AI poses new forms of cyber risk to organizations
The cybersecurity sector faced historic pressure in 2025. New AI tools changed the way we work, but at the same time posed new forms of cyber risk to organizations who adopt them.
 |
Meanwhile, cybercrime groups employed an evolving menu of techniques to disrupt key industries, forcing businesses and government authorities to shift their emphasis toward operational resilience and managing the long-term financial impact of cyber incidents.
Here are five key trends that will shape cyber in 2026:
1. AI governance and guardrails now front and center
The adoption of artificial intelligence moved faster over the past year than most anyone could have anticipated.
An international arms race has commenced between major economic powers, led by the U.S. and China, over who will lead AI transformation. At the same time, companies are rushing to incorporate AI into their profit models, betting both on major gains in productivity as well as the technology supercharging their core product lines.
But this rapid embrace of AI brings growing concerns over whether companies have created the proper guardrails and governance structures to ensure their AI programs are secure and cannot be used by malicious actors to exfiltrate corporate data, exploit customers or compromise supply chains.
“There is a gap between how fast organizations are adopting AI and the maturity of their governance framework,” Morgan Adamski, cyber, data and tech risk deputy leader at PwC told Cybersecurity Dive. “Many are experimenting with agentic and generative AI to drive productivity or efficiency, but often, there are no guardrails in place from a security perspective.”
AI has moved quickly to become one of the top business cyber risks among global companies. A January report from Allianz Commercial shows AI risk jumped from number 10 to the second-leading business risk concern over the past year, based on a survey of more than 3,300 risk management professionals.
Look for AI risk to drive organizations in 2026 to focus more on establishing proper parameters and security for their AI programs.
2. Cybersecurity regulatory shifts shape disclosures
The regulatory environment for cyber has undergone significant changes in the past year. The Trump administration shifted toward a more nuanced approach, both in terms of oversight and implementation of cyber risk compared with how the Biden administration regulated it. That means oversight in the information security space is not going away but instead will allow markets forces more room to operate.
“Rather than uniformly pulling back or pursuing broad regulatory expansion, the government is continuing to assess where clearer expectations, coordination, or enforcement are warranted in response to a dynamic threat landscape,” said Haiman Wong, resident fellow, cybersecurity and emerging threats at the R Street Institute.
This is particularly the case for critical infrastructure, which is largely owned by the private sector and already faces heightened cyber risk.
A November 2025 decision by the Securities and Exchange Commission to drop a landmark civil fraud case against SolarWinds was widely considered a welcome development for the business community. The 2023 suit alleged that SolarWinds failed to disclose known cyber risks to investors during the years leading up to the 2020 Sunburst cyberattacks.
A federal judge had previously dismissed most of the allegations on the grounds the SEC misapplied a Depression-era law to the company’s alleged failure to implement security controls. That legal resolution was also seen as a win for the CISO community, as SolarWinds’ CISO Tim Brown had also faced enforcement action by the SEC in the regulatory agency’s case.
Sagar Ravi, a partner at McDermott Will & Schulte and a former chief of the Complex Frauds & Cyberscrime Unit at the U.S. Attorney’s Office for the Southern District of New York, said the decision to drop the SolarWinds case hopefully signals a move to recognize companies should not be punished for falling victim to sophisticated cyber threat actors. It also emphasizes the need for cyber risk transparency, he said.
Read More in Strategy
“I think the focus is going to be on [enforcing] cybersecurity disclosure rules” in material incident reports on form 8-K or additional disclosures of strategy in annual reports, Ravi told Cybersecurity Dive.
Ravi hopes the SEC instead emphasizes ensuring proper post-breach disclosure rather than conducting investigations that review pre-incident decision making.
3. Cyber insurance enters new phase in pricing, coverage
The insurance market has seen its share of turbulence as it struggled to address cyber risk. For years, companies struggled to obtain cybersecurity coverage amid the increased threat of ransomware and fears about the rise of state-linked hackers.
