Serena France-Hayhurst
UK Cyber Placement Leader, Cyber Risk
United Kingdom
In today’s interconnected world, geopolitical threats, cyber risks, and supply chain vulnerabilities are increasingly intertwined. When geopolitical tensions rise, many companies and industries may face new or increased exposures as cyberattacks have become part of the adversarial toolkits of nation-states. At the same time, supply chains can become particular targets, which is especially problematic for organisations that do not fully understand their supply chain vulnerabilities.
Cyber risk is an enterprise risk, with implications and responsibilities beyond the digital realm and the information security team, whether related to geopolitics or other issues. To effectively manage it, companies require a comprehensive, strategic approach that includes evaluating supply chain liabilities, evaluating risk exposure across their organisations, strengthening cyber incident management plans, and securing appropriate insurance coverage.
Nation-state cyberattacks are closely connected to diplomatic relations between countries. As geopolitical tensions intensify, the risk of cyberattacks escalates.
Among the motives of threat groups are accessing sensitive information for geopolitical advantage or causing disruption, whether by cutting fibre optic cables or spreading disinformation. Sometimes, nation-state threat actors may lie dormant inside a network or IT system, ready to “flick the switch on” at a given time, or simply to conduct espionage and continue gathering information. Some state actors carry out cyberattacks for financial gain.
However, not all geopolitically motivated cyberattacks fall into the “hack” category. It is now generally accepted that an element of geopolitical instability is the use of digital means by nation-states to undermine democratic and economic effectiveness. For example, bots are used across social media to reinforce one narrative over another. The Council of Europe, the UK government, US senators, and others have alleged election interference by foreign states.
Additionally, intellectual property theft can be used to disrupt industries within one nation while accelerating the growth of those same industries in another. For example, an engineer was charged with stealing self-driving car technology for another state, while hackers reportedly stole secrets from a Dutch chip company and designs from a car manufacturer.
A particular higher-risk area is countries experiencing extended periods of political polarisation, where the attitudes and opinions of a population become divided into opposing groups. As a result, these countries are less able to execute effective long-term economic and social policies, so adversaries may adopt a cyber strategy to contribute to such problems.
State-sponsored hackers use various methods to gain entry into an organisation’s IT systems, including exploiting known vulnerabilities in unpatched or outdated software and accessing email and other accounts and devices through weak or compromised passwords. Once inside, they may deploy ransomware to encrypt, steal, and leak sensitive information.
In some state-sponsored cyberattacks, it's easy to see when systems are affected. However, when attackers tamper with operational technology, such as machinery or control systems, the effects are not always immediately obvious. This can cause hidden issues with service quality and equipment, potentially leading to more serious and hard-to-detect problems.
Because cyberattacks are a common way for countries to act on their discontent with another government, high-profile businesses may become targets. This is partly because certain brands are linked in people's minds to their country of origin and the values they represent.
Also, critical national infrastructure — including financial institutions, healthcare organisations, utilities, and telecommunications — may be more vulnerable to cyberattacks during periods of heightened geopolitical unrest. For example, threat actors infiltrated critical infrastructure systems in the US from 2023 to 2024, in some cases remaining dormant within utilities, possibly positioning themselves to respond to a future event. Defence and semiconductor companies and official intelligence organisations are also at significant risk of infiltration by state-sponsored threat actors.
However, this is not to state that those territories or higher-risk industries are the sole targets — any entity could become a target of opportunity for state-sponsored cyber activity.
Recent geopolitical shifts, such as a changing trade landscape shaped by tariffs, sanctions, and conflict-driven export controls, are putting historical trade flows, policy frameworks, and supply chains under considerable strain. This prompts companies to switch providers, which can in turn introduce new political, trade credit, and cyber risks.
Many companies manage multiple interconnected supply chains; among them, those for production and technology can be especially critical. As such, companies should treat suppliers of the technology stack (the programming languages, frameworks, tools, and libraries used to develop and maintain a software application or system) with the same diligence as they do for the suppliers of the components of their end product.
