Features 05.01.2026

The Year Ahead: What 2026 Has in Store for CISOs and Cyber Insurance

We lay out five trends that we expect to move and shake the cyber insurance landscape in 2026

What can UK CISOs expect from the coming year in cyber insurance?

The past 12 months have reminded us that no industry does drama quite like cybersecurity. Billion-pound breaches, empty supermarket shelves, and government loan guarantees signal a risk landscape punctuated by headline-dominating breaches and near-existential events. All of which should make the case for cyber insurance stronger than ever. But things are never quite that straightforward.

Watch out for a hardening market

It’s been around three years since the UK exited the previous hard market in cyber insurance, but the warning signs of a return are already appearing. A trifecta of rate reductions, increased losses, and broader coverage is the perfect catalyst for such an event. The bad news is that there’s not much a CISO can do to plan for this, beyond keeping the evidence of controls current so that a renewal is not derailed when underwriting tightens. For the time being, enjoy the fact that rates will likely stabilise at relatively low levels.

Also, watch for a systemic cloud-related outage: a failure at a major cloud provider that takes large numbers of policyholders offline at once and causes extended downtime. A single event of that kind hits many policies simultaneously, which could lead reinsurers to panic, exit the market, and trigger a domino effect that impacts insurers.

That said, we should also see buyer levels increase this year. The government reckons just 45% of UK businesses had cyber insurance in 2025. We can expect figures to tick up, especially among SMEs, which have long treated coverage as a discretionary expense. As more breach stories hit the headlines, this will no doubt change.


Insurers get creative to woo customers

Unless we see a dramatic market correction, insurers are likely to continue finding new ways to attract buyers this year. These could include affirmative AI endorsements designed to cover losses caused by AI-powered attacks. There’s not much to say about this other than that it is largely a marketing gimmick. AI-assisted attacks are not fundamentally different from regular cyber attacks, so an existing policy should already cover them; what matters is the wording, not the label, so check that the policy carries no AI-related exclusion rather than paying for an endorsement. Still, the emergence of new endorsements reflects the intensifying competition for customers in today’s market.

We may similarly see more industry-specific add-ons to policies, such as “missed bid” endorsements in construction. If a company misses an opportunity to bid for a contract due to a cyber attack, the policy would pay out. As discussed in our look back at 2025, dependent customer interruption cover could also become more commonplace in the aftermath of the incidents at JLR and M&S. This will be particularly useful for small suppliers that depend on one or two large customers or partners.

Contractual changes as supply chain attacks surge

Another result of the massive supply chain breaches of 2025 could be a surge in copycat attacks on big players like JLR. The sheer chaos and financial damage that incident caused (to the tune of an estimated £1.9bn) will have digital extortionists drawing up a shortlist of targets on which they can inflict similar pain. The greater the disruption, the more likely victims are to pay, and the higher the potential ransom.

For the same reason, we might see an increase in legal action among companies in these supply chains, as smaller suppliers seek to recoup losses caused by a breach at a larger customer. Lawyers will review contracts to tighten definitions and coverage. Most organisations have a data breach indemnification clause in their contracts, but these clauses may not cover broader cyber incidents that cause downtime rather than data loss. Expect this to change.

We can also expect to see cases of data leaks and breaches caused by chatbots. According to one study, tools like Microsoft Copilot exposed around three million sensitive records per organisation during the first half of 2025 alone. The proliferation of shadow AI usage means the scale of the risk may not even be fully understood by IT. Although unrelated to AI, a recently settled multibillion-dollar lawsuit related to sensitive information disclosure points to the potential financial and reputational risks for firms.

Underwriters set to demand more

Insurers may still be competing for buyers, but that won’t stop underwriters from getting more granular about which controls they expect policyholders to have in place. When it comes to identity, having multi-factor authentication (MFA) alone will no longer suffice. SMS-based codes, which can be intercepted in transit and, like any one-time code, simply relayed by a phishing page that proxies the real login, will be ruled out, even as a fallback. Phish-resistant methods such as FIDO2/WebAuthn passkeys, where the credential is bound to the genuine site’s origin so a look-alike domain cannot obtain a usable login, could be the new baseline. Even so, the growing sophistication of phishing kits, including adversary-in-the-middle kits that capture the session token issued after a successful login, will require continued evaluation of where the line should be drawn. Insurers tend to be six months to a year behind the latest threat landscape trends in the controls they seek. But they get there eventually.
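To make the distinction between “MFA” and “phish-resistant MFA” concrete, the following is an added illustration, not code from the article: it models an adversary-in-the-middle phishing proxy against two logins. A one-time code typed into the proxy page relays straight through, while a WebAuthn assertion fails because the browser writes the real page origin into the signed client data and refuses to use the bank’s relying-party ID from a foreign domain. The domain names are assumed, an HMAC stands in for the authenticator’s signature, and attestation, signature counters and user-presence flags are omitted.

```python
"""Added illustration: why a one-time code relays through a phishing
proxy while an origin-bound WebAuthn assertion does not.
Simplified model: HMAC stands in for the authenticator signature (so the
'server' holds the same key it would normally hold a public key for);
attestation, counters and user presence are omitted."""
from __future__ import annotations

import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://bank.example"         # genuine relying party (assumed name)
PHISH_ORIGIN = "https://bank-login.example"  # attacker's proxy site (constructed)
RP_ID = "bank.example"                       # relying-party ID the bank registered keys under


def host_of(origin: str) -> str:
    """Return the host part of an https://host[/path] origin."""
    return origin.split("://", 1)[1].split("/", 1)[0]


# --- One-time codes: the server learns the code, not where it was typed -------
def server_verify_otp(expected: str, submitted: str) -> bool:
    return hmac.compare_digest(expected, submitted)


def aitm_relay_otp(expected_code: str) -> bool:
    """Victim reads the code from SMS/app and types it into the phishing page;
    the proxy forwards it to the real site inside the validity window."""
    typed_on_phish_page = expected_code
    return server_verify_otp(expected_code, typed_on_phish_page)


# --- WebAuthn: the browser, not the page, fixes origin and RP ID --------------
class Authenticator:
    """Holds the private key; signs rpIdHash || SHA-256(clientDataJSON)."""

    def __init__(self) -> None:
        self.key = os.urandom(32)

    def sign(self, rp_id_hash: bytes, client_data: bytes) -> bytes:
        msg = rp_id_hash + hashlib.sha256(client_data).digest()
        return hmac.new(self.key, msg, "sha256").digest()


def browser_get_assertion(auth: Authenticator, page_origin: str, rp_id: str,
                          challenge: str) -> dict | None:
    """Models navigator.credentials.get(): the browser rejects an RP ID that is
    not the page's host or a registrable suffix of it, and it writes the true
    origin into clientDataJSON, which page script cannot alter."""
    host = host_of(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None  # a real browser raises SecurityError here
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    return {"client_data": client_data, "rp_id_hash": rp_id_hash,
            "sig": auth.sign(rp_id_hash, client_data)}


def server_verify_assertion(auth: Authenticator, assertion: dict | None,
                            challenge: str) -> tuple[bool, str]:
    """The relying party's checks, in the order the WebAuthn spec lists them."""
    if assertion is None:
        return False, "no assertion produced"
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin {cd.get('origin')} not allowed"
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = auth.sign(assertion["rp_id_hash"], assertion["client_data"])
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    """Run the three scenarios and return their outcomes."""
    auth = Authenticator()
    challenge = os.urandom(16).hex()
    results = {"otp_relayed": aitm_relay_otp("482913")}  # constructed code
    # Legitimate login from the real origin succeeds.
    results["webauthn_real"] = server_verify_assertion(
        auth, browser_get_assertion(auth, REAL_ORIGIN, RP_ID, challenge), challenge)
    # Phishing page asks the browser for the bank's RP ID: the browser refuses.
    results["webauthn_phish_bank_rpid"] = server_verify_assertion(
        auth, browser_get_assertion(auth, PHISH_ORIGIN, RP_ID, challenge), challenge)
    # Phishing page uses its own RP ID: an assertion exists, but the bank rejects it.
    results["webauthn_phish_own_rpid"] = server_verify_assertion(
        auth, browser_get_assertion(auth, PHISH_ORIGIN, host_of(PHISH_ORIGIN), challenge),
        challenge)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point for the insurance conversation is that the origin and RP ID checks are what make a credential “phish-resistant”; the proxy never obtains a login it can replay. What the model does not cover is the residual risk the paragraph flags: a kit or infostealer that takes the session token issued after a genuine login on the real site, which is why the question of where underwriters draw the line does not end at the authentication step.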


Another key requirement for CISOs in 2026 will be third-party risk management controls. If they weren’t already mandated by new regulations like DORA, NIS2 and the forthcoming Cyber Security and Resilience Act, they will be by insurers. Increasingly, they will want to drill down into how organisations vet their suppliers and customers. And what kind of due diligence they’re doing on controls – annual questionnaires or continuous evaluation and external scans?

Data governance should be another area of focus for CISOs to limit the risk of AI-related data leakage. How well do they understand where data is stored, how it flows through and out of the organisation, and who has access to it? What controls are in place to prevent exfiltration, or at least sound the alarm? Data loss prevention tools and email encryption may be required. There could be greater scrutiny of supply chain contracts with data processors to ensure risks are appropriately managed.

Government will loom large over cyber

Let’s not forget the potential impact that the government might have on the cyber liability space in 2026. It’s ultimately the insurance sector’s job to help businesses mitigate and transfer the financial risk associated with cyber incidents. But sometimes those incidents are so big and systemic that the government has to step in. We saw this with JLR in 2025, when it guaranteed a commercial loan to the firm, in case JLR defaulted, so that the company could keep paying its suppliers. Might the government formalise such an approach, especially if another similar event occurs?

If it did, this might embolden threat actors to strike harder at organisations with large supply chains, as we suggested above. A proposed ban on ransomware payments by public sector and critical national infrastructure (CNI) organisations may have similarly unintended consequences. The government has stated that it is considering “national security exemptions” for such a policy. Wouldn’t this further encourage threat actors to target CNI firms, where outages could have catastrophic repercussions? In any case, if payments to these groups are banned, a black market is likely to emerge, driving the process underground.

Strap in for another wild ride

Whatever the next 12 months bring, CISOs will need to roll with the punches. It’s become almost impossible to predict how the threat landscape will shift. What we do know is that our adversaries have the advantage of surprise. The good news is that most cyber insurance policies should provide plenty of expert incident response support in the event of a worst-case scenario.
