Why privacy is at the top of the cyber risk agenda

Explore why privacy remains a top cyber risk, the evolving regulatory landscape, AI, and effective strategies to enhance cyber resilience.

What is keeping cyber risk leaders up at night?

While the cyber risk landscape remains complex, with multiple potential pitfalls, our Cyber catalyst report: Guiding priorities in cyber investments indicates a clear focus on privacy and ransomware. In North America, privacy breaches remain a considerable concern, ranking as the top cyber threat in Canada and among the top three in the US. Ransomware remains a high-impact exposure across North America, while denial-of-service (DoS) is a prominent risk in the US, reflecting reliance on always-available digital services and the high cost of service outages (see Figure 1).

Key takeaways:

  • Top threats are no surprise: Privacy and ransomware remain dominant both globally and in North America, while denial-of-service is a distinctive operational worry in the US.
  • Privacy risk evolves: Privacy risk has shifted in focus from data breaches to business practices, with undisclosed tracking, collection, and use of data driving regulator and plaintiff attorneys’ scrutiny.
  • Regulatory environment increases in complexity: The fragmented regulatory landscape, with obligations varying from one state to another, complicates compliance efforts.
  • Market response is mixed: Insurers’ market responses vary, underscoring the importance of regular policy reviews and early renewal meetings.
  • Effective mitigation strategies are critical: Despite the increasing threat landscape, organizations can take actions to mitigate privacy exposures.

To learn more about how to mitigate your privacy exposure, contact us.

Figure 1: Privacy risks remain a top concern in both the US and Canada

Why privacy remains a top concern

Privacy is hardly a new topic. And while many organizations have taken action to address it, this risk persists (see Figure 2), mainly due to three converging developments.

Figure 2: Globally, privacy and ransomware top the list of risks that senior leaders are concerned about


1. Shift from data breaches to privacy practices

Historically, privacy concerns centered on unauthorized access. Today, privacy risk encompasses unauthorized access as well as non-breach privacy risk stemming from how organizations collect, track, aggregate, and use personal data. Techniques such as website pixel tracking draw scrutiny when they are deployed without meaningful consent.

Regulators and plaintiffs may challenge practices that previously drew little scrutiny. As a result, companies can face regulatory inquiries, enforcement actions, or class actions based on collection and use practices alone, driving legal costs and contributing to reputational damage even when no intrusion has occurred.

2. Regulatory evolution and litigation creativity

The privacy regulatory landscape in the US continues to evolve, with 19 states having comprehensive data privacy legislation already in place and 17 states having active bills under consideration in their legislatures. State-specific regulations can pose a compliance burden as organizations seek to comply with obligations on disclosures, consent, data subject rights, and cross-border transfers that may vary from state to state.

This regulatory patchwork often increases operational complexity, requiring teams to map obligations across jurisdictions while product teams must justify data collection and retention choices in the context of multiple, sometimes overlapping, laws.

At the same time, plaintiffs’ attorneys are becoming more creative in their search for cases to litigate. Some are repurposing older statutes that were not written with modern data practices in mind and pairing them with novel legal theories. Even cases that never proceed to trial can impose a significant financial burden.

3. AI amplification

To date, generative artificial intelligence has not created a new category of risk; rather, it amplifies existing and familiar ones. First, the undisclosed use of personal data in model training can create regulatory and contractual liabilities. Second, attackers may use AI to automate reconnaissance and craft more convincing social engineering campaigns, increasing the likelihood of incidents that expose privacy-sensitive information.

Generative AI’s potential impacts on privacy are under insurer scrutiny, with an uptick in AI-related claims expected as usage accelerates. Although the current view of Marsh’s cyber specialists is that AI-related privacy risks are already contemplated under broad cyber coverage, insurer responses may vary. Insurers continue to closely monitor existing AI-related litigation involving allegations of privacy violations.

How can organizations better address privacy risks?

The Cyber catalyst report: Guiding priorities in cyber investments indicates confidence in managing cyber risk, although this varies greatly between regions. Canada sits in the middle of the pack, with confidence in the US a little higher. Perhaps unsurprisingly, larger companies tend to be more confident in their cyber risk management and mitigation capabilities than small and medium-sized organizations. But as the risk landscape continues to evolve, there is no room for complacency. Instead, organizations can focus on four critical actions that can help reduce their privacy exposure.

  • Designate a data owner and maintain an authoritative inventory of where data is being collected, processed, and shared, overlaying this information over regulatory maps to better understand exposures.
  • Update privacy notices, consent flows, and retention policies. Require privacy impact assessments for new products, especially AI initiatives.
  • Assign accountable governance, including legal and privacy officers, to operationalize privacy practices across product, marketing, and IT teams.
  • Ensure that privacy notices and consent mechanisms explicitly cover AI model training and third-party data sharing, and maintain change logs to demonstrate reasonable, ongoing compliance efforts to both regulators and insurers.

  • Conduct cyber tabletop exercises at least twice per year, ideally once with executive leadership and at least once with technical/operational participants. Make sure they cover privacy scenarios, including regulatory inquiry, discovery of undisclosed data tracking, and problematic data use by AI models, in addition to DoS and ransomware incidents.
  • Rehearse legal, communications, and regulator engagement workflows and analyze the effectiveness of out-of-band communications for use during infrastructure outages.
  • Expand the scope of tabletop exercises to include vendor-originated privacy findings and regulator enforcement simulations. Test negotiation and documentation protocols that may be needed if plaintiffs or regulators allege systemic practice failures rather than a single breach.

  • Implement vendor due diligence, contractual privacy, and audit clauses and conduct regular monitoring of critical suppliers.
  • Deploy tools that detect undisclosed pixels, third-party telemetry, and supply chain data flows, prioritizing remediation according to the materiality of compliance gaps.
  • Consider engaging specialist vendors that scan the public web and analyze your dependency graph to identify tracking, unauthorized data sharing, and third-party misconfigurations. Some newer solutions incorporate predictive models intended to flag potential issues before they materialize.
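The tooling point above is concrete enough to illustrate. The script below is an added example, not a Marsh tool or a product referenced on this page: it parses a page's HTML, collects every image, script and iframe that loads from a host other than the page's own, flags 1x1 or hidden images as likely tracking pixels, and compares each third-party host against the vendors the privacy notice actually discloses. The page URL, the declared-vendor inventory and the sample HTML are all constructed for the example; in practice the inventory comes from the data map maintained under the first action above.

```python
"""Flag third-party loads on a web page that the privacy notice does not disclose.

Added example (not a vendor product). Inventory, page URL and HTML are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed inventory: third-party hosts disclosed in the privacy notice,
# mapped to the purpose on record. Subdomains of a declared host also count.
DECLARED_VENDORS = {
    "analytics.example-vendor.com": "web analytics",
    "cdn.example-site.com": "first-party CDN",
}

PAGE_URL = "https://www.example-site.com/checkout"  # constructed


def host_of(url, base):
    """Lowercase host of a URL that may be relative or protocol-relative (//host/...)."""
    return (urlparse(urljoin(base, url)).hostname or "").lower()


def is_declared(host):
    """True if the host, or a parent domain of it, is in the declared inventory."""
    return any(host == d or host.endswith("." + d) for d in DECLARED_VENDORS)


class ResourceCollector(HTMLParser):
    """Collect img/script/iframe elements that fetch from a host other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = (urlparse(page_url).hostname or "").lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        src = a.get("src")
        if not src:
            return  # inline script or no load: no outbound data flow from this tag
        host = host_of(src, self.page_url)
        if not host or host == self.page_host:
            return  # first-party resource
        # Classic tracking-pixel signature: a 1x1 or hidden image on a foreign host.
        looks_like_pixel = tag == "img" and (
            (a.get("width") == "1" and a.get("height") == "1")
            or "display:none" in a.get("style", "").replace(" ", "")
        )
        self.findings.append({
            "tag": tag,
            "host": host,
            "pixel": looks_like_pixel,
            "disclosed": is_declared(host),
        })


def audit_page(html, page_url=PAGE_URL):
    """Return third-party resource findings for one page, undisclosed hosts first."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    return sorted(collector.findings, key=lambda f: (f["disclosed"], f["host"]))


def undisclosed_hosts(findings):
    """Hosts receiving visitor data that no notice or vendor contract on record covers."""
    return sorted({f["host"] for f in findings if not f["disclosed"]})


# Constructed page: one first-party image, one disclosed analytics script, one
# undisclosed 1x1 pixel, one undisclosed ad tag, one embedded iframe, one CDN image.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" alt="logo">
<script src="https://analytics.example-vendor.com/tag.js"></script>
<img src="//px.tracker-example.net/p.gif?uid=123" width="1" height="1" alt="">
<script src="https://tag.adnetwork-example.com/retarget.js"></script>
<iframe src="https://embed.video-example.org/v/42"></iframe>
<img src="https://cdn.example-site.com/hero.jpg">
</body></html>
"""

if __name__ == "__main__":
    for f in audit_page(SAMPLE_HTML):
        status = "DISCLOSED  " if f["disclosed"] else "UNDISCLOSED"
        kind = "pixel" if f["pixel"] else f["tag"]
        print(f"{status} {kind:7} {f['host']}")
```

Two caveats a practitioner would want. A static scan only sees tags present in the served HTML; tag managers and consent platforms inject most trackers at runtime, so the same host comparison should also be run over the network log of a headless browser session, ideally once with consent refused and once with it granted. And "disclosed" here means only that the host appears in the inventory; whether the disclosed purpose matches what the tag actually collects is a review step, not something the script can decide.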

  • Review your cyber policies with your broker or insurance advisor, paying specific attention to non-breach privacy and AI wording. If needed, coordinate coverage with other policies.
  • Consider whether broader policy forms — such as Cyber CAT that provides comprehensive protection — are suitable for your risk profile.
  • Start renewal discussions early to determine how your carrier views evolving risks. Do not assume automatic coverage; work with your broker or insurance advisor to fully understand your policy, and determine which controls insurers may require in exchange for preferential pricing and terms and conditions.

Privacy concerns have evolved but remain a consistent and considerable risk

Organizations that focus on robust privacy hygiene, take action to mitigate the risk of a privacy incident, and have adequate insurance in place are often better placed to proactively address privacy concerns and build resilience.

Speak with a Marsh representative

For more information on how to better manage your privacy risks and other cyber challenges, contact us.