Most recently, global insurers have expanded their commitment to cyber risk, and recent legal cases involving war exclusions language related to the NotPetya attacks has provided greater clarity on coverage. Even so, the insurance industry has begun questioning its dependence on the U.S. market, and whether current premium levels for cyber insurance can remain over the long haul.
That could mean diversification of the cyber insurance market. Large corporations in the U.S. represent a significant percentage of U.S. policy holders in the cyber market, so insurance companies need to expand into new markets such as small- to midsized businesses, risk analytics firm CyberCube said in a September report. Specialist insurer Beazley late last year said it remains committed to the U.S. market, but warned of a weak pricing environment for cybersecurity coverage.
In order to maintain favorable coverage, insurers are now heavily scrutinizing enterprise security practices, according to risk experts.
“Not too long ago, you could get cyber insurance with basic antivirus and a firewall,” Monica Shokrai, head of business risk and insurance at Google Cloud said. “Today, if you don’t have phishing-resistant MFA, XDR and immutable backups, you won’t just pay more. You may not get access to coverage.”
4. CVE crisis resolved while patching challenges remain
One of the most pressing challenges for security teams in recent years has been how to identify, prioritize and remediate critical flaws discovered in widely used software.
These security vulnerabilities are often the gateway used by hackers to launch malicious cyberattacks by abusing the very security tools and software that critical industries and government agencies rely on to manage and protect their IT networks and maintain operational resilience.
The security sector was thrown into crisis in April of last year when U.S. government funding nearly collapsed for the Common Exposures and Vulnerabilities (CVE) program. An agreement was eventually reached between CISA and the Mitre Corp. to maintain support for 11 months, and CISA officials in September pledged to back future funding, releasing a road map that outlines additional support measures.
“CISA is asserting our leadership role to modernize the CVE Program, broaden adoption of known exploited vulnerabilities and reduce the prevalence of vulnerabilities by driving adoption of Secure by Design principles,” Nick Andersen, executive assistant director for cybersecurity at CISA told Cybersecurity Dive earlier this month. “In collaboration with the global cybersecurity community, CISA is working to deliver a well-governed, trusted, and responsive CVE Program aimed to enhance the quality of vulnerability data and global cybersecurity resilience.”
Software security experts say the CVE funding crisis is a wake-up call for the industry to develop proactive measures to finally address insecure software.
“Organizations need multisource, context-aware intelligence layered on top of CVE so each record reflects what actually matters: Exploitability, reach, prevalence in real dependency graphs, and whether there’s a safe upgrade path,” Brian Fox, co-founder and CTO at Sonatype told Cybersecurity Dive.
5. Operational resilience becomes the new watchword for cyberattack readiness
During much of 2025, companies around the globe were forced to confront a significant shift in cyber resilience. Cyber threat groups were no longer focused just on the exfiltration of data as their main objective, but instead on causing massive disruption to business operations.
A social engineering attack on UK department store Marks & Spencer, the hack of United Natural Foods and a crippling hack of automaker Jaguar Land Rover served as graphic examples in 2025 of how easily a successful cyberattack can disrupt production capacity, as well as major supply chains.
Security researchers said those cyberattacks were part of a deliberate strategy by threat actors to impose maximum pressure on major industries for monetary gain.
“Over the past year, we witnessed a fundamental shift in the attacker playbook, where financially motivated groups like Muddled Libra (Scattered Spider) moved beyond simple data theft to deliberate operational sabotage,” said Sam Rubin, senior vice president, Unit 42 at Palo Alto Networks. “By exploiting the human element through sophisticated ‘vishing’ and manipulating help desks, these actors proved they could paralyze entire enterprise networks and stop businesses in their tracks to maximize extortion leverage.”
Corporate boards and C-suite executives are under pressure to ensure cyber risk is a key factor in their overall business resilience strategy, experts said security leaders will be tasked with developing specific plans on how to maintain operations and protect supply chains in the face of a catastrophic IT or security event.
