Privacy and ransomware risks intertwine as threat actors change tactics

Guide to cyber investments in Europe - prioritize privacy governance, ransomware readiness, and third party risk management to protect data and reputation.

Navigating an evolving cyber risk landscape

What are European cyber risk leaders most worried about? Amid a complex cyber risk landscape, our Cyber catalyst report: Guiding priorities in cyber investments indicates a clear focus for European companies: Privacy breaches, including loss or theft of personal data, rank as the top threat, followed by ransomware (see Figure 1).

These risks are increasingly interconnected as threat actors’ tactics evolve, often exploiting privacy weaknesses to intensify ransomware extortion efforts. This means that along with the risk of regulatory penalties, lapses in privacy controls may lead to significant financial exposures and substantial reputational damage.

Key takeaways

Top threats remain consistent

Privacy, ransomware, and DoS attacks remain dominant both globally and in Europe.

Privacy and ransomware risks continue to evolve

Privacy risk has shifted in focus as threat actors exploit vulnerabilities to enhance ransomware extortion tactics, including gradual data leaks to maintain pressure on victims.

Regulatory environment remains complex

European companies face a patchwork of regulations, including the General Data Protection Regulation (GDPR), the Digital Operational Resilience Act (DORA), and the European Union Artificial Intelligence Act, with varying enforcement approaches across countries complicating compliance efforts.

Supply chain and third-party risks intensify

Europe’s interconnected business environment and regulatory complexity require organizations to assess potential vulnerabilities among their suppliers and vendors to minimize their overall cyber risk exposure.

Preparedness and incident response remain critical

As the threat landscape continues to evolve, European organizations need to strengthen their overall readiness to handle intertwined cyber risks.

Market favors well-prepared clients

The European cyber insurance market is generally offering well-prepared clients growing capacity and competitive pricing across segments. Demonstrating strong cyber controls, effective aggregation management, and proactive risk governance enables access to broad coverage and attractive terms. Strategic renewal approaches, such as detailed policy reviews, early insurer engagement with evidence-based submissions, and layered placement strategies, help maximize capacity, improve policy wordings, and increase value-added services.

Figure 1: Ransomware attacks and privacy breaches are also the top concerns across regions

Source: Cyber catalyst report: Guiding priorities in cyber investments

Risks persist amid a shifting risk landscape

Europe’s privacy and cybersecurity regulatory landscape is multifaceted. While the GDPR remains the foundational privacy law, new frameworks, such as the EU AI Act, DORA, and the NIS2 Directive, add layers of complexity. Organizations, particularly multinationals, must also contend with extraterritorial regulations, complicating compliance and incident response efforts.

While many organizations have taken action to address privacy, this risk persists (see Figure 2), mainly due to three converging developments.

Figure 2: Privacy and ransomware top the list of risks that senior leaders are concerned about, both globally and in Europe

Source: Cyber catalyst report: Guiding priorities in cyber investments

1. Shifting ransomware tactics shine a spotlight on privacy risks

Amid a complex regulatory landscape, threat actors are leveraging privacy lapses to scale widespread attacks. New tactics include incremental data leaks to pressure organizations to pay ransom, leading to both financial and reputational concerns. Ransom payments represent only a fraction of the total financial impact. Operational downtime, recovery expenses, legal fees, regulatory fines, and reputational harm often far exceed ransom amounts. Supply chain attacks are becoming a preferred vector, exploiting vulnerabilities in interconnected vendors and service providers to amplify disruption across entire ecosystems.

2. The regulatory landscape is evolving with increased litigation creativity

The privacy regulatory landscape in Europe is shaped by the GDPR and a patchwork of other laws, including local ones. Further, organizations doing business in other countries, such as the US, need to navigate country- and state-specific regulations, creating increased operational complexity. The evolving enforcement landscape and creative litigation strategies by plaintiffs’ attorneys are notable concerns for European companies.

3. AI amplifies risks

While generative artificial intelligence has not yet created a new category of risks, it can amplify existing and familiar ones. Most significantly, AI tools may enable even less technically skilled threat actors to execute complex intrusions into companies’ systems. For instance, threat actors might leverage AI to automate their reconnaissance and develop more persuasive social engineering campaigns, potentially heightening the likelihood of incidents that compromise privacy-sensitive data. While the current perspective of Marsh’s cyber specialists is that AI-related privacy risks are already contemplated under broad cyber coverage, insurer responses may differ, and insurers remain vigilant in tracking ongoing AI-related litigation concerning alleged privacy infringements.

