Reading time: 8 minutes
Listening time: 8 mins

Welcome to Your Pride's Friday Five / Eight

Every Friday the team rips through 200+ insurance, legal, and cyber-risk articles into three signals your board can act on Monday morning.

The news that caught our attention this week:

• Trellix published a comprehensive intelligence assessment of Iran's active cyber threat groups. MuddyWater infiltrated a financial institution in Egypt in November. CyberAv3ngers built custom malware for fuel management systems. Financial institutions are explicitly on the target list, and the conflict just raised the stakes.
• The US-Israeli military campaign is repricing carrier economics through three channels most boards haven't connected yet: reinsurance, social inflation, and cyber. We break down what the war 7,000 miles away means for the mutual in Ohio.
• President Trump signed an executive order framing cybercrime gangs as transnational criminal organizations. But the 120-day action plan timeline means carriers are exposed now with federal coordination still forming and CISA's director seat empty.

Three events we think deserve a quick rundown…First, If you'd rather listen check out the audio version.

Right now, Iran's Cyber Army Is Targeting Financial Institutions

Summary

Trellix's Advanced Research Center published a comprehensive threat intelligence assessment of Iranian cyber capabilities on March 5, one week after the US-Israeli strikes began.

The picture is sobering. Iran's MuddyWater group, active since 2017, shifted from commodity remote management tools to purpose-built malware through 2025. The group deployed Rust-based payloads, custom backdoors, and UDP-based implants across an expanding target set that now includes financial institutions, energy companies, defense contractors, and fintech firms. In November 2025, Trellix disrupted a MuddyWater campaign actively targeting a financial institution in Egypt. Separately, CyberAv3ngers, linked to the Islamic Revolutionary Guard Corps, developed IOCONTROL, a custom malware platform built specifically for operational technology environments, and deployed it against fuel management systems in both Israel and the United States.

At least ten distinct Iranian threat groups remain active or recently active, spanning both the IRGC and the Ministry of Intelligence and Security. Several groups showed indicators of AI-assisted malware development and cross-group collaboration. CyberCube found that 12% of large American firms are highly vulnerable to Iran-linked cyber attacks, spanning healthcare, energy, utilities, and financial institutions.

Fitch Ratings warned that state-sponsored groups could target US critical infrastructure in retaliation for the strikes.

(source: Trellix Advanced Research Center, CyberCube, Fitch Ratings)

So what?

Two distinct threat vectors are active. They require different responses.

The first is an IT threat to financial institutions. MuddyWater's primary attack vectors against FI targets are spear-phishing with macro-enabled documents, exploitation of known Exchange and VPN vulnerabilities, and abuse of legitimate remote management tools for persistence. These are specific, defensible attack surfaces. If your security team hasn't cross-referenced your SIEM against the published indicators of compromise for MuddyWater and related Iranian groups, that's the first action item.

The second is an OT threat to critical infrastructure.

CyberAv3ngers' IOCONTROL platform targets fuel management systems, PLCs, and SCADA environments. Carriers writing commercial packages for healthcare systems, energy companies, and infrastructure operators should be assessing which policyholders do. The geopolitical cascade makes both vectors worse.

Assad's fall severed Iran's logistical corridor to Hezbollah.

The Twelve-Day War degraded ballistic missile infrastructure. Maximum Pressure 2.0 tightened economic pressure. The February 2026 strikes targeted senior IRGC and MOIS components. Cyber operations historically intensify when conventional options narrow.

War exclusions are where this becomes a coverage question.

These are policy clauses that allow insurers to deny cyber claims if the attack is linked to a nation-state. There are dozens of approved Lloyd's war exclusion wordings for cyber alone, built around four LMA model clauses (5567, 5568, 5569, and 5570). They disagree on the attribution standard: some require a government attribution, some require only a reasonable determination, and some give the insurer sole discretion.

If a regional bank on your book gets hit with ransomware traced to an Iranian actor, which standard applies determines whether coverage responds or triggers a multi-year dispute.

