Deepfakes, data suppression, and what keeps CISOs awake
The cyber threat landscape is evolving at breakneck speed, and the challenges organizations will face in 2026 look dramatically different from those of even a year ago. To understand what’s coming, we gathered insights from Resilience’s leading cybersecurity and cyber insurance experts: Vishaal ‘V8’ Hariprasad, CEO; Dr. Ann Irvine, Chief Data and Analytics Officer; Chris Wheeler, CISO; David Meese, Director of Security Services; Chuck Norton, Senior Technical Security Advisor; Maria Long, Chief Underwriting Officer; Tom Egglestone, Head of International Claims; and Scott Tenenbaum, Head of North American Claims.
Their predictions paint a clear picture: 2026 will be defined by AI-amplified threats that exploit human vulnerabilities; a fundamental shift in ransomware tactics; the blurring line between private enterprise and national security; evolving insurance coverage landscapes; and the critical importance of resilience over prevention. Here’s what organizations need to know—and do—to prepare.
AI and the threat landscape
If there’s one prediction our experts agree on unanimously, it’s this: Artificial intelligence will fundamentally reshape cybersecurity in 2026, empowering both attackers and defenders in an escalating arms race. From deepfakes that fool even close colleagues to AI agents that autonomously discover vulnerabilities, the impact will be felt across every aspect of cyber defense.
Deepfakes reach a critical tipping point
The deepfake problem isn’t coming—it’s already here, and it’s accelerating faster than most organizations realize. David Meese warns that the quality of these attacks is reaching alarming levels of realism.
“The deepfake problem everyone was worried about two years ago is 100x worse today, and it’s going to be 100x worse in a year,” Meese says. “We’re already seeing AI-generated avatars and voices that are indistinguishable from the real thing. At DEF CON this year, teams used LLMs to run fully automated social engineering campaigns, calling real companies and successfully tricking employees into sharing information. It’s only going to get worse from here.”
Think about the implications: Attackers can now convincingly impersonate executives, colleagues, or trusted vendors in video calls. The traditional “human element as weakest link” problem is being exploited at a scale and sophistication we’ve never seen before.
AI lowers the barrier to entry for threat actors
Chuck Norton points out that AI isn’t just making attacks more sophisticated—it’s making them accessible to a broader range of threat actors.
“Attackers won’t need to change their social engineering playbooks in 2026; AI will simply help them do the same things better,” Norton says. “The human element is still the weakest link, and as generative tools improve, it’s becoming even easier to craft convincing lures. Even as new threats emerge, tricking someone into clicking a link or sharing access will remain the most reliable and profitable entry point.”
In practical terms, this means organizations can no longer rely on the technical incompetence or poor English skills of attackers as a warning sign. AI-powered tools can craft perfectly worded, contextually appropriate, and psychologically manipulative messages at scale.
The implications extend beyond social engineering. “Threat actors will use AI to rapidly scan open-source code for weaknesses,” Meese warns. “They’ll be able to suggest malicious patches that introduce new vulnerabilities. As AI tooling becomes more accessible, the speed and precision with which attackers identify exploitable flaws will accelerate, making secure software development and code review even more critical.”
AI adoption will create new vulnerabilities
The AI tools organizations are implementing to stay competitive could become their next attack surface. Chris Wheeler predicts 2026 will mark a watershed moment in AI-related security incidents.
“2026 will be the year we see the first meaningful breaches tied directly to AI—not attacks assisted by AI, but incidents that exploit weaknesses created by AI adoption,” Wheeler says. “Companies have accelerated adoption of large language models into their workflows, both via organic initiatives and vendor integration. Security tooling to protect these workflows is usually nascent or prohibitively expensive, which creates opportunity for mistakes and misuse, especially at companies with smaller security budgets.”
The rush to integrate AI is creating security gaps that threat actors are eager to exploit. “It’s a natural byproduct of technological transition,” Wheeler adds. “The tools are evolving faster than the security frameworks protecting them.”