They should understand who their providers are, assess their resilience strategies — including their cybersecurity controls — and establish a defined response plan in the event they experience a cyber event. It is appropriate to discontinue partnerships with suppliers with poor cyber controls and to include wording on contracts that outlines the expectations regarding these controls. It may also be worth investing in simplifying the technology stack to reduce dependencies wherever possible.
In addition to fully understanding their supply chain risk, companies should assess their core cyber risk in relation to geopolitics. They may benefit by establishing a capability to monitor geopolitical developments and assess their potential impact on the business, including areas such as supply chains, cybersecurity, and legal and regulatory compliance. Engaging in high-level scenario planning can establish a coordinated approach to managing geopolitical risks.
A thorough simulation of cyberattacks that could result from geopolitical challenges can help uncover possible vulnerabilities, including potential impacts on your supply chain.
Annual tabletop exercises are valuable, but they provide the most benefit when run as live, role-play exercises that involve all key roles. Exercises conducted under pressure are more informative than desktop exercises that do not involve all relevant stakeholders. Ultimately, the goal is to ensure these exercises are comprehensive and realistic enough to effectively evaluate resilience and response capabilities.
In response to state-sponsored activity, companies should also prioritise implementing Marsh’s 12 key cybersecurity controls, which include measures to reduce external vulnerabilities, such as those related to network edge devices and Internet of Things (IoT)-connected appliances. Companies should avoid connecting control systems directly to the public internet and use strong, unique passwords for each account. They can also buy endpoint detection and response tools to continuously monitor, detect, and respond to threats on endpoints — such as laptops, desktops, servers, and mobile devices. Additionally, addressing any vulnerabilities in their supply chains and among third parties is essential.
Given that 90% of all claims involve human interaction, it is equally important to conduct frequent reviews of internal governance and training, alongside the continual hardening of external-facing endpoints.
Nation-state cyber activity is within the scope of what insurers have assessed and have appetite for, making it likely that companies can obtain coverage for this risk. However, in the context of sovereign state versus sovereign state conflicts, insureds must carefully consider, especially at renewal, how geopolitical tensions could impact their business and whether their current coverage is sufficient to address these risks. In times of rising geopolitical tensions, cyber events may become more frequent and severe. Companies should plan accordingly and consider whether they require excess cover, such as that available through Marsh’s Cyber ECHO facility.
Generally, cyber policies are not designed to cover incidents resulting from war. However, coverage will depend on the specifics of a cyberattack, policy wording, and whether a war exclusion is triggered. While a state actor may be backed by a government, their cyberattack may not necessarily be classified as an act of war.
Furthermore, cyber risk is increasingly recognised as a directors and officers (D&O) liability issue. If risk managers haven't conducted thorough due diligence to identify their specific risks and assess whether they are purchasing sufficient coverage, their companies may be underinsured. This could then pose a risk to direct D&O claims if allegations of negligence or breach of duty arise.
Marsh provides guidance and tailored solutions to help clients accurately assess and manage their cyber risk and other exposures.
Marsh’s dedicated cyber team offers a comprehensive suite of services beyond traditional insurance. We help organisations understand the cyber risk landscape through detailed assessments, identify vulnerabilities, and develop mitigation strategies. Our experts support you in designing robust incident response plans, conducting realistic tabletop exercises, and implementing best practices to strengthen your cyber defences.
In addition to providing guidance on cybersecurity controls, we recognise that the human risk element remains. To give a comprehensive view of your cyber posture and enable data-based, targeted mitigation strategies, we have developed, in conjunction with Mercer, a tool that provides insight into the human risk of your organisation ahead of any loss.
Relevant coverages may include cyber insurance, trade credit insurance, political risk insurance, or alternative risk transfer options.
To help understand your supply chain risks, Marsh’s Sentrisk™ tool provides you with unparalleled visibility into your supply chain, helping uncover “hidden” risks.
Marsh Advisory's Cyber Risk Consulting Solutions team addresses the essential elements of cybersecurity, from strategy, governance, and enterprise risk management to controls architecture, implementation, and management.
We can help you assess your current exposure, develop tailored response plans, and review your insurance coverage to ensure you are prepared for today’s evolving geopolitical and cyber landscape.
24/02/2025