Cyber risk: A look ahead to 2026

Despite an increase in both the frequency and severity of cyber losses, the cyber insurance marketplace remained favorable to buyers in 2025. While the market hardened in 2020 following the emergence of more sophisticated and costly ransomware attacks, competitive conditions have prevailed since 2022, driving year‑over‑year premium reductions. This trend continued through 2025, even as underlying cyber risk intensified.

Early indicators in 2026 point to a deceleration in the rate of market softening within the cyber insurance sector. While several prominent insurers are making efforts to maintain stability, particularly by pushing for flat primary renewals in high-risk industries such as healthcare and aviation, there remain widespread opportunities for premium reductions and expanded coverage options across the broader marketplace. The trajectory of the market will largely be shaped by ongoing loss trends, especially those characterized by severe ransomware incidents and systemic events occurring in early 2026. These developments, along with the results of cyber reinsurance renewals, will play a pivotal role in determining whether the market undergoes a shift toward firmer conditions in the coming months. By strategically leveraging this heightened competition among insurers, organizations can often secure lower costs and broader protection, making it an opportune time for those seeking robust cyber insurance solutions.

Cyber losses continue to escalate, bad actors continue to deploy new tactics and the risks have never been so unpredictable. At the same time, an abundance of insurer competition is chasing cyber premiums, as underwriters are eager to capitalize on the biggest growth opportunity in the wider insurance industry. Estimates suggest that the cyber market expanded to $16 billion in 2025, and most studies project that the market size will increase to at least $40 billion by 2030. Several notable insurers have raised concerns that heightened underwriting discipline is needed to ensure continued profitability of cyber insurance, so that the marketplace can be positioned effectively to meet this increased demand. Cyber events in 2025 were not just limited to ransomware; the year was also underscored by losses arising from privacy non-compliance and technology service provider outages, with many of these losses resulting in systemic impacts.

Cyber risk issues that shaped 2025

Ransomware

In 2025, ransomware remained the most significant cyber risk. Attack frequency increased by 45% year-over-year, while average ransom payments declined by 50%, reflecting improved organizational resilience and a growing reluctance to pay. However, the risk profile evolved materially, including a notable rise in insider‑enabled attacks, where threat actors incentivized employees to facilitate system access. In one shocking recent example, a member of the Medusa ransomware group offered an employee a 15% cut in the ransom payment in exchange for granting access to the company’s computer systems.

This past year also highlighted just how sobering that most severe ransomware losses can be. In one example, an automotive company suffered a ransomware loss, which caused a $2.5 billion impact on system exposure to the local economy. Some of the larger and more recent ransomware losses have highlighted that while disruptions to computer systems can be less protracted, the ensuing disruption to the business can last months and in some cases over a year.

Systemic losses caused by vendor incidents

On the heels of vendor incidents impacting Change Healthcare and CrowdStrike the year prior, 2025 saw a drastic increase in cloud outages, with notable outages impacting AWS, Microsoft Azure, Google Cloud and Cloudflare. The cost of November 2025’s Cloudflare outage alone is estimated to have cost anywhere from $5 billion to $15 billion and the increased frequency and severity of these losses has exhibited just how dependent organizations are on technology vendors. These solutions are often deployed to enhance system performance, improve reliability and information security. When these technologies run seamlessly, they can enhance their user experience, but an outage can bring a customer’s business to a complete halt. This exposure evolves into a systemic risk when a substantial portion of the business ecosystem depends on a concentrated group of proprietary technologies.

Within the cyber insurance marketplace, the good news is that robust coverage is available to cover both cyber attacks and system failures impacting critical vendors. Cyber underwriters are evaluating system failure coverage more closely, but the abundance of competition among cyber insurers has incentivized underwriters to offer system failure coverage, often at full limits, even with the increased exposure. 

Privacy non-compliance and wrongful collection

Traditionally, privacy risk has focused on liabilities resulting from unauthorized disclosure of sensitive personal data, either due to negligent protection of data or a malicious cyber attack. Often overlooked are losses arising from wrongful data collection and regulatory non‑compliance that do not involve a malicious cyber event. Recent pixel‑tracking litigation highlights how legacy privacy, wiretap and antihacking statutes are being repurposed to address modern data practices.

The original focus on the General Data Protection Regulation (GDPR) in 2016 was well founded given the potential for fines of up to 4% of annual turnover. However, the use of pixel tracking technologies in the healthcare sector has been in focus since a June 2022 investigation by The Markup, a non-profit publication. The findings of the investigation showed a substantial portion of hospitals utilized pixel tracking technologies without explicit consent, which fueled class action lawsuits, congressional inquiries and updated guidance from regulatory entities surrounding pixel compliance. Fast forward to 2025, notable pixel tracking settlements in the healthcare sector totaled over $100 million, with plaintiffs successfully bringing claims under a mix of U.S. federal and state statutes, often repurposing older privacy, wiretap and anti-hacking laws.

Wrongful collection claims arising from non-compliance with the Biometric Information Privacy Act (BIPA) also continued in 2025, but settlements decreased 34% after 2024 amendments to the law limited damages to a single affected person rather than adding all biometric scans together during a specified period. BIPA is an onerous Illinois law that regulates how entities collect biometric data and can apply fines of up to $5,000 per violation. Nevertheless, 2025 saw a $51.75 million BIPA settlement by a facial recognition company, underscoring that organizations should not keep BIPA out of sight or mind even while the 2024 amendments to the law saw liabilities curtailed.

