Cyber-Security Budgets to Climb in 2026 Amid Rising Third-Party Risks

As global cyber threats grow more complex, organizations are planning substantial increases in cyber-security spending in 2026, according to Marsh's Cyber catalyst report: Guiding priorities in cyber investments. The report is based on survey data from over 2,200 cyber-risk leaders across 20 countries and 8 global regions. It identifies heightened confidence in cyber-risk management alongside intensifying concerns over third-party exposures and ransomware. According to Marsh, most respondents cited ransomware and privacy breaches as their top concerns, with both named by 29 percent of participants.

The report found that 66 percent of respondents intend to increase their cyber-security investments over the next year, with more than one-quarter planning to grow budgets by at least 25 percent. Spending priorities include cyber-security technology and mitigation, incident planning, and cyber-security personnel. Marsh said 70 percent of respondents identified technology investment as a top area, followed by incident preparedness (68 percent) and talent acquisition (67 percent).

Nearly three-quarters of organizations expressed high confidence in their overall cyber-risk strategies, though Marsh noted that specific capabilities, such as incident response planning and employee training, showed lower confidence levels. Among regions, organizations in India, the Middle East, and Africa showed the highest confidence levels at 83 percent, while those in Asia were least confident at 50 percent.

"Today's evolving threat landscape demands not only increased investment but a strategic, holistic approach to cybersecurity," said Thomas Reagan, global cyber-practice leader at Marsh. "Our survey clearly shows that while many organizations are boosting budgets, true resilience comes from balancing technology, talent, and preparedness—especially in managing third-party risks."

Seventy percent of organizations experienced at least one material third-party cyber incident in the past year, underscoring the increasing importance of supply chain risk oversight. Per the report, more than 20 percent of respondents said third-party risks significantly affected their organization's cyber-security posture.

Marsh also noted differences in how decisions about cyber-security investments are made. While some organizations rely on security leaders or chief information security officers, others involve global or regional risk collectives or board-level oversight. According to Marsh, organizations using broader governance structures often demonstrate a higher level of strategic alignment and resilience in cyber planning.