
What is cybersecurity risk?

Cybersecurity risk is the exposure to harm or loss stemming from cyber threats that can compromise an organisation’s information systems, data integrity, and operational stability. Cybersecurity risk includes the potential for financial loss, operational disruption, reputational damage, and legal and regulatory consequences resulting from threats to information technology systems and data. It encompasses the likelihood of cyber threats including hacking, malware, ransomware, phishing, and other cyberattacks that exploit vulnerabilities in an organisation’s digital infrastructure, as well as non-malicious incidents such as human error and accidents.

Cybersecurity risk management is essential in today’s tech-dependent business environment, and requires a multi-pronged approach that involves insurance, mitigation, and resilience. It involves identifying vulnerabilities, assessing the range of potential impacts of cyber incidents, and implementing appropriate cybersecurity risk mitigation strategies. These include insurance solutions, risk consulting, and resilience planning to help organisations protect their digital assets from cyber events and other risks in order to ensure business continuity.

Common cybersecurity risks in 2026

In the rapidly evolving digital landscape of 2026, cybersecurity has emerged as a paramount concern for businesses across all sectors. The increasing reliance of business and the economy on sophisticated technologies, coupled with the proliferation of interconnected devices and the expansion of cloud services, has broadened the attack surface for cybercriminals. As organisations harness the benefits of digital transformation, they simultaneously expose themselves to new, expanding, and more complex cybersecurity risks. Following are five key cybersecurity risk trends in 2026:

  1. The proliferation of AI and machine learning, both offensively and defensively, is a key trend in 2026 driving cybersecurity strategies. Cybercriminals now use AI to automate attacks, enhance the sophistication of phishing campaigns, and develop adaptive malware that evades traditional detection methods. At the same time, as companies rush to engage AI in their business strategies, they are challenged to protect their assets while combating increasingly intelligent and automated threats.
  2. Deepfake technology is increasingly being exploited for identity theft, fraud, more sophisticated phishing attacks, disinformation campaigns, and more. The ability to create highly realistic, fraudulent multimedia content undermines trust in digital communications and poses additional cybersecurity risks.
  3. Ransomware attacks have evolved, fueled in part by AI and deepfake technology, with multifaceted extortion tactics escalating their potential financial and operational impacts.
  4. Supply chain cyberattacks continue to increase. They involve threat actors exploiting vulnerabilities in third-party vendors to gain unauthorised access to other, often larger and more lucrative, targets. The interconnectedness of modern business ecosystems makes supply chains a critical vulnerability point.
  5. Quantum computing, despite the fact that quantum computers are at an early stage of development, poses an existential threat to existing cryptographic algorithms. Organisations will need to transition quickly to quantum-resistant encryption methods to safeguard sensitive data.

Key components of cybersecurity risk

It’s important to understand the core concepts within cybersecurity risk, ranging from vulnerabilities and threats to attacks and controls. The following concepts provide a broad framework to help organisations effectively identify, assess, and manage cybersecurity risks.

  • Vulnerabilities are weaknesses or gaps in an organisation’s systems, processes, or controls that can be exploited by threats, such as unpatched software, weak passwords, misconfigured security settings, and outdated hardware. Vulnerabilities increase the likelihood of successful attacks, making systems more susceptible to exploitation.
  • Threats are potential sources or actors that can exploit vulnerabilities to cause harm, and include cybercriminals, nation-state actors, insider threats, hacktivists, and malicious software. Threats pose the risk of initiating an attack that can compromise systems, data, operations, or other aspects of a business.
  • Attacks are the actual malicious actions carried out by threat actors exploiting vulnerabilities, including through phishing campaigns, ransomware infections, distributed denial of service (DDoS) attacks, and data breaches. Attacks can lead to data loss, operational disruption, financial costs, regulatory actions, and reputational damage.
  • Events, on the other hand, refer to incidents that occur without any intent to cause harm or exploit vulnerabilities. Examples include system misconfigurations, software bugs, and accidental data exposure resulting from human error. Unlike cyberattacks, these events are not driven by threat actors and do not involve deliberate malicious actions. However, despite the lack of malicious intent, the impact of such events can still be significant.
  • Impacts from cyberattacks may include financial loss, legal penalties, regulatory fines, loss of customer trust, or operational downtime. By assessing the impact of a cyberattack, organisations can better understand and prioritise their risks and where to best invest their cybersecurity budget.
  • Likelihood refers to the probability that a threat will exploit a vulnerability and lead to an attack. Factors influencing likelihood include the attractiveness and size of the target, existing security controls, threat actor capabilities, and the current threat landscape. Assessing threat likelihood helps prioritise risks and allocate resources effectively.
  • Cybersecurity risk is the potential for loss or damage when a threat exploits a vulnerability, and is often expressed as: Risk = Likelihood × Impact. Understanding cybersecurity risk enables organisations to quantify and compare exposures, guiding decision-making on mitigation strategies.
  • Controls and mitigation are the measures an organisation uses to reduce vulnerabilities, detect threats, and prevent attacks, lowering cybersecurity risk to an acceptable level. These include firewalls, intrusion detection systems, employee awareness training, encryption, incident response plans, and other controls.
  • Residual risk is the risk that remains after implementing controls and mitigation measures. It’s important to recognise residual risk as it helps organisations understand the risks that still need monitoring or additional mitigation.
  • Risk management lifecycle refers to the stages of identification, assessment, mitigation, monitoring, and review. It’s a continuous process used to adapt to evolving threats and vulnerabilities, ensuring ongoing cybersecurity resilience.
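The following is an added worked example, not code from the Marsh article, showing how the concepts above fit together in a simple risk register: each entry pairs a threat (or a non-malicious event) with a vulnerability, scores likelihood and impact on an assumed 1-to-5 scale, computes inherent risk as Likelihood × Impact, re-scores after the listed controls to obtain residual risk, and ranks the results against a stated risk appetite. The scenarios, scores, control names and the "points reduced per control" model are all constructed for illustration; a real programme would calibrate them to its own assessment method.

```python
"""Added example (not from the original article): a minimal cyber risk
register applying Risk = Likelihood x Impact, residual risk after controls,
and prioritisation against a risk appetite. All data below is constructed."""
from dataclasses import dataclass, field

SCALE = range(1, 6)  # assumed 5-point scale: 1 = very low .. 5 = very high


@dataclass
class Control:
    """A mitigation and the scoring credit it earns (assumed simple model)."""
    name: str
    likelihood_reduction: int = 0  # points taken off likelihood
    impact_reduction: int = 0      # points taken off impact


@dataclass
class Risk:
    scenario: str
    source: str          # threat actor, or "event" for non-malicious incidents
    vulnerability: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    def inherent(self) -> int:
        """Risk before controls: Likelihood x Impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk remaining after controls; neither factor drops below 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def prioritise(risks: list[Risk]) -> list[tuple[str, int, int]]:
    """Rank scenarios by residual risk (then inherent) so budget goes to the
    largest remaining exposures first."""
    return sorted(
        ((r.scenario, r.inherent(), r.residual()) for r in risks),
        key=lambda row: (row[2], row[1]),
        reverse=True,
    )


def needs_treatment(risks: list[Risk], appetite: int) -> list[str]:
    """Scenarios whose residual risk still exceeds the stated appetite and
    therefore need further mitigation, transfer (insurance) or acceptance."""
    return [r.scenario for r in risks if r.residual() > appetite]


# Constructed register: three scenarios, one of which is a non-malicious event.
REGISTER = [
    Risk("Ransomware via phishing", "cybercriminal", "weak authentication", 4, 5, [
        Control("multifactor authentication", likelihood_reduction=1),
        Control("endpoint detection and response", likelihood_reduction=1),
        Control("tested backups and incident response plan", impact_reduction=2),
    ]),
    Risk("Third-party vendor compromise", "supply chain actor", "unvetted vendor access", 3, 4, [
        Control("vendor security assessment", likelihood_reduction=1),
    ]),
    Risk("Accidental data exposure", "event", "misconfigured storage", 3, 3, [
        Control("staff awareness training", likelihood_reduction=1),
        Control("encryption at rest", impact_reduction=1),
    ]),
]

if __name__ == "__main__":
    for scenario, inherent, residual in prioritise(REGISTER):
        print(f"{scenario:32} inherent={inherent:2} residual={residual:2}")
    print("above appetite (6):", needs_treatment(REGISTER, appetite=6))
```

Running the register shows why residual rather than inherent risk drives prioritisation: the ransomware scenario has the highest inherent score but, once its controls are credited, drops below the vendor scenario, which is the only one left above the appetite of 6 and so the first candidate for additional controls or insurance.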

Understanding the above concepts is part of the foundation for a comprehensive view of cybersecurity risk. Managing such risks involves not only understanding vulnerabilities and threats, but assessing likelihood, implementing controls, and continuously monitoring the risk landscape.

Managing cybersecurity risk

When it comes to managing cybersecurity risk, companies typically gravitate toward technology solutions, including security hardware and software, cyber consulting and penetration testing services, and cyber risk scorecards. Many organisations, however, lack a true view of organisational cyber risk and its potential economic and operational impact on their business.

Marsh helps clients better manage cyber risk throughout their organisation and improve their cyber resilience. We can help quantify cyber risk exposures with scenario-based loss modelling, benchmark potential cyber event losses and costs, consider the effectiveness of cybersecurity controls from a financial perspective, and assess the economic efficiency of multiple cyber insurance programme structures.

Part of building up cyber resilience is to assess and measure your organisation's cyber risk appetite. Key questions to ask yourself include:

  • Which assets and services are mission critical and must absolutely be protected?
  • What would it cost — in money, time, and reputational damage — if those assets and services were exposed or disrupted?

Next, you can decide the steps and costs that are reasonable to take to protect your organisation’s digital footprint, as well as what it would take to recover efficiently and effectively if compromised. In doing so:

  • Focus on ways to recover mission-critical operations.
  • Use tabletop exercises, vendor assessments, and case studies to help determine your defence and recovery measures.
  • Establish and communicate robust processes and policies, so that everyone knows their role when a crisis materialises.
  • Finally, build a recovery plan and test it regularly.

FAQs

Any organisation that uses technology or data is exposed to cybersecurity risk. The list of cyber risks is endless, and the potential disruptions to your business are enormous. But, like any business risk, cybersecurity risk can be understood, measured, managed, and responded to effectively. 

Cyber insurance can help organisations recover losses and other costs from breaches, business interruption, ransomware, and other types of cyberattacks. Coverage can provide you with resources and reimbursement for items such as legal fees, incident preparation and response support, employee training, forensics services, and breach notification services. Policies can also offer balance sheet protection for first- and third-party costs and liabilities, such as lost revenue and extra expenses, regulatory fines and penalties, data and hardware restoration and repair, and reputational harm.

There is seemingly no end to the number and types of products and services available to apply to cybersecurity. Still, our research continues to demonstrate that, regarding controls, it’s critical to focus on cybersecurity fundamentals, from multifactor authentication to endpoint detection and response to cyber incident response planning and testing.

Good foundational cyber control practices correlate highly with a reduction in the likelihood of cyber incidents. By prioritising essential controls and adhering to best practices, organisations may minimise their risk exposure and enhance cyber resilience.
