Cyber Risk in 2026: AI Scales the Threat, While Risk Assessment Struggles to Keep Up
By Awani Saraogi, Associate Vice President, Strategic Offerings at Xceedance
Cyber risk is no longer a niche exposure. It is continuous, interconnected, and operationally disruptive. Attackers industrialize social engineering, weaponize vulnerabilities quickly, and exploit third-party dependencies at scale. The result is a loss environment where speed, volume, and correlation matter as much as technical depth.
A clear signal sits at the top of board agendas. In 2026, cyber incidents rank as the number one global risk for the fifth year in a row, with 42% of responses and a 10% lead over the next-ranked risk. Cyber incidents also rank as the top concern across regions and across large, mid-sized, and smaller companies, according to the Allianz Risk Barometer 2026.
The threat landscape is driven by scale and initial access efficiency
Most breaches still begin with basic entry paths, but those paths are becoming sharper. Recent European threat landscape reporting indicates that phishing is the most common initial access vector, with vulnerability exploitation a distant second.
This matters for cyber insurance because frequency is no longer the hard part to imagine. The hard part is quantifying loss potential when entry is cheap, repeatable, and industrialized, and when the same techniques can be run across thousands of targets in parallel.
AI changes the economics of social engineering
Generative AI does not invent phishing. It removes the friction. It lowers language barriers, improves writing quality, and enables fast tailoring by role, industry, and context. ENISA-linked reporting also suggests that by early 2025, AI-powered phishing represented over 80% of observed social engineering activity worldwide. That claim is attributed to ENISA Threat Landscape reporting, and it reinforces a simple point: attackers can scale persuasion faster than defenders can retrain users.
Separately, industry reporting has also pointed to sharp increases in phishing volumes since late 2022, coinciding with the mainstreaming of generative AI tools. For example, a CNBC report cites a 1,265% increase in malicious phishing emails since the fourth quarter of 2022, based on data from cybersecurity firm SlashNext.
Speed compresses response windows
AI also compresses time. McKinsey notes that AI is accelerating the speed of cyberattacks, with breakout times now often under an hour, and highlights AI’s role in creating convincing phishing emails, fake websites, and deepfake videos that bypass traditional detection. For risk owners, this reduces the margin for error. Controls built for quarterly reviews and annual insurance renewals will not match an hourly threat tempo.
Why current cyber risk assessment struggles
Cyber risk modeling has matured, but inputs remain fragile. Many approaches still rely on frequency-severity concepts, heavy-tail distributions for extreme losses, and dependence modeling to capture correlations across insureds. Underwriting also often leans on questionnaires and point-in-time assessments. The problem is structural: cyber risk is non-stationary, loss data is sparse and inconsistent, and correlation is hard to model when many firms share the same cloud, identity providers, software supply chains, and managed services.
Common constraints persist:
- Limited historical claims data with the granularity needed for robust modeling
- Rapidly changing attacker behavior that makes static scoring degrade quickly
- Privacy and disclosure constraints that reduce data sharing
- Portfolio aggregation risk from shared dependencies and common architectures
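The aggregation problem described above can be made concrete with a small Monte Carlo sketch. This is an added example, not the author's or Xceedance's model: it uses Poisson frequency, lognormal severity and a common-shock term for a shared provider, and every parameter (200 firms, 0.2 incidents per firm-year, a 5% annual provider failure that hits half the portfolio) is a constructed assumption, not calibrated data.

```python
import math
import random

def poisson(rng, lam):
    """Knuth's Poisson sampler (adequate for the modest rates used here)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate(n_firms, lam, shock_prob, shock_hit, trials, seed, mu=0.0, sigma=1.0):
    """Return one aggregate annual portfolio loss per simulated year."""
    rng = random.Random(seed)
    # Hold each firm's expected incident count at `lam` in both scenarios,
    # so only the dependence structure differs between them.
    lam_idio = lam - shock_prob * shock_hit
    losses = []
    for _ in range(trials):
        # A sum of independent per-firm Poisson counts is Poisson(n * rate).
        incidents = poisson(rng, n_firms * lam_idio)
        if rng.random() < shock_prob:
            # Shared provider fails: each firm is hit with probability shock_hit.
            incidents += sum(rng.random() < shock_hit for _ in range(n_firms))
        # Heavy-tailed severity per incident (lognormal, arbitrary loss units).
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(incidents)))
    return losses

def quantile(values, q):
    """Empirical quantile by order statistic."""
    ordered = sorted(values)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]

def compare(trials=2000, seed=2026):
    """Same expected frequency, with and without a shared dependency."""
    indep = simulate(200, 0.2, 0.0, 0.0, trials, seed)
    shared = simulate(200, 0.2, 0.05, 0.5, trials, seed)
    return {
        "mean_indep": sum(indep) / trials,
        "mean_shared": sum(shared) / trials,
        "q99_indep": quantile(indep, 0.99),
        "q99_shared": quantile(shared, 0.99),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:.1f}")
```

With expected frequency held equal, the two portfolios show nearly the same mean loss while the 99th-percentile year diverges sharply, which is the part a per-insured, point-in-time assessment cannot see.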
Bottom line
AI has shifted cyber risk from “more attacks” to “more effective attacks at machine scale.” The underwriting challenge is not whether cyber incidents will happen. The question is whether current assessment methods can price loss potential under conditions of rapid change, sparse data, and systemic dependencies. The market will continue to grow, but cyber risk assessment needs to become more dynamic, evidence-based, and resilient to correlation shocks.