According to Cowbell, a cyber and specialty insurance provider focused on small and medium-sized enterprises, the cyber insurance market is poised to continue growing at “great speed over 2026.”
Simon Hughes, Senior Vice President, Global Distribution & GM UK, Cowbell, commented, “Insurers are evolving from pure risk transfer to risk partnership. At Cowbell, for example, we’re embedding continuous risk assessment, offering policyholders real-time visibility of their cyber posture through data-driven tools.
“The underwriting approach has become more dynamic: coverage, limits, and conditions reflect a company’s live cyber hygiene rather than a static questionnaire. We’re also seeing growth in incident response readiness services being bundled into policies, so the support starts before a breach ever happens.”
In Cowbell’s 2026 predictions, the firm stated that attacks on both system failures and supply chains are growing. As more SMEs become digitally dependent on outsourced IT infrastructure, large-scale outages, and attacks will be more frequent.
The firm explained, “data is the new hostage,” while system failures and supply chain attacks rise, SMEs should expect attackers to pivot from locking systems to stealing sensitive data, creating longer, costlier recoveries.
Claud Bilboa, RVP Underwriting & Distribution, Cowbell, said, “This year, we are still largely seeing the same types of attacks, although threat actors’ tactics are evolving. We’ve continued to see a huge amount of ransomware, for example, although we’ve started seeing trends more towards data theft than full system encryption as threat actors recognise the value in PII – and expect this to continue into 2026. This pivot to data theft still carries a great deal of severity from a cost perspective and can also take years to conclude due to the time it typically takes to settle these matters with individuals and regulators. We are also seeing an increase in non-malicious cyber events (system failure events).”
Attackers are using artificial intelligence (AI) to adopt a forward-looking tech, upping their game and testing quantum-aware encryption for a post-quantum future, warned the firm.
Kirsten Maley, Director of Claims, UK, Cowbell, explained, “As AI becomes more accessible, the barriers to entry for attackers are falling, and we’re already seeing threat actors evolve their tactics as a result. Because of this, in 2026, I expect a clear rise in cybercrime and BEC, alongside more AI-driven activity as adversaries continue to grow in sophistication.”
Hughes added, “Deepfakes and generative AI have made phishing far more convincing and much easier to do. We’ve seen CFOs approve payments based on voice-cloned messages or synthetic emails. There are also early signs of quantum-aware encryption testing, as threat actors prepare for the post-quantum era.”
Sectors like manufacturing, healthcare, public sector, retail, and education remain irresistible to hackers and will continue to be top targets, according to the Cowbell team.
Hughes believes that the education sector is becoming increasingly exposed due to outdated systems and low cyber maturity, along with security-as-a-service vendors. As outsourced IT dependency grows, these tech firms have become a “gateway” into larger enterprises.
Bilboa said, “For a number of reasons, some of these sectors suffer from underinvestment and also have legacy and out-of-date systems within their IT/OT estates. They are popular targets owing either to the operational impact a cyber incident has on their business operations, the manufacturing sector is a great example of this, or the fact that they hold lots of very sensitive information, which is lucrative in the hands of threat actors. ”
While concluding, Bilboa emphasised that prevention is not a static topic; like many things in cyber, it is constantly evolving. His “message” to businesses is ‘It’s not if but when’.
Bilboa stated, “Invest in key controls, policies and procedures so that when you are faced with a cyber attack, you are in the very best position possible to navigate through it. Cyber insurance plays a pivotal role in this, too. Assessing what cybersecurity tools you use, along with further developing your policies and procedures, is something that should be addressed at least annually.
“In 2026, we may start to see a wider adoption of AI policies amongst businesses as they look to implement the use of AI within their own businesses. They too will need to consider the risks that this comes with; these could be privacy risks or the risk of shadow AI within their businesses.”
About the Author
