Skip to content

Cyber Volatility in Precarious Times

Escalating conflict may drive near-term cyber volatility. Why must (re)insurers adopt a “shields up” approach to risk and accumulation?

  • 6 Minute Read

Cyber Volatility in Precarious Times

Turning on the news this Saturday, I was greeted with something my old friends would call a “predictable surprise”: a joint US/Israeli strike on Iran. However, this article is not going to be about that conflict — at least not directly. Instead, I want to focus on an urgent “heads up”: there is a very real probability of increased cyber risk for enterprises and individuals over the next 30 to 60 days. Thus, as experts in defensive cyber and risk quantification, I want to make sure that we’re ready for what may come next.

When conflicts escalate in the physical world, cyber risk tends to rise everywhere else. Not because every company suddenly becomes a primary target, but because cyberspace is the easiest domain in which to retaliate, signal, and apply pressure — often through deniable proxies. The result is predictably unpredictable: more phishing, more credential abuse, more disruptive campaigns, and more opportunistic crime riding the same wave.

However, there’s an aspect of this that is less well known — and far more worrisome. Just like a physical battlefield, the attacker can do a lot in advance of a potential conflict. Software can be trojanized. Machines compromised. Implants… well, implanted, I guess. The terrifying part is that the most decisive cyber work often happens before the first obvious shot: initial access and stealthy persistence, which provides optionality.

In addition, a cyber battlefield has little meaningful “geography” or proximity. Everything is local, everything is attackable with sufficient effort… and, as we will see, cyber is the ultimate asymmetric battlefield for an attacker who cannot hope to compete using traditional military force.

Deniability, Proxies, Copycats, Targeting, and Cost

When we think of asymmetry, we should think about a number of factors that double down on why it can be an effective strategy.

The most obvious is cost. Let’s have a quick “round numbers” thought experiment, playing with order-of-magnitude numbers. For the price of just one state of the art fighter jet (let’s say $100 million as a nice round number), a country can build an extremely potent cyber capability. For example, imagine recruiting cyber-mercenaries at $1M a pop. A team of ten could cause global chaos, especially when augmented by AI. The cost asymmetry alone is enough to make this an attractive approach.

That said, there are four other factors that make cyber a very pragmatic choice for an attack. They are:

  • Deniability: cyber operations can operate “below threshold” while still disruptive. Moreover, a lot of groundwork can be completed before formal hostilities begin. An attacker could bury themselves deeply in critical infrastructure, causing no explicit harm until they choose to do so. Such scenarios are extremely worrisome.
  • Proxies: loosened control means more actors and more unpredictability. The days of dealing with just “a country” are mostly long gone. Today adversaries leverage loose proxies who can act semi-autonomously. This can make outcomes highly unpredictable, as there is no single playbook to follow. Unpredictability helps the weaker side.
  • Copycats: criminals exploit noise; defenders get overloaded. Given the large amount of money tied up in electronic assets, criminals will jump into the fray when they can. If (when) defenders are overloaded and focused on a “nation state actor”, it’s the ideal time to quietly exfiltrate assets that are tradeable.
  • Targeting broadens: everyone finds themselves in the crosshairs. Almost every large company today is a software company — and given the connectivity between companies, there’s no such thing as a non-combatant.

Taken together, these issues make cyber an attractive choice for conflict, but what really makes a difference is when we explore the potential emotional impact of cyberattacks.

The Psychology of Terrorism

In addition to deniability and the overall asymmetry present (a very small group of actors can inflict massive economic damage), there is also a psychological factor that one should consider. Terrorism — and terror-adjacent disruption — is an “effects” strategy. The physical damage (and even the economic damage) can be secondary. The primary objective is psychological, leveraging salience, uncertainty, helplessness, and loss of trust.

Salience is just a fancy way of saying that you can see it… it’s real to you. A cyber event becomes real when it impacts things you can see. That means taking very visible public systems down (think air traffic control, for example), defacing popular websites, leaks of confidential material… or any change that prevents a part of normal life from operating as expected.

Proximity, however, can make it personal. It’s not hitting in the abstract. It’s hitting at home.

Here, noise can be a more rewarding strategy than sophistication: a messy public disruption can have an outsized impact compared to its actual damage.

Uncertainty is destabilizing — and this unease is also boosted by proximity. Most readers of this article will not have traveled to the Middle East — let alone Iran. However, cybersecurity issues can bring that distant battlefield incredibly close to home in a way that kinetic conflict usually cannot. This turns an abstract geopolitical conflict into something that has “right here, right now” consequences. It’s often been written that armies run on their stomachs… but warfare relies in many ways on the will of the people. By making the homefront feel uncomfortable, you inject uncertainty into day to day life. Is this link safe? Can I take this call? Is this invoice real? Ultimately, it forces users to ask the most damning question: are we still in control?

Helplessness is another emotional string to pull. During a cyberattack, the general population feels helpless. There’s nothing you can do. The threat manifests. You simply have to endure it.

Finally, much of the modern world relies on trust. I trust that my bank has my money. I trust that my stocks are still present. I trust that my personal secrets remain secret. When trust erodes, we can see contagion. "If this, why not that” bleeds from a real attack to an imagined one.

All of these factors combined can make a cyber response to a kinetic action a highly effective choice.

What This Means, In Practice

Forewarned is forearmed, but unfortunately in this case, it’s impossible to eliminate all the risk (though there are high-leverage options open to defenders). Additionally, it’s equally possible that absolutely nothing happens — as combatants may wish to deescalate what is already a highly volatile situation. But while we can hope for the best, it’s important to prepare for the worst.

The first thing every defender should do is use this as a wake up call: you must be prepared “left of boom”. Conflict can break out at any time, and whether you like it or not, everywhere in cyberspace is “local” in a conflict. While you can’t go back in time (if you do, though, be sure to take with you a copy of “Gray's Sports Almanac” with you), this is not the last time kinetic conflict will break out. Your cyber prep needs to be happening continually.

Second, from a loss perspective, every organization should now be shields up. While as of February 28, 2026, U.S. agencies have extensive standing guidance on Iranian cyber activity, and prior joint advisories urging vigilance, a conflict-specific alert has not yet clearly appeared. However, given the long-standing Iran-specific guidance, it’s very reasonable to think that tensions are now much higher. Run your phishing drills, and remind folks that most attacks come through the end user, not the machine.

Third, please patch your perimeter. This is now table stakes, but it’s a good time to ensure there’s nothing in CISA’s Known Exploited Vulnerabilities (KEV) — at a bare minimum — floating around in your network. Again, even if this is a precaution, you will reap the benefits in the long run.

Finally, recognize it’s too late for prevention for some threats: a determined adversary could already be burrowed deep into your network. This is the time for you to run your observability playbooks as if your lives depended on it. Best case, you find nothing, and you get a good fire drill completed. Worst case… Well, you know what the worst case is.

Closing Thoughts

The insurance world is a little complex when it comes to warfare. While physical policies have long contained exclusions, the cyberworld is more complex. For example, some policies include something along the lines of LMA5567 that explicitly contemplates proxy cyberwars. But the trouble is, it’s increasingly difficult to tell what’s what. While kinetic events are obvious (and, fortunately, rare, so attribution is prioritized and comparatively easy), cyber events are common, and there’s a blurred line that is very open to interpretation. If things don’t go well over the next few months, expect a lot of debate and chaos.

As Yogi Berra famously said, “prediction is hard, especially about the future”. We don’t know what the outcome of the Middle East conflict will be. But one thing we can be sure of is that a sensible “shields up” posture will pay you back, if not this time around, but next time.