Stay up to date with our latest news
By Mark Scott, Head of Risk Practice, j. awan & partners
On the night of 1 March 2026, Iranian drones struck AWS data centres in the UAE and Bahrain. Within hours, several GCC banks reported disruptions to their mobile banking and phone services. Payments firms and consumer platforms across the UAE went offline. The cause was not a cyberattack in the conventional sense: no system was breached and no malware was involved. Physical strikes on physical buildings disrupted a significant portion of the digital infrastructure that GCC financial services firms depend on daily.
Six weeks on, a two-week ceasefire brokered via Pakistan came into effect on 8 April. Staff are returning to offices. Markets have partially recovered. Oil prices have eased below $100 per barrel since the ceasefire announcement, and there is cautious relief across the region.
That relief is understandable, but it is worth being honest about what a ceasefire does and does not mean for the risks that surfaced during those 40 days, particularly for financial institutions and technology-dependent businesses across the GCC.
What a ceasefire does not resolve
A ceasefire stops active hostilities. It does not repair damaged infrastructure, restore confidence in regional supply chains, or neutralise the cyber threat environment that developed alongside the physical conflict.
On supply chains, analysts at Drewry Maritime Research note that even with the Strait of Hormuz reopening, insurance premiums for vessels transiting the waterway will remain significantly elevated until stability is more durably established. Supply chain specialists estimate that full normalisation, covering upstream production, refining throughput, and maritime flows, is likely to take three to four months at minimum, and that is under an optimistic scenario where the ceasefire holds.
Fitch Ratings, which placed Qatar and Ras Al Khaimah on Rating Watch Negative during the conflict, has been direct on this point: a re-escalation of hostilities, or a more prolonged disruption to economic activity, could further test sovereign resilience and exert additional pressure on ratings across the GCC. The ceasefire is two weeks old and the negotiations in Islamabad involve parties with materially different positions on what a durable settlement looks like. Iran's domestic political situation, including divisions between the IRGC and civilian leadership over who controls the negotiating delegation, adds further uncertainty to the timeline.
For financial institutions, the practical implication is that the risk environment of March 2026 has not been resolved. It has paused.
The cyber threat has not paused
Palo Alto Networks' Unit 42 threat intelligence team, which has been tracking cyber activity related to the conflict in close to real time, updated its threat brief as recently as 17 April. Iran operated under a near-complete domestic internet blackout for much of the conflict and yet cyber operations against GCC financial institutions continued throughout, with Iran-linked groups shifting to VSAT services including Starlink to keep operations running.
As of 17 April, Iran began restoring limited internet access for the first time in 47 days. That restoration removes one of the constraints that had been limiting the scale of state-directed cyber operations. Unit 42 has also identified a new cluster of threat activity targeting operational technology and industrial control systems, representing a shift from earlier attack patterns focused on internet-connected infrastructure. The threat is evolving, not receding.
Iran-aligned hacktivist groups remain active across the region. CloudSEK logged coordinated disruption attempts against 10 financial institutions across the GCC in the first five days of the conflict alone. CNBC reported in early April that Iran has explicitly threatened major international technology firms, including Microsoft and Google, both of which provide critical cloud infrastructure to financial institutions across the region.
The assumption that broke
Cloud providers structure their infrastructure around the concept of Availability Zones: geographically separated data centres within a region, designed so that if one facility goes down, the others continue operating. The architecture makes sense for the scenarios it was designed around, namely power failures, floods and hardware faults.
When two of three Availability Zones in the UAE were disrupted simultaneously, AWS confirmed structural damage, disrupted power delivery, and in some cases fire suppression activities that resulted in additional water damage across its UAE and Bahrain facilities. AWS then advised customers to migrate workloads out of the Middle East entirely, to the US, Europe or Asia Pacific.
For regulated GCC financial institutions, that advice was difficult to follow. As Mohamed Radwan, Senior Cloud Architect at T-Systems International, noted: data residency is not just a best practice, it is the law. Moving workloads to other regions during a crisis might bring services back online, but it risks moving sensitive data outside national borders. Firms operating under UAE or Saudi data localisation requirements could not simply reroute to alternative regions and continue operating normally.
As Gregor Hohpe, co-author of Enterprise Integration Patterns, observed in the aftermath: the risk is regional, not tied to a provider. The
mitigation is reducing your regional exposure, not your vendor exposure.
Cloud concentration risk
The structural issue underlying all of this predates the conflict: most GCC financial institutions carry significant concentration risk in their cloud and technology infrastructure.
The region's financial sector has followed a global pattern, moving rapidly onto platforms dominated by a small number of hyperscale providers. That makes commercial sense. The difficulty is that concentrating critical workloads with a single provider in a single geography means a single event can affect the entire operation at once.
