage event. Allianz’s latest Risk Barometer ranks cyber incidents as the top business risk worldwide for 2026, ahead of natural catastrophes and business interruption, reflecting concern about both direct attacks and cascading outages across highly concentrated cloud and digital‑infrastructure providers.

Despite the heightened threat environment, cyber insurance penetration remains uneven. Outside the US, experts noted that many SMEs still do not buy stand‑alone cyber, leaving a “real gap in protection” even as ransomware attacks have risen roughly 33% to 34% year on year in some portfolios and global cybercrime costs are projected to reach nearly US$14 trillion by 2028.

A live test of cyber insurance under systemic stress

According to the trio, the cyber front of the Middle East conflict is “not a contained regional matter” but an active and escalating risk for businesses, infrastructure operators and their insurers across Europe and North America. The mix of state‑directed APT activity, ideologically driven hacktivism, AI‑enabled operations and a demonstrated willingness to damage physical digital infrastructure creates one of the most complex threat environments the market has faced.

For underwriters, brokers and risk managers, that translates into a need to reassess exposure to Iran‑aligned cyber activity, tighten sanctions and reporting protocols, and stress‑test both cyber and property programmes against scenarios that blend data destruction, cloud outage and cross‑border regulatory scrutiny.

In a market where pricing may look stable but large‑loss data and geopolitical risk are flashing red, the Middle East cyber conflict is less an outlier and more a live test of how well cyber insurance can handle genuine systemic stress.
