Cyber’s Lehman Moment, Could 2026 Mark a Turning Point for Digital Systemic Risk?

Posted on May 20, 2026


I still live in hope that 2026 will mark the point at which cyber security is no longer treated as a technical or compliance function, or as just a security issue, but is accepted in its true role in the global economy as a core pillar of trust, resilience and macro-economic stability: a systemic risk. That would be helped in no small part by the AI frontier model revolution, which has peeled back the evidence of cyber risk we all honestly knew existed, as I have written about earlier in ‘Duty of Care in a Post-Mythos World’ … That said, the ghost of years past may rear its head and prove 2026 to be yet another year we look back on to review a litany of headline-grabbing cyber failures on an unprecedented level, before cyber security is treated as a pillar of any business model.

I pose this following a reflection on the 2008 financial crisis, which was not caused by bad actors alone but by a system that rewarded leverage, obscured risk and socialised losses until trust itself failed. I believe cyber risk now exhibits uncannily similar structural characteristics, which are now clearly evidenced using Mythos-class AI capabilities (so no hiding, Mr. Board Member), and that we can draw some lessons from the past.

Automation, platform concentration and AI have created digital leverage that amplifies small vulnerabilities into systemic shocks, not just through the discovery at machine speed of unidentified vulnerabilities but also by chaining together and weaponising both unknown vulnerabilities and those formerly identified as inert, while accountability remains fragmented and losses diffuse. The lesson of 2008 was that stability cannot be achieved through firm-level controls alone; it requires system-level oversight, transparency and enforceable responsibility.

It is long overdue. For years, cyber-crime has been framed as a technology problem or a matter for law enforcement. That framing is now obsolete.

At today’s scale, cyber-crime behaves less like isolated criminal activity and more like a systemic economic risk, analogous to the conditions that preceded the global financial crisis. The danger is not simply that organisations are breached, but that trust in the digital economy’s foundations (identity, integrity, provenance and availability) is steadily eroded.

Modern cyber-crime exploits a form of digital leverage. Automation, cloud platforms and credential reuse, now on steroids with AI, allow a single vulnerability or exploit to be replicated globally at near-zero marginal cost. Losses propagate non-linearly across sectors and borders, while responsibility fragments across supply chains and jurisdictions. This mirrors the pre-2008 financial system, where leverage and complexity outpaced governance. Just so we recognise the magnitude of what is at play in cyber:

At $212 billion, cybersecurity spending is comparable in scale to mid-sized national economies, with double-digit growth rates (often 12 to 15%+ annually). Despite this, it amounts to only a fraction (2%) of the projected $10.5 trillion in cybercrime damages. That gap highlights the scale of persistent risk and under-investment relative to harm. That harm would rank 3rd on a GDP scale, behind only the US and China.

On capital efficiency alone, cyber-crime outperforms almost all legitimate economic activity. Criminal platforms such as ransomware-as-a-service and industrialised fraud operate much like synthetic financial instruments. They do not create new value; instead, they malevolently multiply exposure to the same underlying weakness. Returns are privatised, while losses are diffuse, absorbed by victims, customers, insurers, shareholders and ultimately the state or, do I need to remind you, the taxpayer! This is classic moral hazard.

Cyber-crime compounds faster than almost any legitimate economic sector. As long as probability of capture × penalty < expected proceeds, rational actors continue.

Whilst defensive cyber spend continues to rise, it remains structurally misaligned. Defence is lamentably organisation-centric and reactive, whilst attack is hyper-efficient, system-centric and compounding. As in finance, resilience at the individual organisation level does not guarantee stability of the system.

The true systemic failure mode is not ‘more breaches,’ but a collapse of trust that slows transactions, raises verification costs and constrains digital growth, the cyber equivalent of a credit freeze.

We have crossed the Rubicon: cyber-crime is no longer merely a security concern, it is a macro-prudential risk and needs a commensurate response. As the parallels with the financial crisis of 2008 suggest, the cost of delayed recognition is high and touches every pocket. Until it is treated accordingly, cyber-crime will continue to outperform most legitimate economic activity on pure return metrics.

If this resonates, you might like to dip into a longer thought piece that expands this argument and outlines why stabilising the digital economy will require system-level regulatory mechanisms, not just more tools: independent assurance, verifiable provenance, breach-assumed stress testing and clearer accountability.