These security gaps aren’t just opening doors for external attackers—they’re also creating a new category of internal risk. Long identifies emerging privacy violations that will generate unexpected claims in 2026, particularly incidents that don’t fit the traditional data breach mold.
“What’s old is new,” Long says, emphasizing that many organizations have neglected basic acceptable use policies in their rush to deploy AI. The problem stems from employees using AI tools without understanding the privacy implications. “In a rush, they prefer efficiency over being thoughtful,” Long explains. “For example, someone might take an internal document and put it in ChatGPT to analyze, exposing PII in the process.”
The risks extend beyond external AI tools. Long points to scenarios where one employee could query about another employee via internal GenAI tools if provisioning isn’t properly managed. These aren’t traditional data breaches—they’re privacy violations that occur through authorized system use, creating complex questions about coverage and liability.
Scott Tenenbaum, Resilience’s Head of North American Claims, expects these risks to accelerate an already mounting wave of privacy litigation. “An entrepreneurial plaintiff’s bar is weaponizing everything from new laws like the California Invasion of Privacy Act to decades-old wiretapping statutes and targeting companies over routine website technologies—cookies, pixels, standard tracking tools,” Tenenbaum says. “It’s ambulance-chasing at scale. Since most companies settle for nuisance value rather than pay legal fees to fight in court, we’ll see this trend intensify throughout 2026 before it improves.”
Ransomware evolution
Ransomware has been the number one cause of loss in the Resilience portfolio for years—and our experts don’t expect that to change. In fact, they expect that ransomware will further transform in 2026, leaning into patterns that we’ve observed starting in 2025.
Ransomware will shift from encryption to data suppression
Traditional ransomware encrypted your data and demanded payment for the decryption key. But threat actors are increasingly skipping that step entirely.
“We’re already seeing threat actors skip encryption entirely and demand money just to avoid leaking stolen data,” Dr. Irvine says. “It’s creating a strange grey zone where it’s unclear what a company is paying for or how it fits under existing regulations.”
This shift is significant. When data is encrypted, organizations with solid backups can recover. But when the threat is data exposure—customer information, trade secrets, or sensitive communications leaked to the public or competitors—backups don’t help.
Hybrid extortion models will multiply pressure points
Tom Egglestone, Resilience’s Head of International Claims, sees this evolution becoming even more sophisticated. Rather than a simple shift from one tactic to another, he predicts criminals will combine multiple tactics to maximize leverage.
“Cyber extortion is entering its next phase,” Egglestone says. “By 2026, attacks will no longer rely solely on encryption or data theft but will combine multiple tactics in sequence. Adversaries are discovering that the most effective leverage comes from sustained, multi-layered disruption that touches every part of an organisation’s operations. Increasingly, we will see ‘portfolio extortion,’ where criminals target not only a company but also its subsidiaries, suppliers, and customers simultaneously. This creates a network of pressure that accelerates both reputational and operational harm.”
From an insurance perspective, this evolution means resilience rather than recovery will define preparedness. “In the comprehensive market environment, widespread increases in baseline security requirements are unlikely, but policyholders that can demonstrate stronger visibility into supply chains will be able to take advantage,” Egglestone explains. “Insurers may shift to rewarding organizations that integrate continuous threat monitoring and business continuity planning into their cyber risk strategies.”
Litigation will follow every incident
Scott Tenenbaum adds another dimension to the ransomware threat: the legal aftermath that now accompanies virtually every incident. “In 2026 in the United States, organizations should continue to anticipate that litigation will follow most cyber incidents, sometimes almost immediately—within days of an event taking place,” Tenenbaum warns. “Companies will barely have time to understand what happened before they’re defending multiple legal fronts.”
This reality fundamentally changes incident response planning. It’s not enough to restore systems and notify affected parties—organizations must simultaneously prepare for legal defense, often while still investigating the breach.
