Cyber risk is becoming harder to underwrite, with systemic disruption, third-party exposure and faster attack cycles challenging insurers’ ability to price and manage losses. A joint report from AXA XL and Thales sets out how the cyber threat environment in 2026 is affecting risk modelling, governance and operational resilience, with implications for insurers, brokers and corporate buyers.
The report states that cyber incidents are no longer isolated events, with disruption spreading across interconnected systems and supply chains. Financial exposure is rising, with the global average cost of a data breach reaching US$4.44 million in 2025.
More than 12,000 confirmed breaches were recorded globally in the same year, while vulnerability disclosures continue at scale, with around 130 new common vulnerabilities and exposures published daily.
Attack speed is also changing the loss profile. The average breakout time — when an attacker begins moving within a network — has fallen to about 29 minutes, with the fastest observed at 29 seconds. This reduces the time available to detect and contain incidents once access is gained.
For insurers, that systemic disruption, rapid escalation and higher recovery costs are making it more difficult to define exposure boundaries and assess potential losses.
“This report reinforces a fundamental reality we are seeing across industries and regions: cyber resilience now extends well beyond technical controls. It requires disciplined governance, strategic foresight, and proactive risk management,” said Rebiah Girard-Bardot, head of cyber risk consulting services at AXA XL.
The findings point to increasing dependence on third-party systems, including cloud providers, managed services and supply chains. Attacks targeting shared technology providers or widely used platforms can affect multiple organisations at once.
Risk is no longer confined to corporate IT environments. Operational technology systems, including those used in manufacturing, logistics and infrastructure, are also being targeted. Disruption in these environments can lead to operational shutdowns and physical consequences.
Vendor access, cloud misconfiguration and extended supplier networks can increase the scale of impact from a single breach, complicating underwriting assumptions and policy structures.
Cybercrime is described as a structured and commercially organised ecosystem. Ransomware-as-a-service and other on-demand criminal services allow different actors to specialise in access, execution and negotiation.
Access broker activity increased by 50% through 2024, indicating that initial access to networks is being traded more widely. Artificial intelligence is also being used to automate phishing campaigns, generate exploit code and support impersonation attacks.
Deepfake voice and synthetic video tools are being deployed in social engineering campaigns, enabling attackers to imitate executives or trusted contacts. These methods increase the likelihood of successful intrusion and raise concerns about verification processes within organisations.
Cyber risk is also influenced by regulatory requirements and geopolitical developments. Privacy or cybersecurity regulations are now in place in 144 countries, with frameworks such as NIS2, DORA and the EU AI Act introducing stricter expectations for governance, reporting and risk management.
Survey data cited in the report shows that 96% of executives have adjusted their security posture in response to regulatory demands.
Geopolitical factors are contributing to exposure, with organisations facing threats linked to geography, sector alignment and supplier relationships. Critical infrastructure sectors, including energy, healthcare and transport, are identified as frequent targets for disruption.
The report outlines how advances in artificial intelligence, automation and quantum computing are influencing both attack methods and defensive planning.
AI is being deployed across enterprise functions while also enabling more scalable and credible cyber attacks. Interconnected systems and the use of IoT devices are increasing the number of potential entry points.
Looking ahead, quantum computing presents a longer-term risk to encryption. The report notes that organisations need to prepare for post-quantum cryptography, particularly in relation to long-life systems and data that may remain in use for years.
At the same time, 60% of breaches involve a human element, and many cloud security failures are linked to misconfiguration, indicating that operational practices continue to affect exposure.
The report identifies five areas for senior leaders: gaining visibility of digital assets and dependencies; extending oversight across third-party ecosystems; ensuring governance keeps pace with AI deployment; preparing leadership teams for crisis response; and developing a roadmap for post-quantum cryptography.
“In the face of the hyper-acceleration of cyber threats, Thales supports organisations at every stage — from strategy development to advisory and operational implementation — across the entire cybersecurity value chain, from risk identification to remediation,” said Christophe Bianco, vice president for Thales Cybersecurity Services.
AXA XL said its approach combines risk assessment, preparedness, protection and response within a single framework, linking advisory services with underwriting insight.
Cyber resilience now sits within enterprise governance and operational planning, influencing how organisations assess, transfer and manage risk across the insurance value chain.
