Q&A: Iran, Escalation Risk, and the Case for Scenario Planning

Regardless of how the conflict between Israel and Iran progresses in the coming days and weeks, banks face heightened uncertainty on multiple fronts, from cyberattacks and energy market shocks to sanctions compliance and geopolitical spillover. Claudine Fry, who leads the global issues team at the Control Risks consultancy, shares what financial institutions should be watching now—and how to prepare for what’s next. (Fry provided her perspectives on June 25. The following has been lightly edited for length and clarity.) 

What are the most significant indirect risks to the financial system that banks should consider given the United States’ involvement in the Israel-Iran conflict? 

Direct U.S. involvement in hostilities in the Middle East between Israel and Iran could generate indirect risks to the financial system if it increased the risk of conflict escalation. An escalation to include persistent and serious attacks on energy infrastructure, and which directly or indirectly disrupts shipping or aviation, would have implications for the value of the U.S. dollar, commodity prices, and could trigger broader market volatility. Uncertainty relating to the status of a ceasefire agreement and the outlook for further hostilities is also going to weigh on markets for months yet. 

How should banks re-evaluate their cyber resilience strategies in light of potential state-sponsored attacks from Iran? 

Control Risks has observed a significant uptick in cyber operations since the initial Israeli strikes on Iran on June 13, and while these have been primarily focused on Israeli organizations, the U.S. strikes on June 22 could prompt an expansion of targeting to include U.S. interests. Assuming the current ceasefire holds, the Iranian state is unlikely to conduct sophisticated operations targeting critical national infrastructure (e.g., wipers, industrial control system, and operational technology attacks against internet-of-things connected terminals). However, less-sophisticated attacks (e.g., DDoS, data leaks, or web defacement attacks) carried out by pro-Iranian actors or proxy groups that can be denied by Iran are likely to target U.S. companies—including banks—that are viewed as having weaker cyber security measures in place than U.S. government targets. 

Banks with a U.S., UK, Canadian, and Northern European footprint, particularly with brands associated with countries in these locations have previously been targeted by Iranian and Iran-linked proxies with low sophistication attacks, with a clear intent to publish attempted and successful attacks for brand impact. Banks should also consider that key third parties—trading, settlement, and other industry specific partners—may  be targeted as a perceived easier target. Banks should prepare for scenarios where they and their partners are disrupted or named by activist or proxy groups and also run resilience tests against technologies that may be targeted by known Iranian threat groups.  

Which energy market disruption scenarios pose the greatest credit risk to banks, and how should institutions prepare? 

Any protracted disruption to the energy market caused by strikes on energy infrastructure in the region impacting exports meaningfully or to shipping—either through targeted attacks on ships or more generalized destabilization of waterways (for example, through the use of sea mines)—should be monitored closely given the potential to impact credit risk by, for example, jeopardizing the financial position of affected companies through contract cancellations, force majeure declarations, supply chain disruptions, etc., and by driving instability in markets. 

Beyond the immediate region, which other emerging market economies and their banking sectors are most vulnerable to contagion from this conflict, and what early warning indicators should banks monitor? 

Tensions in the Middle East between Iran and Israel will remain high, making further hostilities possible. In the likely event that such hostilities are contained and do not draw in other states or escalate significantly, the impact on other emerging markets outside the region would be limited and indirect. However, in the event of conflict escalation which seriously disrupted energy, emerging market economies exposed to commodity price volatility would be particularly exposed to financial risk. Banks should monitor the drivers of Iran-Israel tensions closely to ensure that they are aware of developments in a timely fashion which could expose them to greater risk, including statements by groups linked to Iran which may have an interest and capability to disrupt shipping (principally the Houthis in Yemen). 

What changes or intensifications should banks anticipate in regulatory expectations around sanctions, AML, and counter-financing of terrorism (CFT)? 

Divergence between the U.S. and the EU on sanctions will continue to be a key trend banks should monitor closely. Differences in policy between Washington and Brussels on Israel and on the Iran hostilities could add to divergence pressures, influencing the adoption of more distinct and contrasting positions on the imposition and enforcement of sanctions, complicating compliance. 

Looking beyond the current conflict, which geopolitical flashpoints should banks be watching most closely in the months ahead—and how can institutions strengthen their overall readiness for the next global shock? 

The geopolitical environment is extremely fluid and volatile, so there are a number of flashpoints to monitor closely. Some of these are long-standing including between India and Pakistan, India and China, and North and South Korea. But there are emerging flashpoints which might become more significant, including competition for influence in the Arctic and in space. Financial institutions should ensure they have identified “wild cards” or shock scenarios which could impact them, and that they are then monitoring those scenarios closely. There is no such thing as “unlikely” anymore! Companies should also ensure that business continuity and crisis management plans are practiced and ready for implementation in the event of shock events materializing. Even if the exact shock events you have predicted do not materialize exactly as you anticipate, the fact you have thought through how to respond to a crisis and the fact you are familiar with geopolitics means that you will be able to respond more effectively. Geopolitical risks impact organizations in so many different ways—it is also critical that financial institutions have a broad range of functions and perspectives involved in discussing and planning for flashpoints to erupt.