Cyber 2026: Evolving Threats Demand Strategic Leadership

January 27, 2026 13 mins

In 2026, AI-driven threats and regulatory pressures make cyber risk a board-level priority. Now is the time for leaders to act decisively — strengthening resilience and leveraging a favorable insurance market.

Key Takeaways
  1. Evolving cyber threats — driven by AI, supply chain complexity and ransomware — are reshaping the risk environment for organizations.
  2. Regulatory and legal pressures are intensifying, making proactive, board-level cyber risk management essential.
  3. With the stakes higher than ever, leaders have an opportunity to take advantage of a favorable market window in 2026 to build resilience and enhance controls.

Cyber risk is no longer the sole domain of the chief information security officer (CISO). In today’s environment — marked by relentless, sophisticated and increasingly expensive threats — cyber accountability extends across the C-suite and boardroom.

Rapid advances in artificial intelligence (AI) and digital technologies have accelerated cyber risk’s evolution into a strategic business challenge rather than merely an IT issue. The global average cost of a data breach climbed to nearly $5 million in 2024, underlining just how high the stakes have become.1

“While organizations continue to improve their cyber posture, concern and vigilance are at an all-time high,” says Ady Sharma, Cyber Growth Leader for Aon in Canada. “Cyber risk is being discussed in boardrooms more than ever.”

Lessons from 2025: Top Themes and Market Dynamics

1. Cyber Risk Remains the Top Enterprise Threat

Aon’s Global Risk Management Survey reinforces this reality: Cyber attacks and data breaches remain the top enterprise risk through 2026, with this trend expected to continue well into 2028.

Cyber risks in 2026 will intersect with a spectrum of business challenges, from AI-driven supply chain and third-party threats to regulatory, privacy and litigation pressures. The rise of ransomware and the potential for systemic, catastrophic events mean that directors, officers and the broader organization must stay agile, informed and united.

Achieving cyber resilience — this takes a village. It takes the entire firm to come together to drive cyber resilience. Cyber is the perfect distributed problem. That’s why cyber is so insidious, so challenging, so difficult because it truly is an interconnected risk.

Greg Case
Chief Executive Officer at Aon, in his keynote address at the 31st Risk Management Conference

The good news? With decisive action, clear leadership and a collaborative mindset, organizations are well-positioned to transform cyber threats into opportunities for resilience and sustained growth.

Six Top Predictions for 2026

As risk leaders move into 2026 and beyond, we offer a clear perspective on the market, evolving threats and actionable insights to strengthen organizational resilience and take advantage of a favorable market window.

2. Cyber Market: Buyer-Friendly, with Signs of Tightening in 2026

It remains a good time to buy cyber insurance. Since late 2022, a buyer-friendly and well-capitalized market has made coverage more affordable globally. While the market is expected to remain soft in 2026, signs of tightening began to emerge in late 2025, driven by rising loss frequency and poor loss development in some markets.

Insurers have also identified minimum rates below which they cannot offer their maximum capacity — or, in some cases, any capacity at all — an important consideration for buyers seeking significant limits. Excessive pressure on rates may additionally drive desirable capacity away from key cyber insurers.

“Carriers, particularly the market leaders, are seeing losses accrue to a point where it is putting pressure on profitability,” says Brent Rieth, Global Cyber Leader at Aon. “They are feeling the pressure, but it is being combatted by a tremendous amount of net new insurance capacity that has come into the market over the past five years.”

Cyber Threats that are Looming Large in 2026

1. Third-Party and Supply Chain Risks

Supply chain or distribution failure is a top 10 global risk, confirmed by Aon’s Global Risk Management Survey, and is projected to remain high into 2028. High profile incidents, including CDK and Change Healthcare, exposed the scale and severity of systemic risk and business interruption impact.

When one major manufacturer’s operations were disrupted by a cyber attack, thousands of suppliers and dealers faced significant financial strain, prompting government intervention to stabilize the supply chain.

These incidents underscore a growing issue: Third-party involvement accounted for 30% of all data breaches in 2024, up from 15% a year earlier.2

Non-malicious events, including CrowdStrike, are often just as severe as a cyber attack and may be covered under a cyber insurance policy.

As supply chains expand and become more interconnected, organizations find it increasingly difficult to maintain oversight of their suppliers’ security maturity and resilience to technology outages.

