By Kyle Sawdey | Chief Revenue Officer & EVP of Underwriting | Updated April 2026
The conflict with Iran has been a reminder for businesses across the United States of the potential cyber risk threats. Over the past several weeks, I posted on LinkedIn about the uptick in questions I’ve been fielding from policyholders, brokers, and MSPs asking the same thing: could the Iranian conflict trigger a cyber insurance claim, and if it does, is there actually coverage? The war exclusion is one of the most misunderstood clauses in any cyber policy. And right now, in the middle of an active, escalating conflict with a nation-state adversary that has explicitly targeted U.S. critical infrastructure, misunderstanding it could be costly.
The Threat Is Real, It’s Here, and It’s Escalating
First, the facts on the ground.
Since at least March 2026, Iranian-affiliated advanced persistent threat (APT) groups have been conducting active exploitation campaigns against U.S. critical infrastructure, disrupting programmable logic controllers (PLCs) at water and wastewater facilities, energy plants, and local government systems across the country. The FBI, CISA, NSA, EPA, the Department of Energy, and U.S. Cyber Command jointly issued an urgent advisory on April 7, 2026 warning private-sector organizations that these campaigns have already caused operational disruptions and financial losses for victims.
This isn’t a warning about what could happen. It’s a warning about what is happening.
Iran’s cyber playbook has been aggressive and evolving for over a decade. From disabling U.S. financial websites in the early 2010s, to erasing data from the Las Vegas Sands Casino in 2014, to targeting U.S. municipalities with ransomware that caused tens of millions in damages, Tehran has consistently used cyberspace as an asymmetric battlefield. While Iranian missiles cannot hit the U.S. homeland, Iranian hackers can, and they have.
What makes the current environment particularly dangerous is the nature of the targeting. Iranian-affiliated actors are not simply conducting espionage or credential harvesting. They are going after operational technology, the industrial control systems and PLCs that manage physical processes. Compromising these systems doesn’t just take down a website. It forces facilities to operate manually. It disrupts industrial processes. It creates potential physical safety risks. And it causes direct, measurable financial losses.
The threat is not contained to critical infrastructure. Pro-Iranian actors have targeted North American medical device companies, U.S. financial institutions, and technology firms. If you run a business that touches any of these sectors, or if you’re an MSP servicing clients who do, this conflict is relevant to your risk profile today.
The War Exclusion: Why Everyone Gets It Wrong
Did you know? The original war exclusion in cyber insurance policies is based on the Spanish Civil War from 1936 to 1939. Yes, you read that right. No wonder the market was busy over the last few years updating those clauses. But with those updates came many different conversations, disagreements, and ultimately competing versions.
Here is what I hear most often when this topic comes up: “If this is state-sponsored, my cyber policy won’t cover it because of the war exclusion.”
That statement is both understandable and, in most cases, incorrect. The war exclusion is not a blanket prohibition on coverage for nation-state activity. Understanding what it actually says, and what it doesn’t, is one of the most important things a policyholder, broker, or MSP can do right now.
The confusion stems from the fact that “war exclusion” is a single phrase that describes at least a dozen meaningfully different contractual clauses, each with different trigger conditions, different carve-backs, and different legal implications. The exclusion language that might be in your cyber policy is likely very different from what you’d find in a property policy, and even within cyber, the language varies enormously from carrier to carrier and tower to tower.
The Practical Reality for Policyholders Today
So what does all of this mean for someone with a cyber policy right now, given what’s happening with Iran?
Most attacks targeting individual organizations will be covered. If an Iranian-linked actor compromises your network, exfiltrates data, deploys ransomware, or causes a business interruption, in the vast majority of cases your cyber policy will respond. The war exclusion as written in most modern policies is not triggered by targeted attacks against private sector organizations, even when those attacks are linked to state-sponsored threat actors.
Coverage is most uncertain at the systemic level. The scenarios where the war exclusion becomes genuinely threatening are ones involving cascading, infrastructure-level disruptions that can be plausibly argued to constitute a “major detrimental impact” on a state’s essential services. These are the tail-risk scenarios that keep underwriters up at night, not a ransomware attack on a regional MSP’s clients.
Your policy language matters enormously. There are many different war exclusions out there, and it’s important to consult your broker and carrier for clarity. Some still use older “hostile or warlike action” language that leaves far more room for interpretive dispute. Others use proprietary wordings that may be more or less favorable than the Lloyd’s Market Association (LMA) standard. If you don’t know exactly what war exclusion language is in your policy, now is the time to find out.
Tower non-concurrency is a real risk. Many sophisticated buyers purchase cyber coverage in layered towers, with primary, excess, and umbrella markets stacked on top of each other. One of the most persistent problems in the current market is that different layers may carry meaningfully different war exclusion language. Your primary carrier might use one version while an excess carrier uses an older, broader exclusion. When a claim hits, that non-concurrency can create coverage gaps that no one anticipated at binding. Seek consistency if you are a tower buyer.
What MSPs and Technology Companies Need to Pay Attention To
If you’re an MSP or technology company, the current environment raises a specific set of concerns that your insurance program needs to address.
First, your clients are targets. The Iranian threat actors currently active are not just going after Fortune 500 corporations. They are opportunistically scanning for internet-facing OT devices, exploiting known vulnerabilities, and targeting organizations with weak security configurations across industries including local government, utilities, healthcare, and manufacturing, precisely the verticals that many MSPs serve.
Second, your potential liability as a service provider is real. If a client suffers a cyberattack that passes through your managed environment, your Technology Errors and Omissions (Tech E&O) exposure may be directly implicated, regardless of whether the attack was state-sponsored. The war exclusion debate is primarily about cyber first-party coverage. Your Tech E&O exposure for client losses is a separate and potentially more acute concern.
The Bottom Line
The conflict with Iran has turned the war exclusion from a theoretical policy concern into an active coverage question that every policyholder, broker, and MSP should be prepared to answer.
The good news: for most businesses, most attacks, even those linked to Iranian state-sponsored threat actors, will fall within the coverage provided by a well-structured modern cyber policy. Most war exclusions are designed to address scenarios of systemic events, not targeted attacks against individual organizations.
The bad news: the market is not uniform. Policy language varies. Tower non-concurrency is common. Attribution is complex. And the threat environment is moving faster than most organizations’ insurance review cycles.
The right time to understand your war exclusion language was before the conflict escalated. The second best time is now.
If you’re a broker with clients asking these questions, or an MSP trying to understand where your coverage stands, reach out. This is exactly the kind of nuanced, real-world underwriting conversation that we have every day at SeedPod Cyber, and it’s a conversation worth having before a claim forces the issue.