The ransom payment debate will intensify
This evolution is forcing an uncomfortable conversation in the cybersecurity and insurance communities. A recent high-profile example has brought this issue to the forefront.
“Salesforce’s public refusal to pay a ransom demand will set the tone for a larger reckoning around extortion and ransom payments,” Irvine says. “Expect a much louder debate in 2026 about what’s ethical, what’s legal, and what’s insurable.”
Should organizations pay to suppress data leaks? What are the ethical, legal, and practical implications? The industry needs answers, and 2026 may be the year we finally have this debate in earnest.
Threat actors will lose leverage as organizations strengthen backups
Interestingly, there’s also a glimmer of hope on the horizon. “In 2026, threat actors will lose some leverage when it comes to data encryption as organizations continue to strengthen their backups and incident response plans,” Irvine notes. “When companies can quickly restore systems and data, the value of encryption-based extortion plummets. We’ll see fewer companies feeling compelled to pay for data suppression because they’ll be better equipped to recover and move on.”
David Meese sees a potential path to significantly reducing the ransomware threat altogether through legislative action combined with improved organizational resilience. However, Norton reminds us that the fundamentals of the threat remain unchanged: “Attackers will use AI to identify vulnerabilities and automate parts of the extortion process, making operations faster and more profitable. But the real story in 2026 will be about efficiency, not novelty. The fundamentals haven’t changed—if there’s money to be made, threat actors will find a way to make it.”
Third-party risk
As organizations strengthen their internal security posture, attackers are increasingly targeting the path of least resistance: third-party vendors and service providers.
Third-party risk will dominate headlines
Chris Wheeler predicts this trend will intensify. While many organizations have strengthened their own defenses, their data increasingly lives in centralized third-party platforms like CRMs, cloud providers, and managed service environments—which remain attractive targets for attackers.
“Third-party risk will dominate headlines in 2026,” Wheeler says. “Even if individual organizations are more resilient, their partners and vendors may not be, and that exposure will drive some of the biggest incidents next year.”
It’s a frustrating paradox: as you improve your own security, you become more dependent on the security of your vendors, over which you have limited control.
Ann Irvine emphasizes the urgency of this challenge.
“Ecosystem risk will be the #1 thing that keeps CISOs up at night,” Irvine says. “Companies are realizing that much of their exposure sits outside their own walls, with vendors and service providers they don’t control. In 2026, we’ll see a greater emphasis on contingency planning, cross-team collaboration, and ensuring that insurance policies reflect those dependencies.”
Service disruptions will erode customer trust
Tom Egglestone adds a critical dimension to the third-party risk discussion: the impact on customer relationships. When vendor incidents cascade through your operations, the damage extends far beyond data exposure.
“As cyber hybrid extortion models evolve, businesses will need to not only protect their data but also ensure they don’t damage the customer experience during a breach,” Egglestone says. “Disruptions in services, especially those affecting customer-facing systems like e-commerce, financial services or healthcare, have a direct and eroding effect on customer trust and erode loyalty.”
This perspective reveals why third-party dependencies matter so much. It’s not just about whether your data is exposed—it’s about whether your customers can still do business with you, and whether they’ll trust you afterward. “Businesses that demonstrate a proactive, transparent approach to managing these risks will be better positioned to maintain customer trust even in a crisis,” Egglestone notes.
The insurance market
As AI reshapes the threat landscape, the cyber insurance market will undergo its own significant transformation. Maria Long, Resilience’s Chief Underwriting Officer, predicts that 2026 will bring major shifts in how AI-related exposures are covered—and who bears the risk.
Coverage creep will intensify as other products exclude AI
One of the most significant market shifts Long foresees is a wave of coverage migration that will push AI exposures onto cyber and Tech Errors and Omissions (E&O) policies.
“ISO has filed absolute AI exclusions for general commercial liability and for completed products/operations, effective January 2026,” Long explains. “This may place more exposure on Tech E&O and Cyber policies, as well as standalone AI policies.”
