Marsh has ranked cyber risk as the number one concern facing organizations worldwide. The finding comes from the firm’s 2026 People Risk report. The report draws on responses from 4,517 HR and risk professionals across 26 markets. Its timing is significant. Just two months earlier, Operation Epic Fury, the joint US-Israel military strike on Iran, launched on February 28, triggered a multi-vector retaliatory campaign that reached Western commercial enterprises. A cyberattack allegedly linked to Iran-aligned hackers disrupted operations at Stryker, a major US medical technology company. Dozens of other commercial organizations in financial services, logistics, and critical infrastructure faced attacks they had not modeled and, in many cases, not insured against. Cyber risk awareness is no longer a line item in the training budget. It is a material business risk with direct insurance implications.
What The Marsh Report Actually Says
The report covers a wide range of workforce risks. Cyber risk literacy sits at the top of the global rankings. It outranks labor shortages, financial insecurity, and AI disruption. Marsh’s data shows that more than 70% of organizations experienced at least one material third-party cyber incident in the past year. Phishing and social engineering remain the dominant entry points. AI-enhanced deepfakes are accelerating that problem. The report states that human behavior remains the most consistent driver of cyber losses. Technology controls alone cannot compensate for a workforce that cannot recognize or report a threat. “People risks cannot be secondary concerns,” said Hervé Balzano, Mercer’s President of Health and Benefits. That finding now carries direct urgency for executives navigating the post-Epic Fury environment.
Operation Epic Fury Changed The Threat Baseline
The Iran-Israel conflict put theory into practice for commercial businesses. Iranian state-aligned groups and proxy hacktivist organizations launched attacks against targets far beyond the Middle East. We have tracked the operational scope of those attacks and their cyber insurance implications here. The Stryker attack showed that Iran now abuses legitimate IT tools without deploying malware, which marks a qualitative shift in Iranian operational capability and a willingness to target Western corporate infrastructure. Over 60 individual hacktivist groups, including pro-Russian groups, became active within days of the first strikes. Iran’s cyber retaliation took aim at Western private-sector companies with real or perceived ties to Israel, to impose economic pain on Israel’s partners. The cyber perimeter of a physical conflict now extends to any organization with perceived links to a belligerent state. That is a new and measurable business reality.
The War Exclusion Problem Becomes Real
Most standard cyber policies exclude war-related losses. That exclusion has grown tighter since Lloyd’s of London issued market guidance in 2022, requiring clearer war language across all cyber contracts. The NotPetya litigation established that ambiguity in war exclusion language is commercially dangerous for carriers and policyholders alike. Operation Epic Fury has raised the stakes again. The full context of how war exclusions interact with modern cyber policy is detailed here. Stryker’s attackers used legitimate IT management infrastructure rather than malware. That technique is specifically designed to complicate attribution and, by extension, coverage decisions. Businesses that assumed their standard cyber policy covered state-affiliated disruption should review that assumption now. Beazley’s 2026 risk resilience data confirms that many organizations consistently underestimate their cyber exposure.
Canopius Responds With A Dedicated Product
Canopius Group launched a dedicated cyber war insurance product on April 27, 2026. It covers state-sponsored attacks carried out during physical conflicts. It also covers state-sponsored attacks that significantly disrupt a country’s operations, regardless of whether a formal war declaration exists. That second trigger directly addresses the gray zone where most modern state-sponsored operations occur. Camilla Walker, Head of Cyber and Technology UK at Canopius, framed the problem directly: “Regional conflict can escalate into widespread cyber disruption, with state-aligned groups targeting commercial enterprises.” Coverage is available on a limited basis alongside a standard cyber policy where Canopius holds the primary insurer position. The product is a direct market response to the coverage gap that Operation Epic Fury exposed.
What This Means For Underwriters And Brokers
Marsh’s report identifies a workforce readiness gap that functions as an underwriting signal. Organizations with low cyber threat literacy face higher loss frequency from phishing, social engineering, and credential compromise. Those are exactly the entry points Iranian actors used against Western commercial targets during Operation Epic Fury. Edge device vulnerabilities compound the exposure further, as the Lumen 2026 report documents. Underwriters placing cyber accounts in financial services, manufacturing, healthcare, and logistics should assess three things directly. Does the insured run a workforce cyber awareness program with measurable outcomes? Does the insured’s policy contain a war exclusion applicable to state-affiliated attacks? Has the insured modeled a conflict-driven operational shutdown in its business continuity plan?
The Leadership And Culture Factor
The Marsh report adds a dimension that goes beyond technical controls. It identifies inadequate leadership skills as the single biggest risk multiplier across all 25 people risks it tracks. Poor leadership produces weak security culture. Weak security culture produces employees who bypass protocols, ignore alerts, and fall for social engineering. The relationship between AI adoption, risk maturity, and cyber loss is explored in depth here. Marsh’s data shows that organizations with advanced risk maturity run mitigations significantly more effective than peers at earlier stages. Government sector data from NASCIO and Deloitte shows that even well-resourced entities struggle to close this gap.
The Business Case For Acting Now
The Marsh report gives CFOs and General Counsel a direct argument for workforce cyber investment. Organizations that actively managed people risks reported measurable returns. Forty percent saw increased workforce productivity. Thirty-six percent achieved faster progress on strategic initiatives. Cyber threat literacy sits at the intersection of people risk and technology risk. It determines whether a phishing email becomes a breach and whether a breach becomes a covered loss or a war exclusion dispute. The data suggests that C-suite awareness of that connection is growing. Whether organizations act on it before the next conflict-driven attack will define their risk position in 2026 and beyond.
Frequently Asked Questions: Cyber Threat Literacy And Business Risk
Cyber threat literacy is a workforce’s ability to recognize, report, and respond to threats, including phishing, social engineering, and AI-enhanced deception attacks.
Marsh’s research across 26 markets found human behavior drives more cyber losses than any technical vulnerability. AI is making attacks harder to detect, raising the stakes for workforce awareness programs across every industry.
Operation Epic Fury triggered state-sponsored and hacktivist attacks against Western commercial enterprises with no direct role in the conflict. Stryker, a US medical technology company, was among the confirmed targets.
Standard cyber policies may exclude war-related losses. Canopius launched a dedicated cyber war insurance product in April 2026, covering state-sponsored attacks during conflicts, including those without a formal war declaration.
Review your current policy’s war exclusion language. Assess whether your workforce can identify AI-enhanced social engineering. Model a conflict-driven operational shutdown in your business continuity plan.