Key Takeaways
- AI is lowering the barrier for sophisticated cyberattacks, dramatically speeding up breakout times and enabling new tactics such as deep‑fake social engineering and AI‑crafted ransomware.
- Non‑malicious cyber incidents now represent a quarter of all events, up from 11% in 2021, challenging traditional insurance assumptions and prompting underwriters to examine corporate governance alongside technical controls.
- Operational disruption—not ransom payments—typically accounts for the largest share of cyber losses, as illustrated by the $867 million business‑interruption impact of the 2024 Change Healthcare breach.
- Third‑party and supply‑chain vulnerabilities have become the top cyber‑resilience challenge, with nearly half of 2025 breaches involving external partners, leading insurers to demand detailed vendor risk assessments.
- Non‑breach privacy claims (e.g., illicit pixel tracking) and data‑breach class‑action lawsuits are growing rapidly, yet insurers frequently deny coverage by classifying them as intentional business decisions rather than accidental losses.
- Organizations often overestimate the scope of standard cyber policies, leaving gaps for social‑engineering fraud, IP infringement, defamation from AI‑generated content, and other emerging liabilities.
Overview of the Evolving Cyber Threat Landscape
The 2026 Lockton Cyber Threat Report highlights that cyber risks facing businesses have grown markedly more complex. Drivers include AI‑enabled attacks, geopolitically motivated intrusions, and an increasing proportion of losses stemming from companies’ own decisions rather than external threat actors. This shift forces risk managers to broaden their focus beyond technical defenses to encompass governance, strategic choices, and supply‑chain dependencies.
Surge in Non‑Malicious Incidents
Munich Re data cited in the report reveal that 25 % of cyber incidents in 2024 were non‑malicious, up from 11 % in 2021. These events—such as misconfigured cloud storage, accidental data exposure, or inadvertent sharing, or self‑inflicted system outages—are straining traditional coverage assumptions that assume most losses arise from malicious actors. Underwriters are now scrutinizing internal governance, change‑management processes, and employee training as part of their risk evaluation.
AI as a Force Multiplier for Attackers
Artificial intelligence has become a powerful accelerator for threat actors. CrowdStrike data referenced in the report show an 89 % increase in attacks leveraging AI, with average breakout times falling 70 % since 2021 to just 29 minutes, and the fastest recorded breakout occurring in only 27 seconds. By automating reconnaissance, exploit development, and evasion techniques, AI lowers the technical expertise required to launch sophisticated campaigns.
AI‑Enhanced Ransomware Tactics
In the ransomware domain, large language models enable modestly skilled actors to produce evasive malware that previously demanded deep coding expertise. AI can obfuscate code, generate polymorphic variants, and tailor payloads to bypass signature‑based defenses, thereby increasing the likelihood of successful encryption and extortion attempts.
Deep‑Fake and AI‑Driven Social Engineering
Business email compromise (BEC) and other social‑engineering fraud have been transformed by AI‑generated deep‑fake video and voice cloning. These tools allow attackers to impersonate executives or trusted partners with startling realism, often rivaling the effectiveness of classic phishing emails. The resulting fraud can bypass traditional email‑security gateways that rely on known malicious indicators.
AI for Data Exfiltration Analysis and Evasion
Beyond initial intrusion, AI accelerates the post‑breach phase. Threat actors use machine‑learning algorithms to rapidly sift through exfiltrated data, pinpointing high‑value records for ransom or extortion. Simultaneously, AI models help attackers identify patterns that trigger endpoint detection and response (EDR) alerts, allowing them to modify tactics in real time to avoid detection.
Liability Risks Stemming from AI Use
AI introduces distinct liability exposure beyond traditional breach scenarios. Models trained on copyrighted material can generate unauthorized reproductions, opening the door to intellectual‑property infringement claims. AI‑produced content that contains factual inaccuracies may lead to defamation suits. Moreover, employees who upload sensitive corporate data to public AI tools create privacy risks that fall outside conventional breach narratives, yet can trigger regulatory penalties and civil litigation.
Dual‑Use Risk Illustrated by Anthropic’s Mythos Model
The April 2026 decision by Anthropic to withhold its latest AI model, Mythos, from public release underscores the dual‑use nature of advanced AI. The company cited concerns that Mythos could be used to discover previously unknown software vulnerabilities, thereby amplifying offensive cyber capabilities. Lockton notes that such dilemmas force firms to weigh innovation benefits against potential security harms.
