Cyber Extortion Will Test Insurance Leadership at Every Level in 2026

Tom Egglestone, Head of Claims International at Resilience, takes a look at cyber risks:

Cyber extortion is entering a more complex and financially consequential phase. This year, it will increasingly present as more than a single insurable event. Attacks will rely less on one tactic such as data encryption or theft, and instead combine operational disruption, data manipulation and reputational pressure in sustained campaigns designed to maximise leverage and prolong uncertainty for victims and their constituents.

This evolution matters not only for risk managers and boards, but for insurers and brokers who must assess, price and transfer an increasingly systemic form of cyber risk, and for organisations that must rethink how they prepare for, govern and insure against such threats.

From single-loss events to systemic exposure

In 2026, hybrid extortion models have already replaced traditional ransomware attacks; in Resilience’s portfolio, 65% of extortion demands involved data theft without encryption. Only 13% of attacks featured encryption as a primary tactic; the remainder used encryption as leverage in initial extortion attempts and data suppression as the secondary. Threat actors will layer multiple tactics over time, targeting operational continuity, stakeholder confidence and leadership decision-making. The emergence of portfolio extortion further expands the risk, with attackers simultaneously targeting subsidiaries, suppliers and customers to accelerate payment and compound reputational damage.

This pattern was already visible in the closing months of 2025, when several high-impact extortion campaigns moved beyond simple encryption to sustained pressure across supply chains, shared service providers and even clients, reinforcing the systemic nature of the threat.

From an insurance perspective, this marks a move from isolated insured events to correlated exposure across interconnected insureds and third parties. While competitive market conditions are expected to continue limiting broad increases in insurer requirements, underwriting models will become increasingly sensitive to visibility around supply chain dependencies and operational risks.

Resilience over recovery in cyber underwriting

The growing complexity of extortion is reinforcing a key underwriting trend this year. Resilience is becoming a more meaningful indicator of preparedness than recovery capability alone.

Organisations that can sustain critical services during an incident, particularly customer-facing systems in sectors such as financial services, healthcare and e-commerce, will materially reduce both loss severity and reputational fallout. From an insurer’s standpoint, this will directly influence expected loss, claims volatility and tail risk.

As a soft market for cyber premiums persists, there is strong potential for gaps to develop in organisations’ preparedness as they assume they can fall back on insurance to cover losses. CISOs may focus on compliance, trusting their policy to protect them, leading to the potential for underinsurance.

Underinsurance and the failure to quantify risk

As cyber losses continue to escalate, underinsurance is set to remain a persistent and structural issue in 2026. Many organisations are entering this year with cyber limits that do not reflect their true exposure to prolonged disruption, customer attrition or reputational damage.

This is not solely a function of market capacity or pricing. Underinsurance often reflects an absence of quantified risk understanding. Where organisations cannot model loss scenarios or articulate the financial impact of downtime and data compromise, insurance limits are frequently set without a clear economic rationale.

For insurers and brokers, this will continue to create friction at both placement and claims stages, particularly when loss duration and secondary impacts exceed original assumptions. Conversely, organisations that invest in quantification and exposure visibility will be better positioned to secure tailored risk transfer and manage residual risk with greater certainty.

Data integrity as an emerging loss driver

In 2026, the focus of cyber extortion is set to shift further from data theft to data integrity. From our experience of managing incidents, which already present unique challenges from case to case, the nightmare scenario for 2026 isn’t a locked system, but a corrupted one. When an attacker quietly alters financial or operational data, the ‘recovery’ isn’t just a matter of restoration; it’s a significant (and likely expensive) hunt for the truth.

For insurers, this will increasingly challenge conventional definitions of cyber loss. The cost will no longer be limited to ransom payments or system restoration, but may include forensic validation, operational verification and long-term remediation of corrupted environments, often extending well beyond initial incident response.

Over time, coverage considerations are likely to evolve to reflect these realities. Organisations that can demonstrate data integrity controls, independent validation mechanisms or immutable records will be better positioned from both a risk and underwriting perspective.

Regulatory developments, including the proposed UK Cyber Security and Resilience Bill currently under consideration, and emerging ransomware-related proposals, are expected to reinforce expectations around data integrity, disclosure and loss transparency. Recent UK government initiatives focused on strengthening the resilience of public digital services, backed by £210 million in funding, further underline how continuity and integrity are becoming policy priorities, even where obligations do not yet extend to the private sector.

Extortion pressure moves to the board level

As transparency and disclosure requirements continue to increase this year, extortionists are expected to place greater focus on boards and executives. Timed leaks, fabricated communications and AI-enabled impersonation will exert significant pressure when aligned with earnings announcements, transactions or regulatory filings. We have already seen this in recent UK matters, where senior leaders of an affected entity have received calls from the hackers to increase pressure.

From an insurance standpoint, this expands extortion risk beyond technical compromise to include reputational, disclosure and market impacts. While current market dynamics in 2026 make immediate policy restructuring unlikely, boards are increasingly expected to seek advisory support that integrates cyber risk, governance and crisis communications before incidents occur, not only after claims are notified.

Insurers that support board-level scenario planning and crisis simulation will help bridge the gap between technical risk and executive decision-making, strengthening the insurer–insured relationship in the process.

Implications for the cyber insurance market

These developments underline a broader shift in how cyber risk will be understood and transferred in 2026. Cyber extortion is no longer a narrow coverage issue. It is becoming an exposure that tests resilience, leadership and financial preparedness.

For insurers, the challenge this year lies in balancing competitive pressures with the need to accurately reflect systemic risk without undermining market confidence. For insureds, the imperative is clear. Visibility, quantification and resilience are becoming prerequisites for effective risk transfer.

As cyber extortion continues to evolve through 2026, the organisations that navigate it most effectively will be those that treat insurance not as a standalone product, but as part of a broader resilience framework grounded in governance, operational continuity and informed leadership decision-making.

About alastair walker 19039 Articles
20 years experience as a journalist and magazine editor. I'm your contact for press releases, events, news and commercial opportunities at Insurance-Edge.Net