This week's action items:

For carrier risk officers and CISOs: Pull your current cyber policy's war exclusion clause. Identify which LMA classification it aligns with (5567–5570). Map where the attribution standard creates ambiguity. Cross-reference your SIEM against published Iranian threat group IOCs. Start with CISA joint advisory AA22-055A (MuddyWater TTPs and detection guidance) and AA23-335A (CyberAv3ngers OT targeting). Both include specific indicators your team can operationalize today. Search cisa.gov/iran for the full advisory index.

For MGA operators: If you bind cyber coverage under delegated authority, confirm with your capacity providers whether war exclusion language has been or will be modified in response to the conflict. Delegated authority programs may have war exclusion language changing underneath you without direct involvement in the negotiation. Your E&O exposure is live: if you bound coverage with a war exclusion you didn't fully understand or communicate to clients, the professional liability chain runs carrier → MGA → retail broker → insured. Founder-led MGAs positioning for exit should expect acquirer diligence to focus on cyber book composition, war exclusion exposure, and incident response capabilities in the current environment.

For board and risk committee members: Ask management one question: if a state-sponsored cyber attack hit one of our insured institutions tomorrow, walk me through the claims process — at what point does the war exclusion question arise, who makes the attribution determination, and what is our estimated timeline to resolution?
​
​Want to know how these moves could impact your next corporate liability renewal? We'd be happy to show you the protocols we're advising LION clients to formalize...Let's chat!

One War, Three Channels, Zero Gulf Exposure Required

Summary

A mutual insurer in Ohio doesn't trade with Iran. Its reinsurance costs, social inflation exposure, and cyber risk all just changed anyway.

The US-Israeli military campaign launched February 28 is repricing carrier economics through three channels simultaneously. Start with reinsurance. January 2026 property catastrophe renewals fell 15–20%. Reinsurers expected further declines into 2027. That window is closing. Seven of twelve global P&I clubs cancelled war-risk cover within days of the Strait of Hormuz shutdown. Maritime war-risk premiums surged more than 1,000% in some corridors. Hull war rates jumped tenfold. Global reinsurers are absorbing correlated losses across marine, aviation, energy, and political violence lines at the same time.

Morningstar DBRS warned they will raise attachment points and reduce capacity on treaties unrelated to the Gulf.

The retrocession and ILS markets, roughly $121 billion in combined capacity, need to rebuild risk models before restoring that capacity. The Trump administration created a $20 billion DFC maritime reinsurance facility with Chubb as lead insurer. When the federal government enters the insurance business, the old pricing assumptions are dead.

(sources: Morningstar DBRS, AM Best, industry reporting)

The LION Lens

What happened — Seven of twelve P&I clubs cancelled war-risk cover, maritime premiums surged over 1,000%, and the US government stood up a $20 billion reinsurance facility within days of the Strait of Hormuz shutdown (sources: Morningstar DBRS, industry reporting).

Why it matters — Correlated losses across marine, aviation, energy, and political violence lines are forcing reinsurers to reprice treaties that have nothing to do with the Gulf. The repricing is not uniform. Property catastrophe programs at higher attachment points are seeing different behavior than working-layer casualty or cyber treaties. Carriers with mid-year 2026 treaty renewals face the most immediate pressure; 1/1/2027 renewals will price in a longer view of conflict duration and severity. Both groups need to be modeling conflict scenarios into treaty assumptions now.

Practical implications — Social inflation is compounding the reinsurance pressure through a channel most boards haven't connected. Diesel prices jumped more than 20% since strikes began. Gasoline climbed from $2.98 to $3.48 per gallon in two weeks. Cement, steel, and aluminum are repricing in real time. Every auto, property, and commercial lines claim is quietly getting bigger because the repair cost inputs are moving. AM Best projected a 96.9 combined ratio for 2026 (January 2026 forecast, pre-conflict assumptions). That assumed 4% net premium growth and manageable severity. Both assumptions look strained. For calibration: during the 2022 Russia-Ukraine escalation, comparable energy and materials cost spikes contributed to a personal auto combined ratio of 112.2% and property damage claim severity acceleration of nearly 50% over four years.