Business Interruption as the Primary Loss Driver
Operational disruption, rather than ransom payments, often constitutes the largest component of cyber losses. The 2024 Change Healthcare breach exemplifies this: the company incurred an estimated $867 million in business‑interruption losses, dwarfing the $22 million ransom paid. This disparity highlights the financial toll of downtime, lost productivity, and reputational harm that follow a cyber incident.
Statistics on Operational Disruption
An IBM‑Ponemon Institute study cited in the report found that 86 % of organizations experiencing a data breach reported operational disruption, with 76 % stating that recovery took more than 100 days. These figures reinforce the need for robust incident‑response planning, business‑continuity strategies, and cyber‑resilience investments that extend beyond simple data‑recovery capabilities.
Third‑Party and Supply‑Chain Risk Dominance
The World Economic Forum’s Global Cybersecurity Outlook 2026, referenced extensively in the Lockton report, identifies third‑party and supply‑chain vulnerabilities as the top challenge to cyber resilience. Verizon data show that 48 % of breaches in the year ending October 31, 2025 involved external parties, up from 30 % the prior year. Consequently, underwriters are tightening requirements, insisting on detailed vendor risk assessments, dependency mapping, and continuous monitoring of cloud providers, managed service partners, and SaaS platforms.
Underwriter Response to Supply‑Chain Exposures
In response to the rising third‑party threat, insurers are demanding greater transparency from policyholders. This includes documentation of vendor security controls, contractual obligations for breach notification, and regular audits of critical service providers. By aligning coverage conditions with rigorous supply‑chain risk management, insurers aim to mitigate the systemic risk posed by interconnected digital ecosystems.
Growth of Non‑Breach Privacy Claims
Non‑breach privacy claims represent one of the fastest‑growing areas of cyber‑related loss, particularly in the United States. Lawsuits alleging improper pixel tracking surged to 2,200 in 2025, according to Fisher Phillips data. A notable example is the September 2025 San Francisco jury verdict that awarded $425.7 million against Google for unauthorized tracking of users who had opted out of data collection.
Insurer Pushback on Coverage for Privacy Violations
Insurers frequently deny coverage for these non‑breach privacy claims, arguing that pixel tracking reflects deliberate business decisions rather than accidental incidents. Such conduct can trigger intent‑based exclusions embedded in many cyber policies, leaving companies exposed to substantial financial liability for what they perceive as routine marketing or analytics activities.
Escalation of Data‑Breach Class‑Action Litigation
Data‑breach class‑action lawsuits in the U.S. reached 1,488 in 2024—a staggering 1,265 % increase since 2018, per Duane Morris research. Plaintiffs’ attorneys are increasingly employing technicians to scan the dark web for stolen corporate data, sometimes filing suit before the victim organization has even detected a breach. This proactive litigation strategy amplifies financial and reputational pressure on affected firms.
Plaintiffs’ Use of Dark‑Web Intelligence
By leveraging dark‑web monitoring, plaintiffs can identify compromised credentials, personal data, or proprietary information that has been exfiltrated. Armed with this evidence, they allege negligence or violation of privacy statutes, often seeking damages for alleged harm even when the breached entity remains unaware of the incident. This trend underscores the importance of proactive threat‑intelligence capabilities and timely breach detection.
Common Misconceptions About Cyber Policy Scope
Many policyholders mistakenly assume that any loss involving computers or electronic devices falls under their cyber insurance coverage. This belief can create significant gaps, particularly for social‑engineering fraud, non‑breach privacy violations, intellectual‑property claims arising from AI‑generated content, and defamation suits. Organizations must carefully review policy language, endorsements, and exclusions to ensure alignment with their evolving risk profile.
Strategic Implications for Business Leaders
The Lockton 2026 Cyber Threat Report paints a picture of a threat environment where technical controls alone are insufficient. Leaders should integrate AI risk assessments into governance frameworks, invest in robust third‑party risk management, and develop comprehensive incident‑response plans that address both operational disruption and liability exposure. Regular policy reviews, coupled with clear communication of coverage limits to stakeholders, will be essential to navigate the widening spectrum of cyber risks in the coming years.