This is the issue regulators have been pressing on. The EU's Digital Operational Resilience Act (DORA) requires financial institutions to map their ICT dependencies, identify concentrations, and demonstrate they can absorb provider failure. The UAE Central Bank and Saudi Arabia's SAMA have been moving in the same direction. The events of March gave those conversations considerably more urgency.
What this means in practice
At j. awan & partners, we work with a number of cloud-only financial services firms across the UAE and KSA, including fintechs, payments businesses and lending platforms that have built their entire operations on cloud infrastructure. Many are small to medium-sized, with lean technology teams and limited contingency for a scenario like 1 March. No secondary provider. No tested failover. No documented plan for what happens when their cloud region is unavailable for 48 hours.
Cloud-first is a rational way to build a financial services business in 2026. Without a resilience strategy alongside it, however, the exposure is real. For these firms, the events of early March were a direct stress test of an assumption that had never been examined: that the cloud would simply always be there.
The World Economic Forum's Global Cybersecurity Outlook 2026 found that 91% of the world's largest organisations have revised their cybersecurity strategies in response to geopolitical volatility. For smaller firms in the GCC, a structured review is equally necessary, even if the resources available to conduct it are more limited.
Whether you run a regional bank with a dedicated risk function or a cloud-native fintech with a team of twenty, the practical questions are the same:
1. Do you know exactly which critical workloads sit with which provider, in which region and availability zone, and does your business continuity plan account for simultaneous failure across multiple zones while respecting data residency requirements?
2. If your primary cloud provider is unavailable in the UAE or KSA for 48 hours, what fails with it, and what does recovery actually look like?
3. Are your identity and access controls sufficiently robust? Protiviti's Iran conflict cyber advisory identifies hardening identity controls and reducing unnecessary external exposure as the most urgent near-term actions for financial institutions.
4. Does your board have clear visibility of your cloud dependencies and recovery capability? Regulators across the region increasingly expect that it does.
Looking ahead
The current ceasefire is a two-week arrangement. Negotiations are ongoing, the underlying issues are unresolved, and Fitch has been explicit that re-escalation remains a plausible scenario. Even under an optimistic trajectory where the ceasefire holds and talks progress, the broader stabilisation of the region's security environment is a matter of months, not weeks.
For financial institutions in the GCC, the period ahead is one to use constructively. The conflict exposed specific gaps in cloud architecture, contingency planning and cyber readiness that are now easier to make the case for addressing internally than they were six months ago. With Iran's cyber infrastructure being gradually restored following the 47-day blackout, the volume and pace of state-directed and state-aligned cyber activity is likely to increase rather than decrease in the weeks ahead.
The question for most institutions is not whether to act, but where to start. A straightforward mapping of cloud dependencies and a realistic test of business continuity assumptions is a reasonable place to begin.
References
1. AWS Service Health Dashboard and official customer communications, March 2026. Amazon Web Services. aws.amazon.com
2. Walker, J. (2 March 2026). AWS Middle East Outage After Data Centers Hit by Drone Strikes. Data Center Knowledge. datacenterknowledge.com
3. Gulf Systems Targeted by Wave of War-Linked Cyberattacks (March 2026). AGBI (Arabian Gulf Business Insight). agbi.com
4. Unit 42 (Updated 17 April 2026). Threat Brief: Escalation of Cyber Risk Related to Iran. Palo Alto Networks. unit42.paloaltonetworks.com
5. Managing Concentration Risk and Exit Requirements: A Framework for Financial Institutions (2 February 2026). Microsoft Industry Blogs. microsoft.com
6. War in the Middle East: GCC Mulls Action Over Iranian Attacks (March 2026). Global Finance Magazine. gfmag.com
7. Global Cybersecurity Outlook 2026. World Economic Forum. weforum.org
8. Robins, U. (27 March 2026). Iran Conflict Cyber Risks: What Organizations Should Expect and How to Prepare. Protiviti. blog.protiviti.com
9. GCC, Other Middle East Nations React to Iran-US Ceasefire Announcement (8 April 2026). Al Jazeera. aljazeera.com
10. Recovery of Energy Flows Will Be Gradual Rather Than Immediate as Hormuz Re-Opens (April 2026). The Print / Drewry Maritime Research. theprint.in
11. Most GCC Sovereigns Remain Resilient Amid Iran War (18 April 2026). Fitch Ratings, via Muscat Daily. muscatdaily.com
12. United Behind the Ceasefire Even as Divisions Loom (April 2026). ACLED. acleddata.com
13. Iran Threatens Nvidia, Apple and Other Tech Giants With Attacks (1 April 2026). CNBC. cnbc.com
When the Cloud Goes Dark
When physical infrastructure fails, the “cloud” stops being abstract and becomes a single point of real-world risk. Resilience isn’t about where your systems run, but how many assumptions you can afford to lose at once.
