Global cybercrime is on track to cost the world roughly USD 16tn annually by 2029, up from USD 10.3tn in 2025. 94% of surveyed executives now identify artificial intelligence as the single biggest driver of change in cybersecurity, yet 87% also name AI-related vulnerabilities as the fastest-growing cyber risk. The average time an intruder needs to move from initial access to malicious action has collapsed to 29 minutes, a 65% acceleration in a single year. And in April 2026 Anthropic’s Claude Mythos forced US and UK financial regulators to summon the largest banks within 48 hours to discuss whether core software underpinning the global financial system could still be considered defensible. Cybersecurity is no longer a line item in the IT budget, but an important part of sovereign risk management.

For most of the past two decades, cybersecurity was managed as a support function: a control layer bolted onto systems designed primarily for productivity. That framing is now obsolete. Cybersecurity has become a core strategic concern for governments, businesses and societies; language normally reserved for energy security or defence policy. The numbers behind that shift are striking. 91% of the largest organisations globally have materially changed their cybersecurity strategy in direct response to geopolitical volatility; 64% of organisations now consider geopolitically motivated cyberattacks in their overall risk mitigation strategy, making geopolitics the single most influential input into cyber spending decisions in 2026.

Perceived change in cyber risks (%, 2026 vs 2025)

Source: World Economic Forum, InterCapital Research

The single thesis tying together the 2026 cyber research is that cybercrime is no longer behaving like crime, but like an industry. Threat actors now compete on throughput and not innovation. Access brokers, data resellers, malware developers, money launderers and affiliate ransomware operators increasingly function as specialised suppliers in a platform economy, with customer service, reputation systems, escrow and, now, AI-assisted triage layered on top. An entry-level criminal can today orchestrate a campaign whose technical footprint, two years ago, would have required a small team of skilled operators.

The operational consequence is a collapse in the attack lifecycle. AI-enabled cyberattacks increased 89% in 2025 compared to the previous year, while the average breakout time (the interval between an attacker’s first foothold and the first malicious action inside the network) fell to 29 minutes, a 65% acceleration from 2024. A response cycle measured in days or hours is no longer competitive with an attack cycle measured in minutes. This is the operational backdrop every CISO is now being asked to defend against, and it explains why 66% of organisations now lack strong confidence in their ability to detect and respond to threats across their cloud environments in real time, up from 64% a year earlier, despite rising budgets.

The economics are what make this structurally different from previous threat waves. Historically, cybercrime scaled with the number of skilled operators. Today, automation and generative tooling decouple capability from headcount. Industrialised ransomware, automated fraud and converging criminal enterprises are projected to lift the global annual cost of cybercrime to roughly USD 16tn by 2029, a figure that would place global cybercrime, if it were a national economy, close to the GDP of China.

Projected global cost of cybercrime (USD trillions, annualised)

Source: Statista, InterCapital Research

The pace of change in capability is illustrated with uncomfortable clarity in the first half of April 2026. Anthropic, the San Francisco frontier-AI laboratory, disclosed that its new cyber-focused model, Claude Mythos, had crossed a capability threshold the company itself judged too dangerous for general release. Internal testing, corroborated by external security researchers, demonstrated that Mythos could autonomously discover previously unknown, high-severity software flaws in every major operating system and every major web browser, including a 27-year-old vulnerability in OpenBSD, an open-source system underpinning much of global networking infrastructure. Independent assessments concluded the model could autonomously carry out advanced, multi-step cyber attacks that would take human professionals days. In one notable test, Mythos independently engineered a multi-step exploit to break out of a sandboxed environment, contacted an Anthropic researcher, and then published details of the breakout online.

Anthropic’s response, branded Project Glasswing, was to withhold public release and instead grant controlled access to a small group of vetted technology, cybersecurity and financial sector organisations, alongside offering USD 100m in testing credits. US Treasury and Federal Reserve leadership convened the largest US banks the same week; AI threats to the world banking system were a formal talking point at the spring IMF and World Bank meetings; the UK, Canada and other G7 governments summoned bank chiefs for parallel discussions. A competitor frontier lab followed within days with a similarly-gated release.

Regional confidence in national cyber preparedness (%)

Source: World Economic Forum, InterCapital Research

Cybersecurity has been absorbed into the broader sovereignty debate, and nowhere more visibly than in the European Union. Despite comparable GDP, the United States hosts roughly twice Europe’s share of global data centre capacity, with three US-headquartered hyperscalers accounting for approximately 65% of the EU cloud services market.

This matters for cybersecurity because the sovereignty gap is also a security gap. Confidence in national cyber preparedness is falling, with 31% of organisations globally expressing low confidence in their nation’s ability to respond to major cyber incidents, up from 26% a year earlier.

Workforce cybersecurity skills availability by region (%)

Source: World Economic Forum, InterCapital Research

Cybersecurity spend is becoming structurally non-discretionary. Regulatory regimes like NIS2, DORA, and the forthcoming CADA and comparable frameworks elsewhere are converting cybersecurity investment from an optional resilience upgrade into a compliance obligation. The result is a category whose growth profile is becoming more defensive, even against a weakening macro backdrop.

Claude Mythos is the clearest public signal yet that the availability of frontier AI capability is itself becoming a strategic input. When a private laboratory briefs a national Treasury and central bank before publicly releasing a product, the relevant comparison is no longer with other software products; it is with dual-use technologies subject to export controls and national-security-linked allocation. This reinforces two already-visible investment themes: the multi-year AI infrastructure buildout (compute, silicon, data centres and the power and grid investments to support them), and within cybersecurity itself, the structural advantage accruing to integrated platforms that can responsibly embed frontier AI capability. Consolidation is already the dominant operating theme, as tool sprawl pushes buyers from point tools toward platforms that can share context across identity, endpoint, network, cloud and data.

The overriding point is that cybersecurity is no longer about protecting an organisation from a statistically unlikely catastrophe. It has become a continuous operating requirement whose cost and complexity is going up, and whose strategic importance is now visible at the level of monetary policy and industrial strategy.