Four actions to mitigate privacy and ransomware risks

The Cyber catalyst report: Guiding priorities in cyber investments indicates that 68% of European organizations are very confident in their company’s ability to manage cyber risk, slightly less than the global average (see Figure 3).

Figure 3: European companies are slightly less confident in their company’s ability to manage cyber risk than the global average

Source: Cyber catalyst report: Guiding priorities in cyber investments

Perhaps unsurprisingly, larger companies tend to be more confident in their cyber risk management and mitigation capabilities than small and medium-sized organizations. But as the risk landscape evolves, there is no room for complacency. Instead, organizations can focus on four critical actions that can help them lower the incidence of privacy risks.

1. Enhance privacy hygiene and governance

  • Appoint a dedicated data steward to maintain a comprehensive, authoritative record of data collection, processing, and sharing activities that are mapped against applicable regulatory requirements to identify risk exposures.
  • Regularly revise privacy statements, consent procedures, and data retention policies. Mandate privacy impact assessments for all new offerings, with particular attention to AI-related projects.
  • Establish clear governance accountability by involving legal and privacy professionals and embed privacy protocols across product development, marketing, and IT functions.
  • Ensure that privacy notices and consent frameworks explicitly address whether data is being used to train AI models or shared with third parties. Keep detailed logs to demonstrate consistent compliance efforts to both regulators and insurers.

2. Incorporate privacy considerations into incident response planning

  • Organize a minimum of two cyber tabletop exercises every year, ideally involving executive leadership in one session and technical or operational teams in another. Ensure these exercises address privacy-related scenarios such as regulatory investigations, uncovering undisclosed data tracking, and misuse of AI-generated data, alongside DoS and ransomware attack simulations.
  • Practice workflows for legal, communications, and regulatory interactions, and evaluate the reliability of out-of-band communication channels to be used in case of outages. Access resources, through platforms such as Marsh Central, to be better prepared, informed, and protected when risks emerge.
  • Broaden the scope of tabletop scenarios to encompass privacy issues originating from vendors and simulate regulatory enforcement actions. Assess negotiation strategies and documentation processes that may be necessary if systemic compliance failures are alleged by plaintiffs or regulators, rather than isolated breaches.

3. Monitor and manage third-party and web-tracking exposure

  • Establish thorough vendor due diligence processes, incorporate privacy and audit provisions into contracts, and perform ongoing monitoring of key suppliers.
  • Use technologies that identify hidden tracking pixels, third-party telemetry, and data flows within the supply chain, focusing remediation efforts based on the significance of compliance gaps.
  • Explore partnerships with specialized providers that conduct public web scans and analyze your dependency network to uncover tracking activities, unauthorized data disclosures, and third-party misconfigurations. Some advanced solutions now include predictive analytics capable of detecting potential issues before they arise.

4. Evaluate the adequacy of your cyber insurance program

  • Collaborate closely with your broker or insurance advisor to thoroughly review your cyber insurance policies, paying particular attention to clauses related to non-breach privacy risks and AI exposures.
  • Assess whether broader insurance products — such as CyberWall, which offers extensive and comprehensive protection — are better suited to your organization’s specific risk profile.
  • Engage early in insurance renewal conversations to understand your insurer’s perspective on emerging and evolving cyber risks. Avoid assuming that coverage will automatically renew; instead, work with your broker or advisor to gain a clear understanding of your policy terms. Identify any security controls or risk management measures insurers may require to qualify for favorable pricing and policy conditions.

Privacy and ransomware risks are evolving, becoming more deeply interconnected. Mitigating their impact requires a comprehensive approach that combines robust privacy governance, strong cybersecurity hygiene, thorough incident preparedness, and strategic use of cyber insurance. By proactively addressing these challenges, European companies can better safeguard their data, reputation, and operational continuity against today’s sophisticated cyber threats.

Contact us

For tailored guidance on managing your privacy and ransomware risks, contact your Marsh representative.