Operation Epic Fury raises stakes for cyber insurers watching Iran

US and Israeli military strikes against Iran on February 28 have heightened the risk of a retaliatory cyberattack, analytics firm CyberCube has warned, as cyber insurers face growing pressure to reassess portfolio exposures tied to Tehran’s state-aligned hacking apparatus.

No confirmed cyberattack by Iran or its proxies has been linked to the strikes, designated Operation Epic Fury, but CyberCube said the threat could come through direct state action or deniable fronts – and urged carriers to move beyond routine monitoring toward a proactive footing across underwriting and exposure management.

The warning carries weight given Iran’s track record. After the US killing of Qasem Soleimani in January 2020, Cloudflare reported that Iran-based attempts to hack US government websites surged 50%, while the FBI warned of potential retaliatory network operations.

Researchers at West Point’s Combating Terrorism Center later noted that Iran’s response at the time stopped short of destructive attacks, amounting to website defacements, phishing, and probing.

A more volatile backdrop

This time, the backdrop is more volatile. CSIS noted that Iranian internet connectivity fell by at least 46% during Operation Epic Fury, pointing to significant cyber operations already under way.

Palo Alto Networks’ Unit 42 has since tracked a spike in hacktivist activity, estimating some 60 groups were active as of early March, with multiple Iran-aligned personas claiming responsibility for disruptive operations.

CyberCube’s analysis of roughly 1,000 large US companies found that 12% of firms with revenues above $1 billion across seven critical industries face the highest likelihood of being targeted by three Iranian state-aligned groups: APT33, MuddyWater, and Fox Kitten.

Of the 975 firms assessed, 119 were classified as high risk, with concentrations in healthcare and energy.

The loss calculus

No Iranian cyberattack has breached market-wide catastrophe thresholds to date, but precedents from other state-linked incidents illustrate the scale of potential exposure. The 2017 NotPetya attack, attributed to Russia, inflicted more than $10 billion in global damages.

Merck alone absorbed $1.4 billion in losses, ultimately settling its insurance claim in early 2024 after New Jersey courts ruled that standard war exclusions did not apply, as Cybersecurity Dive reported at the time.

The global cyber insurance market now stands at roughly $16.66 billion in premiums, NAIC data shows. An Iranian retaliatory strike tied directly to a military operation would test Lloyd’s state-backed cyberattack exclusions, mandated since March 2023.

CyberCube called on insurers to deploy threat-intelligence-informed analytics to flag high-risk portfolio companies and fold them into stress-testing exercises.