Looking Forward to 2026 in Cybersecurity: Attacks are on the Rise (Shocker)
Cybercrime Statistics
With the new year approaching, it is a good time to look back on cyber incidents in 2025 and to start making plans for 2026. In 2025, cyber-attacks continued to rise, as reflected in some key statistics[1], including:
- Cost of Cybercrime:
  - $10.5 trillion – “If cybercrime were a country, it would boast the world’s third largest economy, trailing only the U.S. and China.”
- Data Breach Costs:
  - Global average: $4.44M;
  - U.S. average: $10.22M.
- Ransomware Stats:
  - Involved in 44% of breaches;
  - Median ransom $115k;
  - 64% of victims didn’t pay (this is a good thing!).
- Attack Vectors:
  - Phishing (16%)[2];
  - Supply chain compromises (15%).
- AI in Attacks:
  - 1 in 6 breaches involves AI (deepfakes, phishing);
  - 99% of companies have exposed data to AI tools.
- Most Affected:
  - Healthcare spends the most in response to cybersecurity attacks; but,
  - Small businesses are highly vulnerable.
By some estimates, the cost of cybercrime will skyrocket to $16 trillion by 2029[3], and the sheer number of attacks will continue to increase.
Despite the threat of these increases, companies do not plan to change operations. According to the report, 74% of business managers and 81% of C-suite leaders are confident in their ability to detect and respond to cyber-attacks in real time. However, when asked if their company had suffered a cyber-attack, 79% of managers responded that a successful cyber-attack hit their organization in the past year. This dichotomy is even greater when we discover that only 65% of C-suite leaders believe their organization was hit by a cyber-attack. There is a clear disconnect between the C-suite and IT managers, as well as between the confidence to deal with an attack and the number of organizations affected by such an attack.
Legislative Response
AI will continue to contribute to the increase in attacks as well. The same report quoted above noted that 97% of companies are reporting AI security issues and breaches.
The continued rise in attacks has not gone unnoticed by state legislatures. Although recent legislation does not seem to have deterred any attacks, 49 different states have considered 800 bills or resolutions, and 44 states have enacted 200 bills in 2025[4]. Some legislative highlights include:
- Arkansas passed a Cyber Security Act to ensure all agencies are meeting cybersecurity standards;
- Mississippi enacted legislation that establishes limits on claims due to cyber claims; and
- Virginia created requirements related to the purchase of school-issued devices to ensure the devices have good cyber security.
While the attention legislatures give to cyber-attacks provides some comfort to businesses and individuals, the attacks have not subsided.
Legal Implications
From a liability perspective, legislatures, such as Mississippi's, are trying to limit the liability from cyber-breaches, but plaintiffs’ attorneys have become more emboldened to file class action lawsuits. Many of these suits are filed within days of the filing of notice letters with attorneys general’s offices, as plaintiffs’ attorneys are racing against each other to be the first to file. While many of the claims made in these complaints are without merit or in anticipation of potential events, such a suit can cost an organization money to defend.
Organizations should take care at the start of the year to reassess their:
- Potential cybersecurity risks;
- Potential financial, regulatory, and contractual implications in connection with cybersecurity breaches;
- Changes in legal requirements, including statutory and regulatory requirements; and,
- Potential legal consequences from class action lawsuits.
While you’re enjoying the holiday, also make this season a time for reflection on cybersecurity threats and implications.
[1] https://deepstrike.io/blog/cybersecurity-statistics-2025-threats-trends-challenges
[2] I disagree with this statistic a bit in that many reports have phishing as the attack vector in over 90% of data breaches when all types of phishing are included, such as SMS phishing (smishing); voice phishing (vishing); whaling; spear phishing, and malicious search results (HTTP(S) phishing or malvertising).
[3] https://www.vikingcloud.com/blog/cybersecurity-statistics
[4] https://www.ncsl.org/technology-and-communication/cybersecurity-2025-legislation

