In 2026, insurers face mounting exposure from cyber-related class actions, driven by high-profile breaches such as Medibank, Optus and Latitude. Plaintiffs are increasingly seeking damages for emotional distress, reputational harm, and costs incurred in mitigating identity theft. Quantifying loss remains complex, often relying on market-based causation (e.g. share price drops) or aggregated damages across affected groups. The introduction of a statutory tort for serious invasions of privacy adds a new layer of risk. Individuals can now sue for misuse of personal data or intrusion upon seclusion, with courts empowered to award damages, injunctions, and apologies. This tort broadens the pool of potential defendants and may trigger claims under cyber, D&O, and professional indemnity policies. Insurers must reassess coverage wording, exclusions, and aggregate limits, while preparing for increased litigation and regulatory scrutiny. Proactive client engagement and scenario modelling will be essential to manage this rapidly evolving liability landscape.