“Even beginning to assess how third parties manage their risks — and what that means for your business — quickly becomes a complex web to untangle,” Rieth adds. “We are going to continue to see the weakest link in the broader third-party ecosystem be a trigger for pretty severe and in some cases widespread events that impact multiple businesses at a fairly catastrophic level.”

The rapid adoption of third-party and open-source AI models has created a vast new attack surface — the AI supply chain. Vulnerabilities are often introduced as supply chains expand, especially when third-party compliance is challenging to verify or open-source code is used. Only 37% of organizations have processes to assess third-party AI tool security before deployment.3

In 2025, several research labs demonstrated that altering just 0.1% of a model’s training data could cause targeted misclassification, such as instructing an AI vision system to misidentify a stop sign. In cyber security, this could mean an intrusion-detection model misclassifying a malicious payload as benign.4

We will continue to see single points of failure in the third‑party ecosystem cascade into systemic incidents — disrupting multiple businesses simultaneously and amplifying losses.

David Molony
Head of Cyber Solutions, Europe, Middle East and Africa

2. The Growth of AI-Driven Threats

AI’s impact on cyber extends to other attack vectors as well. AI is the digital age’s double-edged sword — while it delivers significant efficiency gains for businesses, it also empowers threat actors to scale and automate attacks at unprecedented speed and sophistication. As AI becomes more deeply integrated into operations, organizations face a new era of cyber risk — one where autonomous, adaptive threats can outpace traditional defenses.

Aon’s Global Risk Management Survey confirms that AI-driven cyber attacks are now a top-10 risk for business leaders worldwide. These attacks stand apart because they combine speed, autonomy and intelligence at a scale human attackers can’t match.

“There is a multiplier effect with AI that allows bad actors to wage asymmetrical warfare against companies,” says Adam Peckman, Global Cyber Risk Consulting Leader & Head of Risk Consulting & Cyber Solutions for Aon in the APAC Region. “Threat actors can weaponize the latest vulnerabilities quickly and deploy them at scale, without significant investment in people or computing power.”

Beyond supply chain and data model poisoning, these threats are changing the face of cyber risk:

  • Autonomous AI Attacks: Machine agents can independently coordinate and execute multi-stage campaigns, challenging traditional security models.
  • Adaptive Malware Fabrication: Self-evolving malicious code can generate unique, functional malware variants in seconds, making detection and response more difficult.
  • Synthetic Insider Threats: AI agents, built from stolen employee data and voice samples, can convincingly mimic real users and infiltrate platforms with precise linguistic and behavioral patterns.5

AI is also reshaping physical security. Technologies like autonomous drones and deepfake-enabled access systems have exposed new vulnerabilities, and traditional security boundaries are becoming obsolete. Attackers are leveraging open-source intelligence — satellite imagery, building layouts, social media and even employee movement patterns — to orchestrate sophisticated breaches.

These capabilities allow adversaries to pinpoint weaknesses, simulate patrols and bypass physical controls with unprecedented precision. Insurers are also watching closely — not just how AI is used by attackers, but how organizations are deploying it to strengthen cyber resilience.

“If you are developing AI technology, you need professional liability or tech E&O coverage to protect your organization,” adds Matt Chmel, Head of Cyber Solutions for Aon in North America. “Businesses also need to look at how they are using AI, ensuring business practices, processes, safeguards and compliance measures are robust.”

3. Ransomware Makes a Comeback

After a period of declining frequency and severity, ransomware attacks grew in severity in 2025, creating additional pressures among businesses globally.

  • 44%

    Global frequency decline in ransomware attacks in Q4 2025

    Source: Aon data

  • 95%

    Increase in global average ransomware payment amounts in 2025

  • 74%

    Increase in global ransomware claims in 2025

“Ransomware is not a new threat, but it’s an increased threat,” says Pablo Constenla, Head of Cyber Coverage and Claims for Aon in Europe, Middle East and Africa. “There are new ransomware groups out there, so the ones that had been previously active are even more aggressive.”

Regulatory and Legal Developments Become Enterprise Concerns

Regulatory and legal risks remain a top enterprise concern among business and risk leaders, ranking as the fourth highest risk in Aon’s Global Risk Management Survey. The trend will likely persist well into 2028 as organizations face an evolving and complex regulatory environment.