When the Cloud Goes Dark
When physical infrastructure fails, the “cloud” stops being abstract and becomes a single point of real-world risk. Resilience isn’t about where your systems run, but how many assumptions you can afford to lose at once.
By Mark Scott, Head of Risk Practice, j. awan & partners
On the night of 1 March 2026, Iranian drones struck AWS data centres in the UAE and Bahrain. Within hours, several GCC banks reported disruptions to their mobile banking and phone services. Payments firms and consumer platforms across the UAE went offline. The cause was not a cyberattack in the conventional sense: no system was breached and no malware was involved. Physical strikes on physical buildings disrupted a significant portion of the digital infrastructure that GCC financial services firms depend on daily.
Six weeks on, a two-week ceasefire brokered via Pakistan came into effect on 8 April. Staff are returning to offices. Markets have partially recovered. Oil prices have eased below $100 per barrel since the ceasefire announcement, and there is cautious relief across the region.
That relief is understandable, but it is worth being honest about what a ceasefire does and does not mean for the risks that surfaced during those 40 days, particularly for financial institutions and technology-dependent businesses across the GCC.
What a ceasefire does not resolve
A ceasefire stops active hostilities. It does not repair damaged infrastructure, restore confidence in regional supply chains, or neutralise the cyber threat environment that developed alongside the physical conflict.
On supply chains, analysts at Drewry Maritime Research note that even with the Strait of Hormuz reopening, insurance premiums for vessels transiting the waterway will remain significantly elevated until stability is more durably established. Supply chain specialists estimate that full normalisation, covering upstream production, refining throughput, and maritime flows, is likely to take three to four months at minimum, and that is under an optimistic scenario where the ceasefire holds.
Fitch Ratings, which placed Qatar and Ras Al Khaimah on Rating Watch Negative during the conflict, has been direct on this point: a re-escalation of hostilities, or a more prolonged disruption to economic activity, could further test sovereign resilience and exert additional pressure on ratings across the GCC. The ceasefire is two weeks old and the negotiations in Islamabad involve parties with materially different positions on what a durable settlement looks like. Iran's domestic political situation, including divisions between the IRGC and civilian leadership over who controls the negotiating delegation, adds further uncertainty to the timeline.
For financial institutions, the practical implication is that the risk environment of March 2026 has not been resolved. It has paused.
The cyber threat has not paused
Palo Alto Networks' Unit 42 threat intelligence team, which has been tracking cyber activity related to the conflict in close to real time, updated its threat brief as recently as 17 April. Iran operated under a near-complete domestic internet blackout for much of the conflict and yet cyber operations against GCC financial institutions continued throughout, with Iran-linked groups shifting to VSAT services including Starlink to keep operations running.
As of 17 April, Iran began restoring limited internet access for the first time in 47 days. That restoration removes one of the constraints that had been limiting the scale of state-directed cyber operations. Unit 42 has also identified a new cluster of threat activity targeting operational technology and industrial control systems, representing a shift from earlier attack patterns focused on internet-connected infrastructure. The threat is evolving, not receding.
Iran-aligned hacktivist groups remain active across the region. CloudSEK logged coordinated disruption attempts against 10 financial institutions across the GCC in the first five days of the conflict alone. CNBC reported in early April that Iran has explicitly threatened major international technology firms, including Microsoft and Google, both of which provide critical cloud infrastructure to financial institutions across the region.
The assumption that broke
Cloud providers structure their infrastructure around the concept of Availability Zones: geographically separated data centres within a region, designed so that if one facility goes down, the others continue operating. The architecture makes sense for the scenarios it was designed around, namely power failures, floods and hardware faults.
When two of three Availability Zones in the UAE were disrupted simultaneously, AWS confirmed structural damage, disrupted power delivery, and in some cases fire suppression activities that resulted in additional water damage across its UAE and Bahrain facilities. AWS then advised customers to migrate workloads out of the Middle East entirely, to the US, Europe or Asia Pacific.
For regulated GCC financial institutions, that advice was difficult to follow. As Mohamed Radwan, Senior Cloud Architect at T-Systems International, noted: data residency is not just a best practice, it is the law. Moving workloads to other regions during a crisis might bring services back online, but it risks moving sensitive data outside national borders. Firms operating under UAE or Saudi data localisation requirements could not simply reroute to alternative regions and continue operating normally.
As Gregor Hohpe, co-author of Enterprise Integration Patterns, observed in the aftermath: the risk is regional, not tied to a provider. The
mitigation is reducing your regional exposure, not your vendor exposure.
Cloud concentration risk
The structural issue underlying all of this predates the conflict: most GCC financial institutions carry significant concentration risk in their cloud and technology infrastructure.
