Cyber insurance predicted to become mandatory as digital threat landscape grows: Kennedys

As the digital threat landscape becomes more volatile and disturbing, cyber insurance is expected to become mandatory for doing business, driven by pressure from large enterprise customers, according to market forecasts from Tom Pelham, global head of cyber and data, and Arran Roberts, partner at Kennedys.

In a recent report, the executives offered five predictions outlining how cyber threats will evolve, who will be targeted, and how corporate boards will eventually be forced to take notice.

The report predicts a shift in how cyber insurance is viewed, from optional to mandatory for doing business, similar to public liability policies.

Even smaller companies in the supply chain are expected to purchase cyber insurance as part of the tender process. Rapid growth in demand and changing perceptions are expected to move cyber insurance away from the “nice-to-have” realm, the report said.

Pelham and Roberts also predict that threat actors will use supply chains as a primary weapon, increasingly targeting smaller, less protected suppliers to reach larger companies and creating a domino effect.

“Threat groups know that taking down one key supplier, even a small one, can halt a global brand’s entire operations, giving them maximum leverage to demand ransom,” Pelham and Roberts said.

They added: “As governments and regulators require broader scrutiny of partners, focus on supply chains will intensify, making supplier risk management a top priority.”

Another prediction is that responsibility will shift to top management, so that network-related incidents are no longer viewed as purely IT problems.

Regulators such as the UK’s ICO will focus enforcement actions on directors and officers (D&O), requiring evidence that boards have made appropriate investments in security, instilled a security-focused culture and conducted rigorous vetting of their partners.

“Expect large fines and possibly even major lawsuits holding individual executives personally liable for data security negligence. This will force boards to treat cybersecurity as a fiduciary duty, ensuring it becomes a standing item on every board’s agenda,” the executives said.

Pelham and Roberts predict that as companies become more resilient and less willing to pay ransoms, threat groups will increase psychological pressure to force negotiations.

“We predict an increase in threats beyond invisible and remote networks, targeting executives and their families with intimidation, doxxing (posting of private information), and even physical threats,” they said.

Additionally, threat actors could leverage advanced artificial intelligence and deepfake technology to create highly damaging fabricated CEO videos or inject fake evidence of criminal activity into compromised data sets.

They added: “The goal is simple: threaten the stock price to plummet and damage the company’s reputation, forcing the company to pay to prevent fabricated but credible lies from being leaked.”

Executives say the crackdown on large threat groups like LockBit has muddied the attack ecosystem, leading to a surge in attacks by smaller, less sophisticated “Wild West” groups.

This fragmentation means attacks will become less targeted and more pervasive, targeting companies of all sizes based purely on opportunity. The report warns that no business can safely assume it is too small to be targeted.

Perhaps the most significant regulatory change in the UK is the formal ban on ransomware payments by all publicly funded entities.

This new legislation will create a unique list of UK organizations that are legally unable to pay ransom, forcing the public sector to quickly shift focus and budgets towards strong cyber resilience.

It is predicted that by 2026, suppliers to publicly funded entities will be subject to intense regulatory scrutiny. While the payment ban may not formally extend to the entire supply chain, these suppliers will face significant contractual pressure to adopt a “no payment” stance as well.