Mid-market FIs with smaller security budgets face the same threat actors with fewer defensive resources per dollar of revenue.

So what?

The 2022 Russia-Ukraine playbook applies.

Social inflation spiked, reserve adequacy got questioned, carriers that didn't adjust early paid for it later. The Iran conflict involves a dual-chokepoint crisis affecting a larger share of global energy and trade flows than Russia-Ukraine did.

Then layer in the cyber channel from Article 1. Iranian actors are documented targeting financial institutions. The 48 Lloyd's war exclusion wordings, spread across four LMA model clauses with meaningfully different attribution standards, create ambiguity that could tie up claims for years. Reinsurance, severity, and cyber exposure are converging from one conflict into a single risk event for boards to manage.

For ILS and alternative capital participants, the convergence has a specific operational consequence: if war exclusion disputes delay claims resolution by two to three years, capital backing those programs is trapped pending arbitration with no clarity on ultimate loss.

The correlation assumptions underpinning ILS diversification models (that cyber, property cat, and political violence are independent risk pools) are being stress-tested in real time by a single geopolitical event.

The LION POV

Here's what we expect professional liability underwriters to focus on at your next renewal — and what you can do now to be ready for the conversation:

For carrier leadership: Your professional liability underwriters are going to ask how you've responded to three channels moving simultaneously. Have answers for each one.

• On reinsurance: The pressure on your treaties flows directly into how underwriters price your corporate program. If your reinsurance costs are rising and your combined ratio assumptions are shifting, your D&O and E&O underwriters will want to understand the earnings impact. Know your story before they ask.
• On social inflation: Your claims team should be running a weekly input cost tracker — diesel, steel, lumber, medical — and flagging any claim where repair or settlement costs have moved materially since February. Social inflation compounds quietly. By the time it shows up in the reserve review, you're already behind. Underwriters pricing your program will look at your reserve adequacy as a proxy for management discipline.
• On cyber: Pull your war exclusion clause before your underwriter asks for it. If you haven't mapped it against the LMA classifications in Article 1, that's the gap they'll find at renewal.

If you're adjusting across all three channels simultaneously, brief your AM Best or S&P analyst proactively — don't let them discover it in your next filing.

For MGA operators: Expect underwriters to scrutinize your cyber book composition and war exclusion exposure at renewal. If you write FI or specialty business with cyber sub-limits in commercial packages, the war exclusion exposure in Article 1 and the social inflation described here converge on your book. Confirm your capacity providers' treaty assumptions haven't changed. If they have, your program economics may need to be re-modeled before mid-year.

For board and risk committee members: The question your D&O underwriters will ask at renewal is whether your organization has connected the three channels this conflict activated. The question for your next meeting is likely the same..."have we modeled the connection between reinsurance, social inflation, and cyber, and what is our action plan if the conflict extends past six months?" If your actuary, your reinsurance intermediary, and your CISO haven't been in the same room for this conversation, schedule it.

For ILS and alternative capital: Underwriters providing your fund's D&O and E&O coverage will want to understand how your portfolio's diversification assumptions hold when a single geopolitical event activates marine, aviation, energy, political violence, and cyber lines simultaneously. Assess trapped capital risk on programs with war exclusion exposure. Determine whether the $20B DFC facility is additive capacity that stabilizes your market or displacement that compresses the risk-return you're seeking. If fund economics come under pressure from trapped capital or correlation breakdown, expect heightened investor scrutiny, which elevates your own D&O exposure at renewal.

Market intelligence from live renewals indicates carriers are already tightening cyber manuscript language in response to the conflict, primarily by narrowing attribution windows and broadening the definition of state-sponsored activity to include actors operating with tacit government support below the threshold of armed conflict. Early movers gain positioning advantage before capacity adjusts.

(sources: Morningstar DBRS, AM Best, CyberCube, Fitch Ratings, Canadian Centre for Cyber Security)

Want to review your cyber war exclusion language or model conflict scenarios into your renewal strategy? Contact LION Specialty for a confidential assessment.