The region's financial sector has followed a global pattern, moving rapidly onto platforms dominated by a small number of hyperscale providers. That makes commercial sense. The difficulty is that concentrating critical workloads with a single provider in a single geography means a single event can affect the entire operation at once.
This is the issue regulators have been pressing on. The EU's Digital Operational Resilience Act (DORA) requires financial institutions to map their ICT dependencies, identify concentrations, and demonstrate they can absorb provider failure. The UAE Central Bank and Saudi Arabia's SAMA have been moving in the same direction. The events of March gave those conversations considerably more urgency.
What this means in practice
At j. awan & partners, we work with a number of cloud-only financial services firms across the UAE and KSA, including fintechs, payments businesses and lending platforms that have built their entire operations on cloud infrastructure. Many are small to medium-sized, with lean technology teams and limited contingency for a scenario like 1 March. No secondary provider. No tested failover. No documented plan for what happens when their cloud region is unavailable for 48 hours.
Cloud-first is a rational way to build a financial services business in 2026. Without a resilience strategy alongside it, however, the exposure is real. For these firms, the events of early March were a direct stress test of an assumption that had never been examined: that the cloud would simply always be there.
The World Economic Forum's Global Cybersecurity Outlook 2026 found that 91% of the world's largest organisations have revised their cybersecurity strategies in response to geopolitical volatility. For smaller firms in the GCC, a structured review is equally necessary, even if the resources available to conduct it are more limited.
Whether you run a regional bank with a dedicated risk function or a cloud-native fintech with a team of twenty, the practical questions are the same:
1. Do you know exactly which critical workloads sit with which provider, in which region and availability zone, and does your business continuity plan account for simultaneous failure across multiple zones while respecting data residency requirements?
2. If your primary cloud provider is unavailable in the UAE or KSA for 48 hours, what fails with it, and what does recovery actually look like?
3. Are your identity and access controls sufficiently robust? Protiviti's Iran conflict cyber advisory identifies hardening identity controls and reducing unnecessary external exposure as the most urgent near-term actions for financial institutions.
4. Does your board have clear visibility of your cloud dependencies and recovery capability? Regulators across the region increasingly expect that it does.
Looking ahead
The current ceasefire is a two-week arrangement. Negotiations are ongoing, the underlying issues are unresolved, and Fitch has been explicit that re-escalation remains a plausible scenario. Even under an optimistic trajectory where the ceasefire holds and talks progress, the broader stabilisation of the region's security environment is a matter of months, not weeks.
For financial institutions in the GCC, the period ahead is one to use constructively. The conflict exposed specific gaps in cloud architecture, contingency planning and cyber readiness that are now easier to make the case for addressing internally than they were six months ago. With Iran's cyber infrastructure being gradually restored following the 47-day blackout, the volume and pace of state-directed and state-aligned cyber activity is likely to increase rather than decrease in the weeks ahead.
The question for most institutions is not whether to act, but where to start. A straightforward mapping of cloud dependencies and a realistic test of business continuity assumptions is a reasonable place to begin.
References
1. AWS Service Health Dashboard and official customer communications, March 2026. Amazon Web Services. aws.amazon.com
2. Walker, J. (2 March 2026). AWS Middle East Outage After Data Centers Hit by Drone Strikes. Data Center Knowledge. datacenterknowledge.com
3. Gulf Systems Targeted by Wave of War-Linked Cyberattacks (March 2026). AGBI (Arabian Gulf Business Insight). agbi.com
4. Unit 42 (Updated 17 April 2026). Threat Brief: Escalation of Cyber Risk Related to Iran. Palo Alto Networks. unit42.paloaltonetworks.com
5. Managing Concentration Risk and Exit Requirements: A Framework for Financial Institutions (2 February 2026). Microsoft Industry Blogs. microsoft.com
6. War in the Middle East: GCC Mulls Action Over Iranian Attacks (March 2026). Global Finance Magazine. gfmag.com
7. Global Cybersecurity Outlook 2026. World Economic Forum. weforum.org
8. Robins, U. (27 March 2026). Iran Conflict Cyber Risks: What Organizations Should Expect and How to Prepare. Protiviti. blog.protiviti.com
9. GCC, Other Middle East Nations React to Iran-US Ceasefire Announcement (8 April 2026). Al Jazeera. aljazeera.com
10. Recovery of Energy Flows Will Be Gradual Rather Than Immediate as Hormuz Re-Opens (April 2026). The Print / Drewry Maritime Research. theprint.in
11. Most GCC Sovereigns Remain Resilient Amid Iran War (18 April 2026). Fitch Ratings, via Muscat Daily. muscatdaily.com
12. United Behind the Ceasefire Even as Divisions Loom (April 2026). ACLED. acleddata.com
13. Iran Threatens Nvidia, Apple and Other Tech Giants With Attacks (1 April 2026). CNBC. cnbc.com