With today’s reliance on digital capabilities to conduct business, the risk of cyberattacks and cyber-related incidents is greater than ever. Organizations are experiencing an increasing number of threats and growing severity when an incident does occur. To make matters worse, as technology evolves, threat actors will continue to develop more sophisticated strategies for carrying out cyberattacks. Even the most typical attacks, such as business email compromises (BECs), wire fraud, and ransomware attacks (which typically lead to data breaches), will be amplified, leading to greater business impact, damaged reputations, and much bigger paydays for the threat actors.
From a management perspective, threat actors have learned that organizations are no longer interested in paying, or compelled to pay, the ransom when a ransomware attack occurs. There is even more government scrutiny around ransom payments, making it more challenging for organizations to pay when attacked. Organizations are much savvier at properly securing and backing up data for business continuity, so at times, ransom payment is not warranted because organizations can recover their data from backups.
Looking ahead to 2026, we will see a shift in threat actor tactics in several ways, and cyber insurance carriers are under increasing pressure to provide value-added services that help safeguard their insureds’ operations, as well as vendor partnerships that help protect the data, business function, and interests of their clients from the threat of a cyber incident. Many of the leading risks are already present but will evolve and further shape the future of cyber claims and risk management. Let’s explore the top five cyber threats for insureds in 2026 and the strategies that carriers are adopting to mitigate the potential impact to their insureds.
Top 5 Cyber Threats in 2026
- Double Extortion Method: We expect that threat actors will not only encrypt data in ransomware attacks but also exfiltrate (steal) data and threaten to publish it if the ransom is not paid. And, because more organizations are backing up their data properly, threat actors may skip the encryption process altogether, only exfiltrate sensitive data, and threaten to publish if the ransom is not paid. This is more efficient for threat actors since they do not have to provide ongoing support in the decryption process, and it is more effective as organizations might have no choice but to pay, depending on the nature of the stolen data.
- Continued Exploitation of Zero-Day Vulnerabilities: A zero-day vulnerability is a security flaw in technology that a threat actor can exploit before the vendor is aware of it. As we have seen more recently, zero-day exploitation is a proven way for threat actors to scale attacks to extort more money, especially when so many organizations rely on SaaS products and other outsourced (and consolidated) technology.
- More Strategic and Sophisticated Attacks: Threat actors will likely begin to demonstrate more patience before striking, looking to make the biggest impact. In the past, threat actors attacked single organizations in hopes of a quick hit and then moved on if their efforts were not fruitful. This can be laborious and make paydays uncertain. Now, threat actors are more likely to target larger supply chains and vendors whose customers rely on that vendor’s product. With these more targeted attacks on supply chains, we will see threat actors access vulnerable networks (more often, via access brokers) and remain dormant and undetected for an extended time—maybe months—until the time is right to attack. They will sit back, watch email traffic, monitor the network, and figure out who the organization’s key players are, looking for the customers and key stakeholders before striking. They will watch finances and become more strategic and credible when making ransom demands.
- Continued Supply Chain and Vendor Attacks: With the increasing connectivity among organizations and consolidation of technology management solutions, vendors are a lucrative target. Threat actors can turn their attention to single points of failure with targeted attacks that impact the vendor and many more downstream customers (and those customers’ customers). Threat actors targeting the supplier or vendor can also gain leverage from the attack by having the downstream customers put pressure on the victim vendor to pay the ransom, because their business relies on that victim returning to normal operations. This is an evolving tactic that resulted in huge payouts in 2024 and 2025, when the industry saw the Change Healthcare, CDK Global, and PowerSchool ransomware attacks and, currently, the Salesloft Drift cyber incident, which affected so many downstream customers. With that single-point-of-failure strategy, other ancillary threat actors not involved in the direct supply chain/vendor attack will leverage the event to pose as vendor support (via phishing emails or impersonation in phone calls), gaining unauthorized access to attack, further exploit the situation, and monetize quickly.
- AI and Technological Advancements: Threat actors are beginning to leverage AI in several ways. For a while now, they’ve been using Generative AI (GenAI) to create more convincing social engineering attacks. They are generating more believable phishing emails that read in the tone and style of a trusted colleague. The emails are also translated into various languages across the enterprise and at scale. Phishing emails used to be easier to spot due to grammatical errors and low sophistication. Now AI is used to create these emails, removing the easy-to-spot flags and enabling more seamless social engineering. Once threat actors are in a network, they use AI to review an organization’s data more quickly to make more credible threats. Instead of manually reviewing internal documents to learn about the organization and its financials, which takes time, threat actors are using AI to help expedite the review. This more sophisticated review could, perhaps, even find the cyber insurance policy or P&Ls and make a credible demand, one that the threat actor knows the organization can afford to pay from a financial perspective and can’t afford not to pay from a data or operations perspective. Additionally, threat actors are using AI to automate finding and exploiting vulnerabilities before they are patched. By using AI to write malicious code for ransomware attacks, threat actors make the ransomware industry more accessible to less-technical threat actors.
Strategies for Minimizing the Risk of Cyber Incidents
Generally speaking, the traditional approach to insurance has been reactive, but over the years, we’ve seen cyber insurance evolve from being a reactive financial safety net to a proactive partner and enabler of cyber resilience. Cyber insurance carriers are forced to adapt, because the threat landscape is not static. Now, most cyber insurance products out there include value-added services and continuous monitoring to prevent cyberattacks from occurring in the first place. Then, if needed, they engage highly skilled cyber claims experts who have the technical expertise to stop the bleeding and mitigate further exposure.
As the threat landscape constantly changes, the only way to even try to stay ahead of the game is through active insurance with ongoing monitoring and threat detection. Carriers are adapting on the underwriting side by requiring very specific security measures, such as multifactor authentication, endpoint detection and response (EDR), patch management, dual authentication for wires, and other pre-policy risk assessments. Some may require potential policyholders to list out their tech stack, managed service provider, or other tech vendors the organization relies on.
And more than ever, we are seeing that many cyber carriers are integrating EDR and even managed EDR (MDR) tools as part of their offering and building out in-house computer forensic teams to help respond when an incident occurs. In-house capabilities also allow carriers to feed the forensic information they learn during investigations into the underwriting feedback loop and to better understand the current threat actor landscape, including threat actors’ tactics, techniques, and procedures.
Partnering to Achieve Superior Outcomes
At Gallagher Bassett, our team of cyber experts balances the cyber industry’s evolving threat landscape and how it uniquely impacts our clients’ programs and goals, regardless of size, niche, or coverage. Serving a wide range of clients, including large carriers, self-insured entities, and risk pools, we lead with a commitment to excellence that prioritizes minimizing their risk, providing actionable insights, and driving superior claims outcomes for their cyber operations. Contact us to find out how we can help keep your business safe and secure.
