As the digital threat landscape becomes more volatile and unsettling, cyber insurance is predicted to become a mandatory requirement for doing business, driven by pressure from large corporate clients, according to market predictions by Tom Pelham, Global Head of Cyber and Data, and Arran Roberts, Partner at Kennedys.

The report predicts a shift in perception regarding cyber insurance, going from being optional to becoming a mandatory requirement for doing business, similar to public liability policies.
Even smaller companies within the supply chain will be expected to procure cyber insurance as part of the tender process. A rapid increase in demand and a shift in perceptions that moves cyber insurance away from “nice to have” territory is expected, according to the report.
Pelham and Roberts also predict that the supply chain will be used as a primary weapon by threat actors, who will increasingly breach major corporations by targeting smaller, less protected suppliers, creating a domino effect.
“Threat groups know that taking down a crucial vendor, even a small one, can stop the entire operation of a global brand, giving them maximum leverage to demand a ransom,” Pelham and Roberts stated.
They added: “As governments and regulators demand more extensive vetting of partners, this focus on the supply chain will intensify, making vendor risk management a top priority.”
Another prediction is the shift of accountability to the C-suite; as a result, cyber-related incidents will stop being seen as solely IT problems.
Regulators, like the UK’s ICO, will focus their enforcement actions on Directors and Officers (D&O), demanding proof that the board has invested properly in security, instilled a security-minded culture, and rigorously audited its partners.
“Expect to see significant fines and, potentially, major lawsuits holding individual executives personally accountable for data security negligence. This will force boards to treat cybersecurity as a fiduciary duty, ensuring it is a standing item on every board agenda,” the executives said.
As companies become more resilient and less inclined to pay ransoms, Pelham and Roberts predict that threat groups will ramp up psychological pressure to force negotiations.
They said: “We predict an increase in threats that extend beyond intangible and remote networks, targeting executives and their families with intimidation, doxing (publishing private information), and even physical threats.”
Furthermore, advanced AI and deepfake technology could be leveraged by threat actors to produce highly damaging, fabricated videos of CEOs or to inject forged evidence of criminal activity into compromised data sets.
“The goal is simple: threaten to crash the stock price and destroy the company’s reputation, forcing a payment to prevent the release of the fabricated, yet believable, lie,” they added.
According to the executives, the takedowns of large threat groups like LockBit have made the attack ecosystem more chaotic, leading to a surge in attacks from smaller, less-sophisticated “Wild West” groups.
This fragmentation means attacks will be less targeted and more pervasive, hitting companies of every size based purely on opportunity. No business can safely assume it is too small to be a target, the report warns.
The UK’s most significant regulatory change will likely be the formal introduction of a targeted ban on ransomware payments by all publicly funded entities.
This new legislation will create a distinct list of UK organisations legally unable to pay ransoms, forcing the public sector to rapidly shift focus and budget toward robust cyber-resilience.
In 2026, intense regulatory scrutiny will fall on suppliers to publicly funded entities, according to the predictions. While the payment ban may not formally extend to the entire supply chain, these suppliers will face significant contractual pressure to also adopt a “no-pay” posture.