Back To The Blog

Taking Mid-Year Stock of Clients’ Cyber Risk Management

Cybersecurity / July 06 , 2026

The cybersecurity landscape has seen major changes in the first half of 2026:

  • Attacks become more sophisticated and evasive as criminals use artificial intelligence (AI).
  • Other emerging technologies, such as 5G connectivity and the Internet of Things (IoT), have expanded the attack surface, giving threat actors new entry points and opportunities to exploit weaknesses.
  • Stricter data protection laws and compliance requirements have prompted many organizations to pay renewed attention to cyber risk management.

Taken together, these developments have reshaped how businesses and IT security professionals are approaching and implementing security protocols and data breach response plans.

Recently, the NetDiligence® Ransomware Advisory Board (RAB) met to discuss how threat actors’ tactics are evolving; what organizations can and should do about them; and what cyber insurance brokers need to know about these matters.

The RAB is a quarterly private forum in which senior incident response practitioners share their candid, firsthand insights from active cyber extortion and ransomware matters.

Because their discussions are grounded in real-world cases, they provide brokers with a practical view of how attacker tactics are evolving, and how their clients can move toward greater resilience and proactive risk management.

What Cyber Brokers Must Know About Identity-Based Attacks

In their Q2 2026 discussion, RAB members agreed that the threat environment is getting busier, not quieter.

Fully 73% of members reported that the volume of ransomware incidents and cyber extortion cases had increased in the last three months. No members reported a decrease.

What accounts for this elevated level of ransomware attacks? Board members attribute much of it to less-skilled attackers using AI and other widely available tools to accelerate social engineering and credential theft.

Instead of exploiting purely technical weaknesses, attackers are targeting people, identities, and account recovery workflows. Indeed, research reveals that identity abuse now drives the majority of all breaches.

The RAB highlighted these persistent paths into client environments:

Identity Compromise

Identity compromise is often how more sophisticated breaches begin. When attackers can impersonate legitimate users and exploit stolen credentials to gain unauthorized access to sensitive systems and data, they can move laterally across networks and potentially evade detection for extended periods.

Help-Desk Impersonation

Attackers, masquerading as legitimate support personnel, can deceive an organization’s staff into divulging sensitive credentials. This strategy enables them to infiltrate critical systems and data, potentially causing extensive damage.

SaaS Access Abuse

Software-as-a-Service (SaaS) access abuse occurs when malicious actors exploit vulnerabilities in applications to gain unauthorized access to data and systems. By targeting these cloud-hosted platforms, attackers bypass traditional security measures and infiltrate sensitive business operations.

In short, although malware and other exploits are growing more advanced, today’s attackers often do not need them. They simply need one person to trust the wrong message, prompt, or caller.

Risk Mitigation Steps Clients Need to Take

The takeaway is clear: Organizations may have multifactor authentication (MFA) and other security tools in place, but are still exposed if password resets, MFA changes, and support requests are not tightly verified. A single mistaken approval or weak recovery process can give attackers access to email, cloud platforms, and sensitive business data.

Organizations must move away from assuming perimeter defenses are infallible and instead embrace a “zero-trust” posture that assumes breach as a starting point.

The RAB suggested that Cyber Insurance brokers talk with their clients about these key aspects of cyber risk management:

Contain More Than the Password

If an account is suspected of being compromised, take immediate actions to contain the breach. Such actions include reviewing active sessions associated with the account to identify any unauthorized connections, resetting access credentials to eliminate the breach avenue, and monitoring for lingering connections that could indicate continued unauthorized access.

Additionally, communicating with affected clients about potential vulnerabilities and encouraging them to review their own security settings is vital.

Treat Account Recovery as High Risk

Password resets, MFA changes, and other account recovery processes are fraught with risk due to their potential to provide unauthorized access if not carefully managed. Organizations must enforce stronger identity verification protocols during these processes to ensure only legitimate users can make such changes.

These protocols could include biometric verification, one-time codes sent to verified devices, or additional security questions. Implementing such measures helps protect against unauthorized access and mitigates the risk of a data breach by ensuring simple circumvention of authentication processes does not occur.

Verify Support Requests Via Trusted Channels

Use trusted communication channels to verify the authenticity of support requests related to access issues. Independently confirm any unexpected calls, messages, or prompts related to account access before taking action. Doing so can prevent a malicious actor’s impersonation of an employee or client to gain access to sensitive systems.

Organizations should train their staff to recognize and verify support requests accurately and establish clear procedures for handling them. This proactive approach helps defend critical systems and data by ensuring only legitimate access requests are processed.

Expert Insights to Enhance Cyber Risk Management

For brokers looking for additional insights and practical talking points for clients, log in to the eRiskHub® and visit the Insurance Insiders section to access the full Q1 and Q2 NetDiligence Ransomware Advisory Board executive recaps.

These summaries provide added context on ransomware incidents, cyber extortion, identity abuse, and evolving attacker tactics.


Related Blog Posts

Download 2025 Cyber Claims Study

The annual NetDiligence® Cyber Claims Study uses actual cyber insurance reported claims to illuminate the real costs of incidents from an insurer’s perspective.

Download

© 2026 NetDiligence All Rights Reserved.