
With today's reliance on digital capabilities to conduct business, the risk of cyberattacks and cyber-related incidents is greater than ever. Organizations are experiencing an increasing number of threats and growing severity when an incident does occur. To make matters worse, as technology evolves, threat actors will continue to develop more sophisticated strategies for carrying out cyberattacks. Even the most typical attacks, such as business email compromises (BECs), wire fraud, and ransomware attacks (which typically lead to data breaches), will be amplified, leading to greater business impact, damaged reputations, and much bigger paydays for the threat actors.

From a management perspective, threat actors have learned that organizations are no longer interested in paying, or compelled to pay, the ransom when a ransomware attack occurs. There is even more government scrutiny around ransom payments, making it more challenging for organizations to pay when attacked. Organizations are much savvier at properly securing and backing up data for business continuity, so at times, ransom payment isn't warranted because organizations can recover their data from backups.

Looking ahead to 2026, we'll see a shift in threat actor tactics in several ways. Cyber insurance carriers are under increasing pressure to provide value-added services that help safeguard their insureds' operations, as well as vendor partnerships that help protect the data, business function, and interests of their clients from the threat of a cyber incident. Many of the leading risks are already present but will evolve and further shape the future of cyber claims and risk management. Let's explore the top five cyber threats for insureds in 2026 and the strategies that carriers are adopting to mitigate the potential impact to their insureds.

Top 5 Cyber Threats in 2026

1. Double Extortion Method

We expect that threat actors will not only encrypt data in ransomware attacks but also steal data and threaten to publish it if the ransom isn't paid. And, because more organizations are backing up their data properly, threat actors may skip the encryption process altogether, take only sensitive data, and threaten to publish if the ransom isn't paid. This approach is more efficient for threat actors since they don't have to provide ongoing support in the decryption process, and it is more effective as organizations might have no choice but to pay, depending on the nature of the stolen data.

2. Continued Exploitation of Zero-Day Vulnerabilities

A zero-day vulnerability is a security flaw in technology that a threat actor can exploit before the vendor is aware. As we've seen more recently, zero-day exploitations are a proven way for threat actors to scale attacks to extort more money, especially when so many organizations rely on SaaS products and other outsourced and consolidated technology.

3. More Strategic and Sophisticated Attacks

Threat actors are likely to demonstrate more patience before striking, looking to make the biggest impact. In the past, threat actors attacked single organizations in hopes of a quick hit and then moved on if their efforts weren't fruitful. This approach can be laborious and make paydays uncertain.

Now, threat actors are more likely to target larger supply chains and vendors whose customers rely on that vendor's product. With these more targeted attacks on supply chains, we'll see threat actors access vulnerable networks (more often, via access brokers) and remain dormant and undetected for an extended time — maybe months — until the time is right to attack. They'll sit back, watch email traffic, monitor the network, and figure out who the organization's key players are, looking for the customers and key stakeholders before striking. They'll watch finances and become more strategic and credible when making ransom demands.

4. Continued Supply Chain and Vendor Attacks

With the increasing connectivity among organizations and consolidation of technology management solutions, vendors are a lucrative target. Threat actors can turn their attention to single points of failure with targeted attacks that impact the vendor and many more downstream customers (and those customers' customers).

Threat actors targeting the supplier or vendor can also leverage the attack by having the downstream customers put pressure on the victim vendor to pay the ransom because their business relies on that victim returning to normal operations. This evolving tactic resulted in huge payouts in 2024 and 2025 when the industry saw the Change Healthcare, CDK Global, and PowerSchool ransomware attacks — and currently, the Salesloft Drift cyber incident — that affected so many downstream customers.

With that single-point-of-failure strategy, other ancillary threat actors not involved in the direct supply chain/vendor attack will leverage the event to pose as vendor support — using phishing emails or impersonation in phone calls — gaining unauthorized access to attack and further exploit the situation and monetize quickly.

5. AI and Technological Advancements

Threat actors are beginning to leverage AI in several ways. For a while, they've been using generative AI (GenAI) to create more convincing social engineering attacks. They're generating more believable phishing emails that seem to be from a trusted colleague. The emails are also translated into various languages for use across the enterprise and at scale.

Phishing emails used to be easier to spot due to grammatical errors and low sophistication. Now AI is used to create these emails, removing the easy-to-spot flags and enabling more seamless social engineering.

Once threat actors are in a network, they use AI to review an organization's data more quickly to make more credible threats. Instead of taking the time to manually review internal documents to learn about the organization and its financials, threat actors are using AI to help expedite the review. This more sophisticated review could, perhaps, even find the cyber insurance policy or profits and losses (P&Ls), letting the threat actor make a credible demand: one that the threat actor knows the organization can afford to pay financially but can't afford not to pay from a data or operations perspective.

Additionally, threat actors are using AI to automate finding and exploiting vulnerabilities before they're patched. Using AI to write malicious code for ransomware attacks, threat actors make the ransomware industry more accessible to less-technical threat actors.

Strategies for Minimizing the Risk of Cyber Incidents

The traditional approach to insurance generally has been reactive, but over the years, we've seen cyber insurance evolve from being a reactive financial safety net to a proactive partner and enabler of cyber resilience. Cyber insurance carriers are forced to adapt, because the threat landscape isn't static. Now, most cyber insurance products include value-added services and continuous monitoring to prevent cyberattacks from occurring in the first place. Then, if needed, they engage highly skilled cyber claims experts who have the technical expertise to stop the bleeding and mitigate further exposure.

As the threat landscape constantly changes, the only way to try to stay ahead of the game is through active insurance with ongoing monitoring and threat detection. Carriers are adapting on the underwriting side by requiring very specific security measures, such as multifactor authentication (MFA), endpoint detection and response (EDR), patch management, dual authentication for wires, and other pre-policy risk assessments. Some may require potential policy holders to list their tech stack, managed service provider (MSP), or other tech vendors on which the organization relies.

And more than ever, we're seeing that many cyber carriers are integrating EDR and even managed EDR (MDR) tools as part of their offering and building in-house computer forensic teams to help respond when an incident occurs. In-house capabilities also allow carriers to use the forensic information they learn when investigating in the underwriting feedback loop and to better understand the current threat actor landscape, including their tactics, techniques, and procedures.

Partnering to Achieve Superior Outcomes

At Gallagher Bassett, our team of cyber experts balances the cyber industry's evolving threat landscape and how it uniquely impacts our clients' programs and goals, regardless of size, niche, or coverage. Serving a wide range of clients, including large carriers, self-insured entities, and risk pools, we lead with a commitment to excellence that prioritizes minimizing their risk, providing actionable insights, and driving superior claims outcomes for their cyber operations.
