Cyber and technology exposure
The rise of non-state actors
Once a space of experiment, the cyber landscape has emerged as a critical battlefront in the field of geopolitics. Early cyber-attacks consisted of basic forms of espionage – including attempts to crash and slow essential websites, such as those belonging to government ministries, banks, and media. Today, cyber warfare has evolved to include large-scale coordinated attacks, deployed by both state and non-state actors to forward their political, military, or strategic goals. With geopolitical tension at a fever-pitch, there is an increased likelihood of cyber-attacks levied against corporate targets.
Cyber-attacks have traditionally been perpetrated by state actors. But recent decades have seen an unprecedented rise in attacks launched from non-state actors, operating without explicit state backing. This category includes both state-affiliated actors, with operations allegedly funded or otherwise supported by a nation state, and so-called ‘hacktivists’: small or loosely organised individuals or groups acting independently of a state, who nevertheless wish to forward its aims.
The rise in attacks perpetrated by non-state actors is a function of geopolitical tension, but it also reflects underlying shifts in the global cyber and technology landscape. Throughout the last decade, the cybersecurity sector has witnessed a proliferation in malicious cyber tools, which has reduced barriers-to-entry for cyber criminals and increased profitability. The commercial availability of these tools – which include ransomware-as-a-service (RaaS) – has enabled their use as an ‘asymmetric’ warfare tactic, in which potentially devastating attacks can be launched at a fraction of the cost required to build a conventional military programme.
From extortion to disruption
But it is not only the frequency of cyber-attacks that are changing; geopolitical instability is also transforming the nature of attacks. Acts of cybercrime typically carry a financial incentive: criminals may seek to gain access to sensitive data, encrypt networks and files, or disrupt essential services in return for a ransom payment. Where the attacker is state-affiliated, that sum may be used to fund or recoup money lost in physical warfare.
As geopolitical tensions increase, these motivations are changing. Rather than seeking to extract value, state-linked or ideologically motivated actors are increasingly seeking to cause maximum disruption, with no incentive to restore systems. One of the most high-profile destructive attacks occurred on 11 March 2026, when US medical technology giant Stryker suffered a devastating global cyber-attack. Claimed by Handala, a pro-Iranian hacktivist group, the attack included no ransom demand – eliminating the possibility of resolution through negotiation. The attack wiped tens of thousands of internal devices and paralysed the organisation’s manufacturing and shipping operations across dozens of countries.
Businesses facing the greatest threat are those with a tangible link to conflict (e.g. state munitions or technology suppliers), or whose operations support critical national industries – as the example of Stryker demonstrates. However, any organisation can be targeted, particularly where attackers lack a financial interest. Nor are direct attacks the only source of loss – businesses may also be exposed to a third-party cyber-attack, such as where a successful ransom attack forces a critical supplier to bring its operations to a halt.
Understanding the cyber-war exclusion
The scale of potential losses arising from a war-linked cyber-attack are catastrophic, and as such are typically excluded under cyber policies. For the most part, this includes undeclared war and/or war-like action. However, when handling claims under these exclusions, it is insurers who bear the burden of proof; to deny the claim, they must actively demonstrate that the attack was carried out as part of war, or that a state actor or state-sponsored group conducted the attack and that the attack in question carried a ‘major detrimental impact’ on the functioning of a state – either due to the disruption of essential services, or the state’s security or defence.
Lloyd’s Market Association (LMA) clauses provide examples of services which may qualify as essential, such as financial market infrastructure, health services, or utilities. But this list is not exhaustive. For attacks on other core services – such as transportation or telecommunications networks – whether an exclusion is triggered will be subject to interpretation, with the outcome depending on the insurer’s analysis of the specific attack in question. As such, these exclusions are inherently difficult to invoke.
Not all cyber-related losses manifest through digital disruption. Hackers may use digital entry points to disable physical infrastructure such as power grids, water treatment plants, and transportation networks. In June 2022, a major cyber-attack attributed to the Israel-linked hacking group Predatory Sparrow (Gonjeshke Darande) successfully sabotaged major Iranian steel mills. The hackers forced the machines to malfunction, resulting in a severe fire and causing molten steel and sparks to spew across the factory floor. Once again, such physical damage is typically excluded from traditional property and liability policies, leaving a critical gap when systems fail due to a digital cause. Modern affirmative cyber physical damage policies can bridge this gap.
KEY COVERAGES
Cyber Liability Insurance
A tailored risk management solution that protects businesses against the financial losses, legal liabilities, and operational disruptions caused by cyber-attacks and data breaches.
Cyber-Physical Damage Insurance
Protects businesses against physical asset destruction, bodily injury, or environmental harm caused by a digital hack or cyber-attack. Available either as a standalone or as an extension to an existing cyber policy.