Conflict-driven cyber risks: The GC’s role
As geopolitical conflict reshapes the cyber threat landscape, general counsel are being pushed to the front line — navigating disruption, regulatory scrutiny and rising pressure to protect operations, data and supply chains.
The Middle East has seen heightened cybersecurity risk over the last few months, with threat actors targeting both governments and companies across the region and beyond. Governments and cybersecurity firms continue to call for vigilance, particularly for companies active in the Middle East; those with sovereign state investors; companies providing critical infrastructure, energy, utilities, logistics, transportation, financial services, defense, and aerospace-related services; and those with exposed supply chains.
Stakeholders in these critical industries face ongoing risk of malicious cyber activity, including operational disruption and data exfiltration. In turn, general counsel may wish to proactively consider cyber risk mitigation and preparedness measures, including those proposed below.
HEIGHTENED IRAN-LINKED CYBER THREATS
Government agencies and private cybersecurity firms continue to warn the public that the conflict in the Middle East brings enhanced cybersecurity threats. Notably, the United States’ Cybersecurity and Infrastructure Security Agency[1] (CISA), Federal Bureau of Investigation[2] (FBI), US Department of Defense Cyber Crime Center (DC3), and National Security Agency (NSA) have previously warned that Iranian state-sponsored threat actors or affiliated threat actors are actively targeting US critical infrastructure.
The United Kingdom’s National Cyber Security Centre (NCSC) recently warned businesses[3], particularly companies with operations, offices, or supply chains in the region, to review and strengthen their cybersecurity defenses. On April 7, 2026, the FBI, CISA, NSA, and other federal agencies issued a joint advisory[4] warning that Iranian-affiliated cyber actors are actively targeting U.S. critical infrastructure sectors, including water and wastewater systems, energy, and government facilities. As such, companies with heightened exposure include those active in energy and oil infrastructure, aviation and transportation, logistics, financial services, telecommunications and IT service providers, and defense and national security assets. As is evident from recent threat actor activity,[5] companies with supply chain links or other critical infrastructure in or involving the Middle East may also be impacted through exploitation of supply chain vulnerabilities.
Since the start of the conflict, at least one US-headquartered medical device company is known to have been compromised by Iranian state-sponsored threat actors. Additionally, on March 12, 2026, Polish authorities reported[6] they recently detected and blocked an attempted cyberattack targeting Poland’s National Centre for Nuclear Research. According to Digital Minister Krzysztof Gawkowski,[7] preliminary indicators suggest the cyberattack may be linked to Iran. Together, these incidents highlight the expanding geographic reach and scope, including private and public sector entities, of Iran-linked cyber activity.
Government authorities in the United States and Europe anticipate that cyberattacks are likely to remain elevated over the coming weeks and are encouraging companies to prepare accordingly. For example, the NCSC recommends preparing for potential distributed denial-of-service (DDoS) attacks, phishing campaigns, system disruptions, and account compromises. Unit 42, a cybersecurity intelligence firm, also warns against[8] vulnerability exploitation, AI-enhanced spear-phishing, and website defacement. Likewise, Mandiant advises organisations[9] using Microsoft Intune, a cloud-based endpoint management service, to reassess Intune access permissions, warning that attackers could exploit privileged access to launch destructive cyberattacks, including remote wipe commands, against company-managed devices such as laptops or phones. In the April 7 joint advisory, U.S. federal agencies warn that cyber actors are actively exploiting internet-facing programmable logic controllers (PLCs)—types of devices that allow for digital control and monitoring of industrial equipment—across several U.S. critical infrastructure sectors, “resulting in operational disruption and financial loss.” These agencies recommend, among other measures, that organisations disconnect PLCs from the public-facing internet to reduce exposure.
WHAT SHOULD GENERAL COUNSEL DO?
General counsel may wish to consider the following steps:
- Consider cyber hardening measures and work with information security teams
- Assess direct and indirect risks, including supply chain relationships, for example, those with access to sensitive data or critical systems
- Identify any internet-facing PLCs and remove direct exposure to the public internet, where possible
- Work with their security and IT departments to strengthen monitoring and alerts for suspicious activity, particularly for VPN gateways, internet-facing systems, and supply chain relationships
- Facilitate the offering of enhanced employee training regarding phishing and malware delivery
- Harden Active Directory; enforce multi-factor authentication across all managed devices and accounts, reduce token session lifetimes, revisit administrative privileges, modify conditional access policies, and prioritise patching for critical systems
- Confirm that backups are immutable and up to date
- Implement geographic IP blocking where appropriate
- Test incident and operational resilience protocols:
  - Confirm that incident response plans are up to date
  - Confirm that contact details for relevant stakeholders, including IT, legal, communications, outside counsel, and external vendors, are up to date and accessible offline via out-of-band communication platforms
  - Conduct realistic tabletop exercises for senior management that simulate state-sponsored attacks, malware, DDoS, and operational disruption scenarios and test recovery protocols and timelines
  - Review potential board, investor, employee, contractual, regulatory, insurance carrier, and law enforcement notification scenarios
  - Review legal professional privilege considerations in the context of multi-jurisdictional incidents
  - Consider the company’s policy towards ransom payments, including with the overhang of global sanctions and anti-money laundering laws
- Review cyber risk insurance:
  - Consider incident-notification procedures for insurance carriers
  - Assess whether policies exclude coverage for war or state-linked events, and as such, be mindful of incorrect assessments of threat actor identity
  - Clarify coverage for business interruption and supply chain disruptions
- Monitor threat intelligence:
  - Ensure the company is monitoring and evaluating real-time industry guidance and threat intelligence to stay ahead of evolving risks and specific tactics, techniques, and procedures utilised by Iranian state-sponsored threat actors
  - Where appropriate, coordinate with government authorities and national cyber authorities
  - Provide regular updates to senior management and/or the board regarding evolving cyber and geopolitical risk
It is critical that companies based or active in the Middle East; sovereign state investors; companies and government entities providing critical infrastructure, energy, utilities, logistics, transportation, financial services, defense, and aerospace-related services; and those with exposed supply chains understand and continue to anticipate the potential cyber risks associated with the ongoing conflict. General counsel play a central role in guiding proactive organisational preparedness and should consider the steps above when overseeing these efforts.
Text by:

- Vishnu Shankar, partner, Morgan, Lewis & Bockius LLP (London/Brussels)
- Gregory Parks, partner, Morgan, Lewis & Bockius LLP (Philadelphia)
- Ezra Church, partner, Morgan, Lewis & Bockius LLP (Philadelphia)
- Heather Egan, partner, Morgan, Lewis & Bockius LLP (Boston)
- Arriana Sajjad, associate, Morgan, Lewis & Bockius LLP (Washington, DC)
Footnotes:
[1] https://www.cisa.gov/resources-tools/resources/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-interest?utm_source=chatgpt.com
[2] https://www.fbi.gov/file-repository/cyber-alerts/iranian-cyber-actors-may-target-vulnerable-us-networks-and-entities-of-interest-063025.pdf/view?utm_source=chatgpt.com
[3] https://www.ncsc.gov.uk/news/ncsc-advises-uk-organisations-take-action-following-conflict-in-middle-east
[4] https://www.ic3.gov/CSA/2026/260407.pdf
[5] https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
[6] https://www.ncbj.gov.pl/aktualnosci/udaremnienie-cyberataku-na-narodowe-centrum-badan-jadrowych
[7] https://www.politico.eu/article/poland-investigates-iran-links-as-hackers-target-nuclear-facility/
[8] https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
[9] https://cloud.google.com/blog/topics/threat-intelligence/preparation-hardening-destructive-attacks