The pattern is familiar to anyone who’s watched the cyber insurance market evolve over the past decade. As traditional insurance products exclude emerging risks, those exposures don’t disappear—they simply migrate to cyber policies, often through ambiguous policy language that wasn’t designed with these risks in mind.
The soft market will create pressure to overextend
The timing of these coverage shifts couldn’t be more challenging. “The market is quite soft right now, and with persisting capacity growth and carriers eager for market share, the market may very well overextend with respect to affirmative AI coverage,” Long warns.
In a soft market environment, insurers face intense broker pressure to address silent AI coverage and amend policies to fill perceived gaps. Long predicts that some markets may race to offer AI coverage to gain market share, potentially before they fully understand or can adequately price the exposures they’re taking on.
This dynamic creates a familiar but dangerous cycle: competitive pressure leads to overly broad coverage grants, which eventually result in unexpected losses and subsequent market corrections.
The challenge is particularly acute because, as Long notes, “some exposures don’t have a home.” Traditional insurance markets are better regulated and can more easily exclude AI-related risks, leaving insureds potentially going bare on certain exposures.
“They’re going to turn to our market for coverage for it,” Long explains. “If cyber doesn’t take it on, where does it go?”
The likely outcome: the industry will respond with small sublimits for AI-specific risks, forcing organizations to become more selective about which AI exposures they can afford to retain versus transfer.
Tech E&O will face unique AI challenges
From a Tech E&O perspective, Long sees exposures beyond just efficiency-driven attack vectors. What happens when organizations use a plugin that accesses or steals their data? Where does the liability sit when a media company violates privacy through an AI tool?
There’s also an increasing need for identity verification driven by AI and social media proliferation.
“Tech companies have to collect a lot of information to validate who people are,” Long notes. She points to Tools for Humanity, Sam Altman’s venture that collects highly sensitive biometric data to prove users are human—a direct response to AI making it impossible to distinguish real from synthetic content online.
“That means they’re absorbing a ton of sensitive information,” Long says. “There’s increasing privacy exposure because tech companies are doing this to solve for the very problems that AI created.”
Operational impact and litigation will become dominant cost drivers
Scott Tenenbaum says operational impact and litigation will fundamentally reshape the cyber insurance landscape in 2026. From a claims perspective, business income losses following cyber incidents are increasingly rivaling or even exceeding direct response costs. This holds true whether the incident hits the organization directly or impacts a critical vendor.
On the litigation front, Tenenbaum sees a growing wave of lawsuits that shows no signs of slowing. Beyond breach-related claims, there’s a separate surge in privacy violation cases that aren’t tied to traditional security incidents. The mounting costs of legal defense and settlements are becoming a critical factor that insurers must weigh when evaluating cyber risk and determining coverage terms.
“It takes time to understand the complete financial picture of a cyber incident,” he adds. “Forensic accounting, litigation, or a combination of both means claim files stay open much longer than they used to. What was once a short-tail risk now routinely extends two to three years or more. Underwriters and actuaries need to factor in this extended timeline.”
Underinsurance will become impossible to ignore
As cyber exposure grows, Tom Egglestone predicts that the gap between actual risk and insurance coverage will widen to dangerous levels—with consequences that extend beyond just financial shortfalls.
“The widening gap between cyber exposure and insurance coverage will become impossible to ignore in 2026,” Egglestone says. “As the financial and regulatory scrutiny of cyber resilience increases, businesses will find their policies do not adequately reflect their true value at risk. Underinsurance will emerge as both a financial and governance issue, testing how well companies understand the economic consequences of disruption.”
The market response, according to Egglestone, will place the burden squarely on organizations to demonstrate their understanding of their own risk. “Insurers and brokers will likely respond by refining their underwriting models and emphasising quantification,” he explains. “When they know where their remains value at question or mandated disclosures are less likely. Instead, the emphasis will fall on businesses choosing to strengthen their own quantification and visibility to secure more tailored risk transfer options.”
