War, noise or a real shift? How the US-Iran war is testing cyber insurance

For brokers and insurers, the conflict is sharpening attention on cyber accumulation, remote-access weaknesses and policy clarity

By Daniel Wood

The US-Iran conflict has pushed cyber risk back into sharp focus for insurers, brokers and insureds far beyond the Middle East. For the market, the immediate issue is not simply whether war triggers a surge in spectacular attacks but whether geopolitical tension quietly increases the odds that routine weaknesses are discovered, exploited and turned into insured losses. That is the pressure point now facing cyber stakeholders: a more volatile backdrop, heavier scrutiny of aggregation and state-linked exposures and renewed urgency around the controls and policy wording that determine whether a headline-grabbing event becomes a portfolio problem.

Two cyber specialists, drawing on their different operational roles, offer contrasting but likely complementary views on how much the cyber risk landscape has shifted for insurers, brokers and their clients.

“We are seeing a clear change in the threat environment, even though the conflict is thousands of kilometres away from most insureds,” said Scott Walsh, security researcher at Coalition. Scott Bailey, head of global cyber underwriting at CFC, has a different lens.

“From a cyber risk perspective, we haven’t seen a fundamental shift in the threat landscape for insurers, brokers or the majority of their clients,” said Bailey. “What tends to happen during periods of geopolitical tension is an increase in background cyber ‘noise,’ rather than a step change in risk exposure.”

The difference is less a disagreement than a matter of perspective. Coalition sees the conflict more through a threat-monitoring viewpoint with a focus on the rise in scanning, probing and reconnaissance that can increase the chances of known weaknesses being found and exploited. CFC is looking through an underwriting lens, focusing on whether that activity has actually changed the claims outlook for insurers, brokers and most clients. So Walsh is pointing to a shift in the threat environment, while Bailey is saying that has not yet translated into a fundamental change in insured risk.

That may also reflect their market emphasis. Coalition’s model is closely tied to live telemetry and attack-surface monitoring, making it more sensitive to early warning signs, while CFC’s perspective is more rooted in portfolio outcomes and the experience of mainstream insureds, particularly SMEs, where the main drivers of loss still tend to be phishing, credential theft and unpatched systems. Read that way, the two views are complementary: one is describing rising risk signals, the other is judging how far those signals have so far turned into material loss exposure.

The case for treating the conflict as a live underwriting signal

Walsh’s view is that the conflict has already produced a measurable operational change, and that brokers and carriers should not dismiss it as distant geopolitical theatre. Coalition’s telemetry picked up a one-day surge of about 392,000 events from Iranian IP space on February 18, which he characterised as the kind of reconnaissance wave often seen around periods of geopolitical unrest, when threat actors race to map internet-facing systems before deciding what to exploit next.

More significantly for the insurance market, Walsh said the activity looked less like random digital clutter and more like broad, deliberate reconnaissance. During the peak week of February 16 to 22, Coalition’s US honeypots saw more than 2.5 times the Iranian-origin scanning pressure of Canadian honeypots and roughly five times that of Australian ones, suggesting that allied digital infrastructure is firmly within scope even when companies have no physical footprint in the conflict zone.

So the practical insurance issue is not an abstract debate about “cyber war”, but a sharper likelihood that attackers will find old weaknesses first. In Walsh’s telling, misconfigured remote-access tools, exposed internet-facing services and legacy systems become more dangerous in this environment because they are more likely to be discovered and tested. That translates into a higher probability of claims arising from familiar failure points rather than exotic nation-state tradecraft.

“Our clearest signal so far is the uptick in scanning and probing from Iranian IP space,” he said. “Particularly against Remote Desktop Protocol (RDP), virtual private networks (VPNs), and other remote access services that attackers can use for direct system access.”

Walsh said that pattern is already feeding client concern, with brokers and insureds asking whether the conflict changes their exposure, which assets now matter most and how policies would respond if an incident had a state-linked element. He sees that as a constructive response, provided it drives action: hardening remote access, stepping up monitoring of public-facing systems, and rehearsing incident response and business continuity plans.

His underwriting message is similarly targeted rather than alarmist. Walsh expects the episode to sharpen attention on aggregation and concentration risk across shared cloud, SaaS and third-party infrastructure; internet-exposed remote access technologies; and the treatment of nation-state and war-related activity in policy wordings. He pointed to Coalition’s recent alert to policyholders about a widespread ShinyHunters campaign targeting Salesforce Experience Cloud sites as an example of how a single campaign can create correlated exposure across many insureds.

“For carriers that can see risk in near real time, episodes like this are more likely to trigger refined selection and stronger control expectations than a blanket retreat from the market,” said Walsh.

Why many insureds may still face the same old risks

Bailey’s perspective is more measured. He said what has been most visible during the conflict is a lift in low-level, attention-grabbing activity such as website disruption, themed messaging and opportunistic campaigns designed to exploit uncertainty. Those incidents can create headlines and anxiety, but he said they are generally broad, unsophisticated and short-lived rather than the kind of targeted, high-severity attacks that fundamentally alter the exposure profile for most businesses.

That view broadly aligns with the official picture that emerged in the US during the conflict. On June 22, 2025, the Department of Homeland Security warned that the ongoing Iran conflict was creating a “heightened threat environment” in the US and said low-level cyberattacks by pro-Iranian hacktivists were likely. But eight days later, CISA and partner agencies said they had not seen indications of a coordinated campaign of malicious cyber activity in the US that could be attributed to Iran.

Even so, the conflict produced striking cyber incidents that show why the insurance market cannot afford complacency. In June 2025, hackers claimed they had disrupted Iran’s state-owned Bank Sepah, while a separate attack on Iran’s Nobitex crypto exchange reportedly wiped out about $90 million in assets in what AP described as a politically motivated operation rather than a financially driven theft.

For Bailey, though, those episodes do not automatically imply a broad deterioration in risk for the average insured, especially SMEs. He argues that the more advanced cyber operations associated with geopolitical conflict still tend to focus on government-adjacent organisations, critical infrastructure and entities operating directly in affected regions, not mainstream commercial buyers.

“Importantly, the types of advanced, targeted cyber operations associated with geopolitical conflict tend to focus on government-adjacent organisations, critical infrastructure, or entities operating directly within affected regions - not the average SME,” he said.

That leaves brokers with a delicate but important communication task: acknowledge the geopolitical backdrop without overstating the practical risk to ordinary clients. Bailey said the most realistic threats remain the familiar ones - phishing, credential compromise and unpatched vulnerabilities - and that periods like this should be used to reinforce cyber basics rather than to imply a wholesale change in exposure.

“Brokers should be reassuring clients that, despite the heightened geopolitical backdrop, the most realistic cyber risks remain unchanged,” he said.

Taken together, the two perspectives could point to a useful middle ground for the market. For insurers and brokers, the wise response to cyber fallout from the US-Iran conflict is likely sharper underwriting, clearer conversations about war and state-linked exclusions and a renewed push to make sure today’s noisy threat environment does not become tomorrow’s claim.
