Iran Update – 1 March 2026: What Khamenei’s Death Changes

This update supersedes our initial advisory of 28 February 2026.

What Has Changed Since Yesterday

U.S. and Israeli operations have entered a second day. Iranian Supreme Leader Ayatollah Ali Khamenei has been confirmed dead. At least 40 senior Iranian military and security officials were killed in the same strike package, including the IRGC Commander, Defense Minister and Armed Forces Chief of Staff. Three U.S. service members have been killed in action and five seriously wounded, the first American casualties of Operation Epic Fury. Iranian retaliation has expanded to eight countries across the Gulf. President Trump has described operations as “ahead of schedule” and has signaled willingness to engage in dialogue with Iranian representatives.

What It Means

The leadership decapitation changes the threat calculus in both directions.

The death of Khamenei removes the single individual who, for 36 years, served as the ultimate decision-making authority over Iran’s military, nuclear program, judiciary and proxy network. That is strategically significant. It also creates conditions that are in some respects more dangerous in the near term than an Iran governed by a living Khamenei.

Iran has established a temporary three-person leadership council. A new Supreme Leader will ultimately be selected by the Assembly of Experts. But the transition period, its length unknown, leaves command authority fragmented and distributed across institutions with competing interests. The IRGC, which has suffered significant leadership losses but retains its force structure, has every incentive to demonstrate its continued relevance through aggressive retaliation. History suggests that decapitated regimes often escalate before they negotiate.

The Council on Foreign Relations has noted that the IRGC, not Khamenei, is the operational core of the regime. Accordingly, Khamenei’s death does not equal regime collapse. Three trajectories are possible: continuity under a new Supreme Leader, effective IRGC military control or regime collapse accelerated by the ongoing protest movement. None of these will resolve quickly. All produce sustained uncertainty.

Reza Pahlavi, the U.S.-based son of the former Shah, has publicly called on Iranians to resume protests and urged security forces to side with the people rather than the regime. His relevance to any succession scenario is contingent on whether the protest movement inside Iran sustains momentum and whether IRGC loyalty fractures, neither of which is assured.

The domestic threat environment has fundamentally shifted.

The killing of a Supreme Leader, framed immediately by Iranian state media as martyrdom, creates a threat environment inside the United States that is qualitatively different from what existed 48 hours ago. Three distinct vectors merit attention.

The IRGC maintains an active, documented assassination program targeting current and former U.S. officials, defense executives and individuals with Israeli affiliations. The FBI has disrupted multiple plots on U.S. soil since 2020. Khamenei’s death removes a constraint and adds a new motivation. Directed operations against high-profile targets inside the United States are a near-term risk that organizations should treat as credible and immediate.

Beyond directed operations, the martyrdom narrative creates conditions for lone wolf attacks by individuals with no operational connection to Iran but radicalized by the killing. These actors are unpredictable, potentially global in location, and may target symbolic rather than strategic objectives — Jewish institutions, crowded public venues, government facilities or anything associated with the United States or Israel. This threat does not require IRGC direction to materialize.

U.S. intelligence has previously assessed that Iran maintains pre-positioned assets inside the United States capable of conducting attacks on short notice. The combination of leadership loss, martyrdom framing and the IRGC’s public pledge of “the most ferocious offensive operation in the history of the Iranian armed forces” elevates the activation risk of these networks to a level that merits immediate attention from security leadership.

Beyond direct Iranian action, Tehran’s proxy network poses an independent threat vector. Hezbollah, Houthi forces in Yemen, and Shia militant groups in Iraq, each capable of acting with or without direct Iranian instruction, may be animated by Khamenei’s death to conduct independent retaliatory operations. Hezbollah retains significant reach into Europe and the Western Hemisphere. Houthi forces have demonstrated a willingness to strike commercial and military targets at range. Iraqi Shia militant groups have previously targeted U.S. personnel and facilities directly. Organizations should treat the proxy network as a distributed threat that does not require central Iranian command to activate.

The succession vacuum has long-term implications beyond the immediate conflict.

Even in a best-case scenario where military operations conclude and dialogue begins, organizations should not assume a return to the pre-conflict baseline. A new Iranian leadership, regardless of who it is, will face intense domestic pressure to demonstrate strength. Sanctions relief, nuclear negotiations and proxy de-escalation are all harder in a succession environment than they were under a consolidated authoritarian. The near-term window for a negotiated resolution may actually be narrower than it appears, not wider.

Energy and supply chain exposure is real and immediate.

The Strait of Hormuz is effectively closed to commercial traffic. Major trading houses have suspended oil shipments. At least 15 container ships have reversed course from entering or exiting the Strait. Hapag-Lloyd has suspended all vessel transits, citing official closure by relevant authorities. Jebel Ali, the Gulf’s largest port and a critical global logistics hub, was temporarily shut after being struck by Iranian missile debris on Saturday.

