The year 2025 redefined the cyber threat landscape, as attacks escalated from data breaches to crippling business-wide disruptions. Last year’s cyberattack on Jaguar Land Rover halted production lines for five weeks, prompting the British government to step in with a $2 billion bailout.
This episode captures what changed in 2025: Rather than stolen data making headlines, it was business stoppage that triggered attention. Moving into 2026, the board’s focus should be on ensuring business continuity and building resilience in the face of emerging risks generated by AI usage and attack vectors, quantum computing and geopolitics.
Below we look at four risks reshaping organizational resilience—risks that can impact operations, supply chains, revenue and credibility.
1. AI as force multiplier for cybercrime
AI risk is not only about attack severity, but also about frequency and more surgical attacks at scale. But what the board forgets is that AI can attack at the very root of an organization’s fabric, and that concerns trust. Data drives executive-level decision-making, that’s a fact. And the more organizations lean on dashboards, automated workflows and AI-assisted decision-making, data integrity itself assumes greater importance. If inputs are manipulated, incomplete, or quietly corrupted in the background, organizations will start to drift operationally, and this will only become apparent when course correction is no longer feasible, and the damage has already been done.
2. Supply chain risk is first-party risk
Partners form the backbone of every successful organization, which operates as a dispersed ecosystem with data moving among cloud platforms, suppliers, managed services providers, and vendors. Attackers continuously probe weaknesses across the supply chain, and when an incident begins with a third-party, the organization cannot divest itself of responsibility. Any reputational and commercial impact falls on the organization because it is the better known entity. Public opinion doesn’t care where an attack originated; their focus is on the brand they associate with as a customer.
3. Quantum risk looms large on the horizon
With quantum computing, the challenge isn’t that the most “unbreakable” encryption will break tomorrow. The problem lies in making the transition to post-quantum cryptography (PQC). Encryption is deeply embedded across legacy system devices, applications, and partner communication, therefore the shift towards PQC will take considerable time. While quantum computing deployment is relatively years away, an organization’s failure to plan for this new order will be caught on the backfoot. Another quantum risk is the amount of time organizations are storing sensitive data. If there is incentive to protect it over a long term, the risk increases when quantum arrives on the stage.
4. Geopolitics makes cyber harder to plan and resolve
Organizations caught in the crosshairs of a geopolitical tug-of-war between nation-states will encounter a greater degree of unpredictability while addressing cyber risks. They have to manage crime, disruption, and strategic pressure, which are the core objectives of attacks launched by state actors. More importantly, the defense and containment mechanism has to manage cross-border complications, especially for organizations operating across multiple jurisdictions. Geopolitical risk demands a public-private partnership to build resilience, but the board must keep in mind that corporate actions shouldn’t be driven by political ends. This tension can become a large part of the risk environment.
A Pragmatic Roadmap for Addressing Risks
AI, geopolitics, third-party and quantum are obvious risks, but they are also drivers of an organization’s journey towards resilience in 2026 and beyond. To enable safe AI use and clip its wings when needed, pre-define decision rights and escalation triggers. Assign human ownership (“human-in-the-loop”) to system isolation, slowing or stopping high-risk activity, and pressing the kill switch. Also consider who notifies regulators and approves external communication when things go south.
From a geopolitical standpoint, be sure to gain complete visibility into critical suppliers, cross-border data flows, and technology dependencies concentrated in a single region. This will help inform the organization as to which business function is most vulnerable in the event of a sudden shift in geopolitical winds.
Whether AI or geopolitics, the focus should be to lead with resilience by setting a threshold for the organization to operate without reliance on critical systems. This helps to define the “minimum viable company”—the processes and datasets that must remain available and trustworthy during any disruption.
Third-party risk can be managed by following the data. Draw a map of how information and its access move across the supply chain and partners, and zero in on weaknesses that can be exploited by attackers. Work with vendors and suppliers to plug these gaps. Prepare fallbacks to ensure business continuity.
In Summary
Build future-readiness into the resilience strategy. Inventory all organization-wide assets that are protected with encryption, prioritizing sensitive data, and commit to a staged multi-year plan to be prepared for a quantum world.
Boards will be rewarded for treating AI, third parties, quantum, and geopolitics as a single connected resilience agenda, not as four separate issues. Resilience is not about preventing every attack, but about keeping the business functioning despite attacks that disrupt operations.
