AI and the Iran war could increase cyberattacks

Editor's Note: This is the second installment of a two-part series examining how the conflict in Iran is changing global cybersecurity risks for insurers and their clients.

Cyber threats are a constant factor for today's businesses, but the broad adoption of artificial intelligence and the war in Iran are providing threat actors with the means and opportunity to perpetrate attacks across a range of industries. Part one of this two-part series focused on how bad actors use the chaos created by global events to increase their attack coverage, who some of these entities are, and what their most likely targets are.

Understanding the threat actor's goals

During a conflict, threat actors focus on areas that have strategic value, will provide significant visibility or public impact, and allow them to gain access to data or other intelligence that provides leverage.

Disrupting critical infrastructure and essential services such as energy, transportation or communications can have a real-world impact, according to Will Handley, cyber underwriting executive for MSIG USA. In the financial sector, payments and market infrastructure are high-value and highly visible, and the sector tends to elevate monitoring during geopolitical spikes.

Handley says the goals for these bad actors usually involve espionage and positioning, disruption or coercion, influence and psychological impact, or financial gain. Attackers may want to seek access to sensitive information, create disruptions that can have a significant psychological or economic impact, or generate public confusion and undermine confidence.

"What is important is that many of these outcomes intersect with different areas of risk. A cyber event may begin as a network intrusion but quickly expands into financial fraud, operational disruption, or reputational impact. At MSIG USA, we're partnering with brokers and clients from a more holistic lens, with close coordination between cyber, financial lines, crime, across all our lines. Understanding the potential objectives of attackers helps insurers and clients alike focus on the controls and response planning that can reduce both the likelihood and severity of an event," he details.

"In the context of escalating tensions between the United States and Iran, the objectives of cyber threat actors are becoming increasingly aggressive and strategically aligned with geopolitical interests. These actors are not simply probing networks — they are actively pursuing financial gain, political leverage, ideological influence, and corporate or state-sponsored espionage," says Michael Crean, senior vice president of managed services for SonicWall and a U.S. Army combat veteran. "Organizations should assume that cyber activity tied to this conflict will increasingly prioritize impact and visibility, not just profit."

Threat actors understand that conflicts provide a unique opportunity to embed viruses and other code that will provide future access to a company's data. This long-range approach allows them to see inside their targets' systems and collect information for future secondary attacks.

Michelle Chia, chief underwriting officer, cyber, design & select professional at AXA XL adds, "In a geopolitical conflict, actors prioritize strategic objectives like espionage, pre-positioning for future disruptions, and signaling through cyberattacks, rather than purely financial motives. They aim to gather sensitive information, maintain dormant access for future use, and send political messages by disabling or damaging systems. While financial gain via ransomware and fraud occurs, it often serves to fund operations or exploit chaos. Ultimately, the main focus is on intelligence, leverage, and gaining a long-term strategic advantage."

How conflicts change risks for insurers and clients

As companies focus on how the Iran war is affecting various aspects of their business, their employees may be less vigilant about the emails they open, the links they click or how they respond to inquiries from unknown individuals. Threat actors are very aware that attention may be diverted elsewhere and increase their efforts to attack.

Chia explains how this affects insurers and their clients. "A rise in cyber activity certainly increases risks for cyber insurers by amplifying the likelihood of large-scale, systemic events and creating attribution challenges around acts of war or state-sponsored attacks. This evolving landscape prompts insurers to update underwriting models, emphasizing dependencies on critical infrastructure, government contracts, and specific vendors, while also raising legal and reputational concerns. In response, insurers are enhancing monitoring with threat intelligence, offering proactive security services, and educating clients on asset hardening, segmentation, and crisis planning. Overall, this shift fosters a more collaborative, continuous approach to risk management beyond traditional indemnity coverage."

Some policies may include war exclusions, which affect coverage if a loss is attributable to a "war" or similar actions. "War exclusions in cyber policies have already been subject to considerable legal debate, and this conflict will intensify that scrutiny," shares Steve Durbin, chief executive of the Information Security Forum. "Insurers are grappling with how to define and attribute state-sponsored attacks, and the Iran-US-Israel conflict creates exactly the kind of ambiguity that makes claims contentious. The more forward-thinking insurers are actively helping clients assess supply chain vulnerabilities and incident response readiness. Organizations should not assume their existing cyber coverage will respond in the way they expect."

Because cyberattacks have the potential to spread globally in minutes, some could result in substantial losses for international companies and their insurers. "Cyber insurers face an elevated risk of systemic losses from a single, large-scale event, particularly if an attack cascades across multiple policyholders in a critical sector," says Judson Dressler, director of the Resilience Risk Operations Center. "Attacks on critical infrastructure (energy, water, communications, etc.) can aggregate losses quickly." 

Additionally, because of the escalating tensions between the U.S. and Iran, Crean believes threat actors are increasing cyber risks and pushing them beyond routine background threats to a more active and strategic domain. These actions are requiring cyber insurers and their security teams to increase monitoring for potential state-sponsored attacks that could target critical systems or sensitive data.

"To reduce risk, insurers should be encouraging organizations to focus on core security practices such as applying software patches quickly, enabling multi-factor authentication (MFA), and strengthening protections around critical infrastructure and sensitive systems," advises Crean. "These steps are especially important as Iran-aligned cyber groups have historically targeted U.S. sectors such as financial services, energy, and government with disruptive tactics including ransomware, data theft, distributed denial-of-service (DDoS) attacks, and destructive malware."

Hackers increase efforts during wartime

Conflicts tend to make threat actors more aggressive for a number of reasons, so organizations that could become targets need to be even more vigilant: prioritize efforts like patching and software updates, review their supply chain security, and ensure their data is backed up and accessible if needed.

"Events like these embolden bad actors because they assume organizations are distracted and malicious activity is easier to hide amid the increased digital 'noise,'" cautions Mary Ann Miller, VP, evangelist & fraud executive adviser at Prove. "To protect themselves, companies should focus on strengthening identity security by using strong authentication, monitoring for suspicious behavior, especially because compromised credentials and account takeover remain some of the most common entry points for attacks."

"Treat geopolitical conflict as a signal to strengthen your cyber posture and resilience," encourages Chia, "not just temporarily, but as a vital part of adapting to a world where cyber operations are an ongoing element of global tensions."

Handley finds that a conflict can embolden actors because it increases their perceived justification, creates a sense of urgency, and sometimes lowers the bar for "acceptable" disruptive tactics. He offers several practical steps to help companies mitigate the risks from a possible attack.

  • Focus on hardening identity controls: Enable multifactor authentication, actively monitor suspicious login behavior, and reduce credential reuse.
  • Patch systems and reduce exposed attack surfaces. Prioritize updates for internet-facing systems.
  • Prepare for potential disruption events, including distributed denial-of-service attacks.
  • Confirm robust logging is in place with comprehensive endpoint detection, and review response playbooks to keep them current.
  • Reinforce phishing and fraud controls, particularly for financial transactions and vendor communications. Political events can increase social engineering activities.

Global events like the war in Iran provide an opportunity for insurers and brokers to educate customers on their risks and strengthen their defenses before an event occurs. The ease with which threat actors can use AI to execute phishing and other social engineering attacks requires companies and employees to be even more suspicious and alert than ever.