Cyber insurance coverage for wrongful collection and privacy non-compliance is often not found in the typical cyber policy, and the breadth of coverage can vary significantly from one policy to the next. Cyber insurers are growing increasingly wary of extending coverage for these specific privacy exposures because use of pixel tracking technologies across all types of companies is likely to continue. Many underwriters believe they are underwriting to a regulation rather than underwriting to specific cybersecurity controls. 

Artificial intelligence

Artificial intelligence (AI) is arguably the biggest emerging risk management issue and transgresses all lines of insurance. Organizations are defining their AI strategies while at the same time considering the advantages and risks of home-grown versus SaaS solutions for operations. Broadly, AI represents both an amplification of traditional cyber risk and the introduction of novel regulatory and liability exposures.

The introduction of AI amplifies cyber risk because AI allows bad actors to automate processes that were previously manual, allowing them to identify vulnerabilities and deploy cyber attacks at greater speed and efficiency. Since AI exclusions have not been deployed regularly yet on cyber policies, cyber insurance should be well posited to respond to this amplification of exposure. This is largely also true for shareholder losses arising from “AI washing” (e.g., alleged exaggeration of AI technologies deployed by companies in public filings). Since D&O policies typically do not contain AI exclusions, securities claims alleging AI washing could also be covered as an amplification of D&O risk.

Meanwhile, AI also introduces the possibility of new and potentially uncovered regulatory risks.  Certain provisions of the EU AI Act are expected to take effect in 2026, with potential fines of up to 35 million euros or 7% of global turnover, whichever is greater. Because violations may arise absent a cyber event or data breach, resulting losses may fall outside the scope of traditional cyber insurance coverage. Specifically, the EU AI Act places prohibitions on prohibited AI practices (e.g., social scoring, manipulative AI, etc.) and high-risk AI models (e.g., education, employment or biometric identification). Although a comparable federal U.S. law has not been passed yet, several states (Utah, Colorado and California) have passed similar AI laws.  Since a violation of the EU AI Act may not result from a cyber attack or breach of sensitive data, this exposure may fall outside the purview of cyber policy.

As AI risk continues to evolve in 2026, organizations must adopt a proactive approach to AI governance. This involves the development and implementation of comprehensive AI security and governance programs.  Emphasizing regulatory compliance, data governance, and addressing the risks associated with "shadow AI"—where employees utilize unsanctioned AI tools in business operations—will be critical to safeguarding the enterprise.

Effective AI governance should also be closely aligned with robust third-party and vendor management programs. Organizations need to ensure that any outsourced business processes are subject to the same level of scrutiny and control as internal operations. This integration helps mitigate risks arising from external dependencies and ensures consistency in managing AI-related exposures.

Additionally, ongoing cyber training for employees is essential in maintaining organizational awareness and preparedness against evolving AI-amplified cyber threats. Targeted phishing simulations and resilience tabletop exercises play a vital role in educating staff about attacker tactics, techniques, and procedures. These initiatives foster a culture of vigilance and enhance the organization's ability to respond effectively to cyber incidents.

Predictions for 2026

Ransomware, vendor risk, privacy risk and AI all shaped the cyber insurance market in distinct ways in 2025. Looking forward, we’re pleased to share the following predictions for 2026:

Ransomware will remain the dominant driver of cyber insurance underwriting and limit adequacy considerations: While improved controls have reduced business interruption duration, the sheer severity of large-scale events — often exceeding $1 billion — will increasingly challenge traditional limit assumptions. This trend underscores the importance of supporting data and analytics to support cyber insurance purchasing decisions.

Vendor risks and the increased reliance on a core group of technology providers will continue to stress-test cyber insurance policies: Fortunately, most outages in 2025 were rectified quickly in less than a day. An incident that lasts several days or weeks could result in losses with exponentially higher billion-dollar impacts. In the short term, we don’t expect any material impact to cyber insurer appetite for system failure coverage given the current state of competition chasing cyber premiums.

Underwriting privacy and wonderful collection risk will be increasingly challenging for cyber insurers given that companies are unlikely to stop using pixel tracking technologies and continue to aggregate data: Where privacy liability attaches continues to be a fine line and a complex legal minefield. Some markets have started to curtail previous coverage expansions for wrongful collection, but the current favorable marketplace should allow buyers with favorable loss history and privacy controls to find wrongful collection coverage with persistence.

AI presents an amplification of existing cyber risk while at the same time creating new risks: Several novel AI specific insurance solutions have entered the marketplace, but available capacity and buying appetite have been limited so far. This could change with a sizable first time AI loss, which will be an inevitable watershed moment. In the meantime, it will be imperative for buyers to proactively pursue as broad coverage as possible under cyber policies covering the full range of possible AI losses.

Conclusion

Looking over the horizon, a material shift to a hard market is not yet observable. Willis, a WTW business, continues to monitor insurer loss ratios closely, along with reinsurance renewals to proactively forecast market changes. Early 2026 is a ripe opportunity for buyers to release significant coverage expansions at competitive premiums, and a proactive approach to AI governance and cyber resilience will be imperative as the exposure environment continues to evolve. 

About Willis Cyber

The Willis Cyber team compromises over 200 cyber specialists globally with broad experience and expertise in cyber insurance broking, incident response leadership and analytics. Additionally, Willis’ Cyber Consultants proactively engage with clients to offer tailored consulting solutions that align cyber risk with business objectives and optimize cyber insurance outcomes. The team places more than $1 billion in global cyber premium every year and has managed over 3700 cyber incidents.