2026 Cybersecurity outlook: Consumer markets

The rise of agentic commerce is upending legacy business models in the consumer markets industry, with AI-powered shopping agents reshaping how consumers discover products, compare them, and make purchases. Across the sector, organisations are accelerating digital transformation efforts to keep pace, but the rapid adoption of AI is expanding attack surfaces and intensifying cybersecurity risk exposure.

Alongside this shift, the sector faces longstanding issues rooted in a complex and fragmented tech environment. Many organisations continue to operate with a mix of legacy mainframes, on-site systems, cloud infrastructure, and assorted homegrown apps. This patchwork of systems exacerbates tech debt, complicating efforts to modernise cyber defences and effectively manage vulnerabilities across the extended ecosystem. This helps explain why consumer markets (CM) organisations say the threats they’re least prepared to address are cloud-related threats, third-party breaches, and attacks on connected products. 

Our survey data shows that 76% of CM companies plan to increase their cybersecurity budgets in 2026. Geopolitical volatility is a significant factor, with 56% of CM respondents saying they’ll increase cyber investments in response to heightened global uncertainty and emerging threats.

Even so, only 18% of CM organisations currently spend significantly more on proactive security measures (e.g., monitoring, assessments, testing, controls) than they do on reactive measures (response, remediation, recovery, fines). Most (74%) say their proactive/reactive cost ratio is roughly even or skewed toward reactive measures, which can be more costly. And just 16% measure the financial impact of cyber risks ‘to a significant extent’, potentially affecting decisions about which risks to prioritise.

Drawing on a subset of PwC’s 2026 Global Digital Trust Insights survey, this report captures the latest thinking from 603 global leaders in the CM industry, including consumer goods, retail, hospitality and leisure, and transportation and logistics. It explores the critical threats they feel least prepared to face, the factors influencing security investment and decision-making, and the role emerging technologies like AI and quantum computing are playing in shaping their cybersecurity strategies in 2026 and beyond.

Unclear ownership of critical cybersecurity systems and fragmented data environments are leaving key assets exposed across the CM industry. Siloed teams and differing views on security priorities contribute to inconsistent implementation of defences throughout the extended ecosystem. These internal challenges, combined with an evolving external threat landscape, create widening gaps that adversaries can exploit, potentially jeopardising operations and customer trust. 

• Loyalty programmes drive fraud risk: As consumer-facing brands expand loyalty programmes to deepen customer engagement, they accumulate vast amounts of personal data that should be secured. Our survey reveals that data protection is the No. 1 influence on cybersecurity spending decisions in the sector. The complexity of program rules and multiple access points amplify the risk of fraud and identity theft, making the safeguarding of loyalty programmes a central cybersecurity challenge. 
• OT vulnerabilities expose critical systems: Limited visibility and unclear ownership across manufacturing equipment, connected devices, and logistics technology can create blind spots. In our survey, CM leaders say gaps in OT skills, lack of network segmentation, and gaps in understanding the risks are their top three challenges to securing OT.
• Hybrid cloud security remains a persistent vulnerability: Migrating legacy systems to hybrid cloud architectures is exposing organisations to misconfigurations and gaps in protection. This complexity often leads to inconsistent security controls and increased risk across multiple environments. Our survey confirms this key cyber challenge, with cloud being both the top threat CM organisations are least able to address and the No. 2 cyber budget priority.
• Supply chain blind spots amplify cyber exposure: Dependencies on a vast network of suppliers and technology partners increase risk exponentially. Third-party breaches are the No. 2 threat CM companies feel unprepared to address. Without robust oversight, breaches in the supply chain can cascade into significant operational and reputational damage.
• Fragmented data undermines trust and AI potential: For many CM companies, customer data is scattered across hundreds of systems and locations, complicating both protection efforts and the effective use of AI for security automation. This dispersed environment heightens the risk of breaches and hampers the ability to maintain data integrity, which is essential for sustaining customer trust and leveraging AI-driven defences.
• Low investment in proactive security limits resilience: Only 18% of CM companies report spending significantly more on proactive versus reactive security measures, well below the all-sector average of 24%. This may reflect a disconnect between business leaders who expect early security involvement in new initiatives, and cybersecurity teams focused on threat detection and incident response. The resulting gaps increase vulnerability to evolving threats.

CM organisations should confront a uniquely complex cybersecurity landscape marked by fragmented technologies, sprawling supply chains, and rapidly evolving AI-driven risks. Building resilience requires a shift from siloed, reactive security efforts to coordinated strategies that align with business realities. To get there, consider these steps.

1. Modernise data management: Consolidate fragmented data and upgrade legacy systems to enable effective AI deployment and improve security operations. Coordinate with tech, risk, and data leaders to secure sensitive training data and reinforce AI model input/output governance.
2. Build AI security from the ground up: Embed Responsible AI principles across AI deployments and classify AI systems (including models, agents and their identities, applications and training data) based on sensitivity, criticality and exposure. Secure AI by expanding existing security controls to AI systems and identifying gaps where new capabilities are required.
3. Strengthen OT security and accountability: Conduct inventories of OT assets and establish clear ownership and responsibility. Create strong perimeters between IT and OT networks to prevent cross-contamination and lateral threat movement. Integrate OT governance into your architecture strategy to gain end-to-end visibility and controls across distributed environments.
4. Leverage AI for cyber defence: Deploy AI-powered tools to enhance threat detection, automate routine tasks, and provide faster, clearer insights to security teams. Integrate AI-enabled solutions across your security operations, from cloud security and endpoint protection to insider threat detection, allowing your teams to identify risks sooner and respond more effectively without overloading analysts.
5. Fortify third-party resilience: Map and understand critical dependencies on third-party providers. Identify single points of failure and design resilient architectures focused on enabling rapid recovery, acknowledging that multi-cloud redundancy is often impractical. Shift toward continuous monitoring of third-party risks rather than relying solely on periodic assessments, improving real-time visibility and response readiness.
6. Secure identity and access management: Adopt a secure-by-design framework for connected products throughout the operational life cycle. Enforce consistent identity, access, and policy controls across third-party platforms, APIs, and integrations.
7. Invest proactively: Assess the long-term costs of reacting to security incidents versus investing proactively in cyber defences, managed services, insurance, compliance, etc. Business and cyber leaders should work together to proactively map future budget needs and foster ROI-driven funding models so the organisation can invest wisely in security technologies and skills.