New regulations from government agencies, including the Securities and Exchange Commission’s (SEC) new cyber security disclosure rules in the U.S., and NIS2, a directive that aims to ensure “a high common level of cyber security” in the European Union, are raising the bar for incident reporting and accountability.

“SEC regulations are requiring disclosures to be reported within four days, and insurance markets want more information in light of supply chain concerns,” says Stephen Viña, Senior Vice President, Cyber Solutions for Aon in North America. “These developments are putting cyber at the top of the agenda.”

As privacy regulation tightens globally, litigation risk is rising — especially in the U.S., where class action lawsuits related to tracking technologies and data collection continue to impact the market. Insurers are responding by reassessing policy language and narrowing coverage around wrongful or unlawful data collection.

Data privacy and cyber security continue to dominate regulatory agendas, especially as AI and advanced analytics reshape business models.

“Generative AI right now is a big topic, especially at the board level as they seek to understand the risk to their enterprise,” says Allan Vogel, Cyber Security Consulting Leader for Cyber Solutions for Aon in North America. “AI providing wrong information to employees or clients is one area of huge concern.”

The EU’s 2024 Artificial Intelligence Act, effective in 2024, imposes stringent requirements on high-risk AI systems, with penalties reaching beyond 7% of global revenue for non-compliant companies. 

Meanwhile, U.S. states are advancing their own data privacy laws, and China’s data governance policies continue to raise cross-border concerns over implications for data restrictions, data regulation and internet sovereignty.

These developments demand vigilant monitoring and proactive risk management. Organizations must try to stay ahead of regulatory changes to protect their business and maintain resilience.

Four Key Trends to Watch in 2026

Building Resilience: Actionable Strategies for the Coming Year

To effectively manage cyber risks, organizations should consider these recommendations:

  1. Reinvest Savings into Cyber Resilience
    With global cyber risk transfer market conditions expected to remain favorable, organizations can use premium savings to strengthen cyber defenses, expand coverage limits and optimize program structure. Lead risk buyers continue to leverage these conditions by enhancing controls and adjusting retention levels to match their risk appetite.
  2. Adopt Data-Driven Risk Management
    Advanced analytics empower leaders to make better and faster decisions. Tools, like Aon’s Cyber Risk Analyzer and Cyber Quotient (CyQu) Evaluation, offer the quantitative insights needed to understand exposure and tailor insurance programs, supporting sustainable and scalable cyber resilience.
  3. Invest in Incident Response and Recovery
    A robust, coordinated response plan is critical to minimizing the impact of cyber events. Regular resilience drills and cross-functional collaboration help organizations operate with confidence. Aon supports clients with strategic claims recovery, insurer coordination and access to preferred providers for effective incident management.
  4. Utilize Cyber Resilience as a KPI
    Organizations are starting to measure and report on cyber resilience as a formal business objective. Data analytics and risk modeling inform investment in security controls, business continuity planning and cyber insurance purchasing.
  5. Innovate in Risk Transfer to Enhance Program
    Captives and alternative risk transfer solutions are gaining traction as organizations seek flexibility for covering regulatory fines, supply chain outages and other exposures. Alternative solutions, including multi-year policies, parametric covers and co-insurance structures, are emerging as creative ways to manage risk.

Aon’s Thought Leaders

Katie Andruchow
Cyber Broking Practice Leader, Canada

Matt Chmel
Head of Cyber Solutions, North America

Alistair Clarke
Managing Director, Cyber Broking, United Kingdom

Pablo Constenla
Head of Cyber Coverage and Claims, Europe, Middle East and Africa

Catalina Esteban Loring
Executive Director, Cyber and Commercial E&O, United Kingdom

David Molony
Head of Cyber Solutions, Europe, Middle East and Africa

Adam Peckman
Global Practice Leader of Cyber Risk Consulting, Head of Risk Consulting & Cyber Solutions, Asia Pacific

Brent Rieth
Head of Global Cyber Solutions

Ady Sharma
Cyber Growth Leader, Canada

Greg Sparacio
Middle Market Leader, Cyber Solutions, United States

Søren Stryger
Chief Cyber Broking Officer, Europe, Middle East and Africa

Stephen Viña
Senior Vice President, Cyber Solutions, North America

Allan Vogel
Cyber Security Consulting Leader, Cyber Solutions, North America

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