The insurance market has responded with unusual speed. Marsh, the world’s largest insurance broker, estimates war risk hull and machinery premiums for Gulf transits will increase 25% to 50% in the near term. Premiums have already doubled, moving from approximately 0.25% to 0.5% of a vessel’s insured value — translating to an increase from roughly $375,000 to $750,000 per transit for a large container vessel. Those costs will be passed directly to cargo owners as war risk surcharges. War risk policy cancellation notices were issued over the weekend before markets reopened Monday, a signal of the urgency with which insurers are reassessing exposure.

The Strait handles approximately one third of global seaborne crude and roughly 20% of total global oil supply. Even a partial or temporary disruption produces immediate energy price spikes. Oil is forecast to surge toward $100 per barrel. Organizations with Gulf-dependent supply chains, energy sector exposure or logistics operations routed through the Middle East should treat this as an active disruption, not a risk to monitor.

The Red Sea presents a compounding risk. Houthi forces, which had begun standing down attacks on commercial shipping in recent months, are likely to resume offensive operations in solidarity with Iran. Shipping lanes through the Bab el-Mandeb strait and the broader Red Sea corridor, already disrupted through much of 2024 and 2025, face renewed threat. Organizations that rerouted supply chains through the Red Sea following the earlier Houthi ceasefire should reassess those decisions immediately. The combination of a closed or restricted Strait of Hormuz and an active Red Sea threat leaves no safe primary routing option for Gulf-origin cargo.

What To Watch

  • Whether the temporary Iranian leadership council holds or fractures under IRGC pressure
  • IRGC command decisions in the absence of Khamenei’s authority: escalation or restraint
  • Whether the domestic protest movement accelerates as strikes continue and the regime is visibly weakened
  • Confirmation of Strait of Hormuz status and energy market response
  • The pace and scope of emergency OFAC designations and export control actions
  • Any indicators of IRGC-directed or inspired activity on U.S. or European soil

Immediate Considerations for Organizations with Assets or Personnel in the Area of Operations

Companies with assets or personnel in the area of operations should take several prudent risk-management steps.

  • First, conduct an immediate accountability exercise to ensure positive contact with all personnel, ideally through a bi-directional, application-based mass notification platform that allows employees to confirm status and request assistance.
  • Second, closely monitor and adjust travel plans—not only to obvious “hot zones,” but also to avoid contested airspace and potential escalation corridors (for example, evaluating eastbound routings from CONUS to India to minimize Middle East overflight exposure).
  • Third, reinforce employee awareness by providing updated guidance on situational awareness and personal security, recognizing that asymmetric or opportunistic violence could occur outside traditional conflict zones.
  • Finally, proactively assess downstream supply chain vulnerabilities, including energy and maritime chokepoints, and develop contingency plans should escalation materially disrupt transit through the Strait of Hormuz.

Immediate Cybersecurity Considerations

The killing of Khamenei and significant IRGC leadership losses increase both the motivation and the likelihood of Iranian cyber retaliation. Iranian APTs and hacktivist proxies can be expected to target U.S. and Israeli financial institutions, energy and water infrastructure, healthcare systems, defense contractors, logistics providers and telecom sectors. Iran-affiliated actors have previously conducted Distributed Denial of Service (DDoS) campaigns, defaced websites, deployed wiper malware, launched hack-and-leak operations and used cyber operations to collect intelligence. Known intrusion vectors include phishing, exploitation of unmanaged or poorly secured Internet-facing devices, valid account abuse and “watering hole” attacks that compromise vendor websites and thereby infect users visiting these sites. CIOs and CISOs should treat this as an active threat requiring immediate attention. Key mitigations include:

  • Validate DDoS mitigation and website protection services. 
  • Identify and disconnect Operational Technology (OT) assets from the public internet.
  • Harden remote access technologies such as virtual network computing, remote desktop protocol (RDP), Secure Shell Protocol (SSH) and web management interfaces.
  • Implement multi-factor authentication (MFA) wherever possible, track exceptions and immediately replace weak or default passwords.
  • Apply the manufacturer’s latest software patches for internet-facing systems to ensure protection against exploitation of known vulnerabilities.
  • Ensure deployment of Endpoint Detection & Response technologies wherever possible.
  • Monitor user access logs for remote access to OT networks and for implementation of any firmware or configuration changes.
  • Ensure business continuity, disaster recovery and incident response plans are in place, including implementing full system and data backups to facilitate any recovery efforts.

The Chertoff Group’s advisory team is actively monitoring this situation and stands ready to support your organization. For more information or to speak with one of our advisors, please contact us. This bulletin will be updated as developments warrant.
