
- Geopolitics shows up in cyber through state-backed operations, spillover from regional conflicts, and mass-exploitation of widely used tech. Most incidents you face will still be “ordinary” crimeware—but wording around state operations and systemic events matters at renewal. (Lloyd’s; DAC Beachcroft)
- Since 2024, NIST CSF 2.0 and the SEC cyber disclosure rules have raised the bar on governance and incident transparency—insurers increasingly expect alignment. (NIST Computer Security Resource Center; NIST; SEC)
- The 2025 Verizon DBIR highlights more breaches with third-party involvement and surges in vulnerability exploitation—exactly the patterns that turn geo-tension into business risk. (Verizon; Security Today)
Why geopolitics matters even if you’re not a target
Recent conflicts show cyber can create regional events with global blast radius—for example, the Viasat KA-SAT satellite attack, timed to the start of Russia’s invasion, disrupted service across parts of Europe and Ukraine and was formally attributed to Russia by the EU and allies. Spillover like this can affect bystanders far from the front line. (Consilium; Viasat.com)
It’s not just Russia–Ukraine. In 2023–2025, governments warned about PRC state-sponsored actors burrowing into critical infrastructure for pre-positioning (“living off the land”) and persistence, and Iran-aligned actors targeting water utilities’ industrial controllers—both with potential to affect ordinary businesses via suppliers and shared platforms. (CISA; Internet Crime Complaint Center)
Meanwhile, mass-exploitation of popular software (e.g., MOVEit Transfer in 2023) showed how one vulnerability can ripple across thousands of organizations and agencies—no geopolitics required for the impact to be “systemic.” (CISA; Axios)
The 2025 risk picture in one page
- Third-party concentration risk is rising. DBIR 2025 commentary notes increased third-party involvement and vulnerability exploitation—both amplify spillover when tensions rise. (Security Today; Verizon)
- Governance expectations hardened. NIST CSF 2.0 adds a Govern function; the SEC requires timely disclosure of material incidents and governance detail—norms many private firms adopt to satisfy investors, partners, and insurers. (NIST; SEC)
- Allies keep publishing attributions/advisories. Joint bulletins from CISA/NCSC and EU statements on state activity provide the “competent authority” context that some policies reference. (CISA; Consilium)
What this means for your insurance
1) State-backed cyber operations (aka “cyber war”) language
Lloyd’s required clearer state-backed cyber-attack wording (Bulletin Y5381), and the LMA released model war/cyber operation clauses (LMA5564–5567 A/B). There is no single universal clause—details differ on attribution triggers, “widespread” definitions, and carvebacks for collateral damage. Ask your broker which form/version you have. (Lloyd’s; DAC Beachcroft)
Red flags to watch for: vague “widespread” triggers; overly broad “state-backed” definitions; attribution that treats any statement as dispositive.
Good signs: clear definitions; attribution via a credible competent authority (with room for contrary evidence); carvebacks preserving cover for uninvolved bystanders. (DAC Beachcroft)
2) Systemic/vendor events
Policies vary on contingent business interruption, dependent system failure, data restoration for supplier outages, and any aggregation/sub-limits triggered by systemic incidents. The MOVEit wave is a useful mental model for what “systemic” can look like in practice. (CISA)
3) Governance & disclosure readiness
Public companies must disclose material cyber incidents within four business days and describe risk management and board oversight; even private companies are getting asked for CSF 2.0 alignment, playbooks, and tabletop evidence during underwriting. (SEC; NIST)
What underwriters will expect in 2025 (and what actually reduces loss)
- Identity hardening: phishing-resistant MFA for admins/users; privileged access management; break-glass controls. (Widely cited in joint gov’t advisories as key mitigations.) (CISA)
- Rapid patching of internet-facing tech: treat newly exploited vulns like MOVEit-class events; maintain an emergency patch/runbook. (CISA)
- Third-party risk discipline: inventory critical SaaS and suppliers; require SSO/MFA, logs, and incident SLAs; pre-approve IR vendors. (Regulatory focus is intensifying.) (Reuters)
- Detection & response: EDR with monitored alerting; tested tabletop exercises for vendor compromise and wiper-style scenarios. (CISA/NCSC guidance emphasizes readiness.) (CISA)
- Framework alignment: map controls to NIST CSF 2.0; use the Govern function to codify roles, risk appetite, and board oversight. (NIST)
10 questions to take to your broker/carrier
- Which state-backed/cyber operation exclusion is on our policy (form and A/B version)? How does attribution work? (DAC Beachcroft)
- Are there carvebacks if we’re collateral damage rather than an intended target? (DAC Beachcroft)
- How do you treat dependent/contingent business interruption from cloud/SaaS outages? Any aggregation sub-limits? (CISA)
- Are OT/ICS incidents (e.g., PLCs) covered, and under what conditions? (CISA)
- Do we have restoration and data-reconstruction cover if wiper-style malware hits us or a key vendor? (CISA)
- What evidence of CSF 2.0 alignment and tabletop exercises will you ask for at renewal? (NIST)
- Which incident reporting and regulatory costs are in-scope if we must disclose under SEC rules? (SEC)
- Are retentions or sublimits different when a systemic event is declared? (CISA)
- Do we have pre-approved IR, forensics, and legal panels that match our tech stack and sector? (Reuters)
- What’s the process to adjust coverage mid-term if a key supplier’s risk changes?
Practical checklist (save this)
- Enforce SSO + MFA everywhere (especially for admins, vendors, and remote access). (CISA)
- Track and patch externally exposed services weekly; treat “actively exploited” CVEs as same-day. (CISA)
- Maintain a critical vendor register with contacts, logs available, BCP/IR docs, and contract SLAs. (Reuters)
- Run two tabletops/year: one for vendor compromise (MOVEit-style), one for state-scale disruption (e.g., loss of comms). (Consilium)
- Map policies and processes to NIST CSF 2.0 (use the new Govern function to clarify roles and reporting). (NIST)
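As an added illustration of the patching cadence in the checklist (not part of the original article), this Python triage takes a constructed inventory of externally exposed services and a constructed set of actively exploited CVE identifiers (placeholder values, not the real CISA KEV catalog) and computes same-day versus weekly patch deadlines, returning what is overdue with exploited items first. Service names and vendors are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed placeholder set standing in for an "actively exploited" feed
# (e.g. CISA's KEV catalog). These are not real CVE IDs.
ACTIVELY_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}


@dataclass
class ExposedService:
    name: str
    vendor: str
    open_cves: list[str]   # unpatched CVEs reported on this service
    found_on: date         # date the external scan reported them


# Constructed sample inventory (hypothetical names and vendors).
INVENTORY = [
    ExposedService("mft-gateway", "VendorA", ["CVE-0000-0001"], date(2025, 1, 6)),
    ExposedService("vpn-edge", "VendorB", ["CVE-0000-0002"], date(2025, 1, 6)),
    ExposedService("web-portal", "VendorC", [], date(2025, 1, 6)),
]


def patch_deadline(svc: ExposedService, exploited=ACTIVELY_EXPLOITED):
    """Same-day deadline if any open CVE is actively exploited, otherwise the
    weekly cycle from the checklist; None when nothing is open."""
    if not svc.open_cves:
        return None
    if any(cve in exploited for cve in svc.open_cves):
        return svc.found_on
    return svc.found_on + timedelta(days=7)


def overdue(inventory, today: date, exploited=ACTIVELY_EXPLOITED):
    """Return (name, vendor, deadline, exploited?) rows for services past
    their deadline, actively exploited ones first so they top the runbook."""
    rows = []
    for svc in inventory:
        due = patch_deadline(svc, exploited)
        if due is not None and today > due:
            hot = any(cve in exploited for cve in svc.open_cves)
            rows.append((svc.name, svc.vendor, due.isoformat(), hot))
    return sorted(rows, key=lambda r: (not r[3], r[2]))


if __name__ == "__main__":
    for row in overdue(INVENTORY, date(2025, 1, 14)):
        print(row)
```

Feed the real scan output and the current exploited-vulnerability feed into the same two functions to produce the weekly list and the same-day escalation list.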
FAQs
Are state-linked attacks automatically excluded?
No. Modern policies use more precise language and often require specific triggers or credible attribution. Knowing your exact clause/version is key. (DAC Beachcroft)
Does this only matter if we operate in conflict zones?
No. Spillover and supplier-side impacts (e.g., satellite, telecom, cloud, MFT tools) have crossed borders in recent events. (Consilium; CISA)
We’re private—do SEC rules still affect us?
Directly, no. Indirectly, yes: customers, partners, and carriers are benchmarking governance against those disclosure standards. (SEC)
References & further reading
- EU attribution of the Viasat KA-SAT attack to Russia, and the vendor’s incident overview. (Consilium; Viasat.com)
- Joint government advisories on Russia, PRC “living off the land,” and Iran-aligned OT targeting. (CISA)
- NIST CSF 2.0 official materials and news. (NIST Computer Security Resource Center; NIST)
- SEC Final Rule on cyber disclosures. (SEC)
- Verizon DBIR 2025 landing page and summaries of key trends. (Verizon; Security Today)
- MOVEit 2023 joint advisory and coverage. (CISA; Axios)
- Lloyd’s Y5381 and LMA model clause coverage. (Lloyd’s; DAC Beachcroft)