The introduction of the NIS2 Directive will create greater liability risks for directors and officers, and increase their risk profile for insurers. The Directive introduces stricter and more detailed technical and organisational cybersecurity requirements for companies in Germany. Although most businesses still do not fall directly within the scope of the Directive, the ongoing trend towards tighter regulation will significantly impact non-binding security standards and any contractually-owed standards of care. Importantly for those in scope, the Directive introduces accountability on the part of directors and other senior managers for ensuring compliance. This takes the form of monetary and other sanctions, which may create additional risks for D&O insurers through coverage issues such as regulatory defence costs and possible financial penalties (such as may be insured). Although the obligations introduced by NIS2 are not new, having already been part of many risk management duties, especially for companies heavily reliant on data processing and digital operations, insurers may seek to ensure that their policyholders are familiar with any obligations.

As quantum technology develops, we expect cyber insurers to start considering the potential systemic risks associated with the post-quantum era. Developments in quantum technologies are advancing rapidly and will offer huge opportunities to improve our lives. However, quantum computing will also pose the next significant challenge to cybersecurity and organisations are being urged to take steps to prepare for this now. The National Cyber Security Centre has already published guidance on the timeline for the migration to post-quantum cryptography (PQC) which starts now by identifying information, systems and cryptography which is at risk and ends in 2035 with the complete migration to PQC for systems, services and products.

In a recent ruling by the Spanish Supreme Court, it was determined that banks are liable for unauthorised transactions resulting from digital fraud, such as phishing or SIM swapping, unless they can demonstrate gross negligence on the part of the customer. This ruling reinforces the quasi-objective liability framework established by Directive 2015/2366 on Payment Services, shifting the burden of proof to financial institutions to demonstrate that the transaction was authorised or that the customer acted with gross negligence. The decision is based on the special duty of care that banks must exercise when, among other matters, opening a bank account (e.g. verifying the ID or the contracting party’s information is accurate) or monitoring certain operations (such as unusually timed large transfers by a user). This legal precedent could have significant implications for the insurance sector, particularly regarding policies held by banks. Liability insurers of banks may face an increase in claims related to digital fraud, as banks are more likely to be held responsible. Additionally, insurers should reassess the risks covered and the security measures implemented by banks. Underwriters should consider the adequacy of cybersecurity protocols and banks’ incident response capabilities when evaluating risks.

Cyberattacks are becoming increasingly frequent and severe in Sweden, affecting both businesses and municipalities. Despite being one of the most digitally advanced countries, many organisations remain vulnerable to ransomware, data breaches, and other cyber threats. In December 2023, the prominent Swedish retail chain Coop was hit by a cyberattack that disrupted operations and left payment systems offline for several days. In August 2025, a large-scale ransomware attack compromised systems in numerous municipalities, raising concerns over data breaches and operational disruptions. As these attacks continue, cyber insurance is becoming an essential tool for managing risk. More organisations are expected to adopt coverage to protect operations and recover swiftly after incidents. Implementing basic safeguards, such as response plans and staff training, is becoming standard practice. With digital threats on the rise, the importance of cyber insurance in Swedish risk management will only grow.

Hong Kong recently saw the passage of the Protection of Critical Infrastructure (Computer System) Ordinance into law, the provisions of which will come into effect on 1 January 2026. The new laws aim to protect local infrastructure in certain sectors designated as critical. Banks and financial institutions (in addition to those operating in other prescribed sectors) will be required to implement measures to prevent and report security breaches. Failure to do so may attract a fine of up to HK$5 million (US$640,000). We expect increased regulatory activity in encouraging organisations to bolster the security and reporting any breaches of their computer systems in 2026.

With the advancement of AI, we expect to see an increase in the sophistication of cyberattacks. Gone are the days of simple phishing emails sent to unwitting employees asking them to change their password, which often contain obvious errors that are easily detected. Threat actors are now using AI to create sophisticated attempts, such as deepfakes, to deceive employees into handing over their credentials. One recent example was an employee who transferred large sums of money following receipt of a deepfake video showing the company's senior executive instructing employees do so. We also anticipate that threat actors will use AI to assist with password decoding and data mining of large datasets to determine the value of the data that they have accessed and possibly exfiltrated. Datasets that were traditionally thought to be difficult to translate in Asia, e.g. Japanese or Korean, can now be easily and accurately translated with the improvement in AI-assisted translation tools. As a result, we anticipate that through the use of AI, attacks based on deception and abuse of confidence will become more sophisticated and increasingly convincing, which is likely to result in an increase in cyber claims of this nature.

By 2026, all financial institutions in Ecuador will be required to comply with mandatory cybersecurity standards. The regulator is aligning local regulation with international norms, imposing obligations on data protection, technology risk management, business continuity plans, and cyber incident reporting. This rule will encourage banks and insurers to adopt cyber insurance, strengthening the financial system’s resilience against digital attacks and ensuring the continuity of critical operations. The measure demonstrates a regulatory commitment to technological stability and market trust.

In 2026, the rise in cyber threats and digital dependence will push Peru to adopt stronger cybersecurity frameworks and to expand the market for cyber insurance policies. Companies in banking, telecommunications, and critical infrastructure will increasingly seek cyber risk coverage to safeguard against ransomware, data breaches, and business interruption caused by digital attacks. These policies will become essential not only to mitigate financial losses but also to strengthen corporate resilience and regulatory compliance. Additionally, government institutions will be urged to enhance co-operation with the private sector in order to build more robust cyber defence mechanisms. Cyber insurance is expected to evolve into a critical pillar of risk management, particularly as businesses accelerate their digital transformation and AI adoption.

The aviation sector faces escalating cyber risks as digitalisation deepens across flight operations, maintenance, and passenger services. Cyber threats are becoming increasingly sophisticated, targeting critical systems such as avionics software, flight planning tools, and airport IT infrastructure. A successful breach could disrupt navigation, compromise safety, or ground entire fleets, leading to severe financial and reputational losses. Regulators are tightening cybersecurity compliance, pushing operators to invest in robust defences. Insurers are responding by expanding cyber liability offerings, often bundling them with traditional aviation policies, while introducing stricter risk assessment protocols and premium adjustments for operators with inadequate cyber resilience.