Trump's Cybercrime Executive Order: Enforcement Intent, Execution Gap

Summary

President Trump signed an executive order on March 6 directing federal agencies to dismantle cybercriminal organizations.

The order frames cybercrime gangs, including Southeast Asian romance-scam farms and ransomware groups, as transnational criminal organizations. It mandates a 120-day action plan identifying responsible TCOs and developing strategies to disrupt and dismantle them. A new operational cell within the National Coordination Center will coordinate federal detection, disruption, and deterrence efforts. The Attorney General is directed to prioritize prosecutions. The State Department gains tools including sanctions, visa restrictions, and foreign-assistance limits to pressure nations harboring these groups.

CISA is tasked with providing training, technical assistance, and resilience building for state and local governments.

(source: whitehouse.gov)

So what?

The enforcement direction is welcome. The execution timeline creates a gap carriers need to understand.

The 120-day action plan means federal coordination is still forming through mid-summer 2026, precisely when Iranian cyber retaliation risk is elevated. CISA's director nomination remains stalled. Budget and staffing cuts have shifted cyber defense responsibility toward states and municipalities that lack the resources to absorb it.

The EO tasks CISA with SLTT resilience building, but the mandate arrives alongside reduced federal capacity to deliver it.

On the regulatory horizon: NAIC continues to refine its model bulletin on AI and cyber governance expectations for insurers. Several states have active cyber governance rulemaking in process. Treasury and OFAC sanctions enforcement related to the Iran conflict could intersect with cyber incident reporting obligations within the next 12–18 months. Boards should be tracking whether their incident response plans account for the possibility that a cyber event triggers both an insurance claim and a sanctions compliance question simultaneously.

For carriers writing cyber, tech E&O, or commercial packages with cyber sub-limits, the regulatory signal matters: the federal government is treating cybercrime as a national security priority with diplomatic and enforcement tools attached. But the signal is not a shield.

This week's action item: Don't wait for the federal apparatus to catch up. Stress-test your cyber exposure, incident response readiness, and coverage adequacy against the current threat environment — not the one the EO's 120-day plan will eventually address. If your incident response plan depends on CISA resources, confirm what's actually available to you now, not what's been promised.

The Bottom Line

One conflict just repriced three channels simultaneously for carriers with zero Gulf operations. Iranian cyber actors are documented targeting financial institutions while the federal cybersecurity response has a leadership vacancy and a 120-day planning horizon. Reinsurance attachment points are rising. Social inflation is accelerating through energy and materials costs. War exclusion language, spread across 48 Lloyd's-approved wordings with four distinct attribution standards, determines whether your cyber claims respond or enter multi-year dispute.

The carriers who connect these channels at the board level this month will own the conversation when the claims arrive. The ones who wait will be explaining why they didn't see it coming.

In Case You Missed It!

This week's Wednesday Intelligence told the story of a southeastern regional insurer we took over from a mega-broker.

The title says it all: "Our Process Wasn't Complicated. That's the Point. And Why We Won."

A D&O claim exposed every gap in the generalist team's process. Our alternative: Our process we run for all LION clients. Senior team, 150-day timeline, direct client-to-carrier communication. The fix wasn't proprietary. It was disciplined. If you missed it, it's worth the four-minute read or listen.

[Listen here / Read here]
​
​Thank you for reading today's edition!

Want to share this edition via text, email or social media? Simply copy-and-paste the link below:

​http://lionspecialty.ck.page/muddywater-doesn-t-check-your-zip-code-how-the-iran-war-impacts-us-insurance-company-operations

And if this briefing was forwarded to you, subscribe directly here.
​
​Stay Covered Out There Y'all,

TASH & FLIP

Co-Founders and Managing Partners

LION Specialty
​
​P.S. Nothing in this briefing constitutes legal advice. These are the opinions of the founders. It's market intelligence designed to help you ask better questions of your advisors and make sharper decisions at your next insurance renewal.