When everything’s digital, everyone’s vulnerable

January 28, 2026

Cyber risk is no longer a distant, abstract threat, it’s a daily reality for organisations of every size. The high‑profile attacks on Marks & Spencer, Jaguar Land Rover and the Co‑op in 2025 have shown just how quickly disruption can spread and how costly a single breach can become. As cybercriminals evolve their tactics and new technologies accelerate both risk and defence, insurers and businesses alike are being forced to rethink what resilience really means.

As our Cyber Insurance specialist Theo Pastuch puts it:

“Of all the risks we cover, cyber is the fastest growing by far. You might feel you’re too small to be of interest to cybercriminals or that because you’re big, you must be fully covered. The truth is, everyone is vulnerable, and the impact of an attack can be huge.”

Accelerating both risk and defence

AI is now powering both sides of the cyber battle. Criminals are using it to automate attacks, create convincing phishing emails, build fraudulent websites and generate deepfake videos in minutes. UK Finance recorded almost £100 million lost to investment scams in the first half of 2025, many fuelled by AI‑generated deepfakes.

As AI‑enabled threats grow, insurers are reviewing how policies respond, with clearer definitions around social engineering losses and potentially broader cover for organisations using AI‑powered threat detection. In 2026, AI will be both a risk and a defence.

Ransomware: Still the Biggest Threat

Ransomware continues to drive the majority of cyber‑insurance claims. QBE predicts a 40% increase in victims publicly listed on leak sites by the end of 2026. Attackers are increasingly targeting SMEs within supply chains as a route into larger organisations.

For smaller businesses, this raises a serious concern where ransomware losses could leave them exposed to significant out‑of‑pocket costs.

Skills Shortages: A Growing Gap

The 2025 Cyber Security Breaches Survey highlights a persistent skills gap:

• 49% of businesses and 59% of charities lack basic cyber skills
• 30% of businesses and 29% of charities lack advanced skills such as penetration testing and malicious code analysis

If these gaps aren’t addressed, the likelihood of breaches will rise and insurers may increase premiums for organisations unable to demonstrate adequate cyber resilience.

Regulation is tightening

The Cyber Security and Resilience Bill, expected in 2026, will expand existing NIS regulations and introduce stricter incident‑reporting requirements. Organisations that fail to comply may face penalties, higher premiums or reduced insurance capacity.

Top Tips for 2026

It’s no longer a passive policy waiting for a breach to happen. It’s an active partner in prevention, helping your business strengthen defences, reduce risk, and respond faster.
Ensure you have a robust cyber incident response plan and conduct regular recovery drills to minimise damages in the event of a breach.
Speak to an insurance broker to review your policy terms and conditions, especially regarding how social engineering scams and ransomware attacks are defined and covered.
Upskill your IT teams to address skills gaps and implement robust employee training to help staff proactively spot cyber-security concerns. Consider managed security service providers or consultants to bridge gaps in testing and malware analysis.