For organizations that can articulate their risk clearly—especially around emerging scenarios like supply chain infrastructure and residual risk—better placement will follow. Those that can’t may find themselves seriously underinsured when an incident strikes.
The regulatory climate will provide temporary breathing room
Interestingly, Long predicts that the current geopolitical climate—which has shifted from consumer protection toward innovation—may mean less immediate regulatory pressure than some expect. “We’re in an innovation phase right now,” she explains. “The thought is that we won’t see a super litigious plaintiff’s bar or extremely active regulatory bodies initially.”
This doesn’t mean the risks disappear—it just means they may take longer to materialize into claims, potentially creating a false sense of security in the near term.
Cyber warfare and national security
The line between private enterprise and national security will blur
Vishaal Hariprasad predicts a fundamental shift in how we think about cyber attacks and who is responsible for defending against them. As attacks increasingly threaten critical infrastructure and economic stability, the boundary between private sector concerns and national security issues will become indistinguishable.
“In 2026, governments and businesses alike will have a renewed and necessary conversation about what exactly constitutes an act of cyberwar and who bears responsibility for the fallout,” Hariprasad says. “We’re fast approaching a point where ambiguity around cyber warfare is no longer sustainable, and without the proper guardrails organizations remain exposed to risks they can’t predict or absorb.”
Government intervention will shift from optional to essential, likely leading to new frameworks that clarify when and how authorities should step in during major cyber incidents. The stakes are simply too high for continued ambiguity.
This evolution will also reshape the role of cyber insurance. According to Hariprasad, insurers will serve as a crucial bridge between government and private sector defense in 2026. Their unique vantage point—seeing firsthand which threats cause the most economic damage—positions them to help identify and prioritize the most disruptive risks while providing financial protection that enables organizations to bounce back, not just respond.
What organizations must do now
Given these predictions, what should organizations do to prepare for 2026? Our experts agree: shift your mindset from prevention to resilience.
Assume breach, plan for recovery. David Meese offers what may be the most important advice for 2026: “More important than trying not to get hacked is making sure when you are hit, you can get back up and get running quickly. Make sure that your backup strategy protects your data from threat actors. If you have those things, when they try to extort you, you can tell them to pound sand.”
Master third-party risk. As Dr. Irvine advises, assume vendor incidents will happen and have contingency plans ready. Map your dependencies to understand cascading impacts and ensure you’re insured against those risks.
Prepare for litigation. Scott Tenenbaum’s predictions underscore the need to plan for legal defense as part of incident response. Organizations should work with legal counsel in advance to understand their exposure, review their insurance coverage for appropriate limits to manage operational impact loss and litigation costs, and establish processes for rapid legal mobilization when an incident occurs.
Quantify your exposure. Egglestone’s warning about underinsurance underscores the need for organizations to truly understand their value at risk. This means going beyond checkbox security assessments to genuinely quantify what a cyber incident would cost—not just in recovery expenses, but in business disruption, customer loss, and operational downtime.
Never neglect the fundamentals. Chuck Norton reminds us that flashy new threats don’t negate basic security principles. “Good cyber hygiene is like brushing your teeth: do it consistently, and you’ll avoid most of the pain later.” Multi-factor authentication, regular patching, network segmentation, and security awareness training still matter—organizations that neglect these basics while chasing sophisticated solutions are building on sand.
The cyber threat landscape of 2026 will be more complex and challenging than ever before. But with the right mindset—one focused on resilience, preparation, and practical security measures—organizations can not only survive but thrive. The path forward requires acknowledging AI-amplified threats, understanding the blurring line between private enterprise and national security, preparing for evolving ransomware tactics, mastering fundamentals while planning for vendor incidents, and staying clear-eyed about the shifting insurance landscape.





