Managing cyber risk under escalating threat and enforcement pressure

Cyber law and practice have continued to evolve over the past 12 months.

New laws and regulations have been unveiled or come into force, while enforcement authorities have sharpened their focus on issues including board oversight and third-party risk.

The incident landscape has been dominated by a more fragmented and unpredictable ransomware ecosystem, sophisticated state-linked campaigns, supply chain breaches and high-impact outages.

This article explores the key themes that we have seen emerge over the last year and the practical implications for organizations in 2026.

Cybersecurity and operational resilience: the state of play

The overall threat picture remains elevated.

Ransomware groups continue to cause significant issues, with operational disruption, data theft and double extortion tactics now routine. The disruption by law enforcement agencies of established ransomware-as-a-service groups was a great success but has led to the emergence of more loosely affiliated groups, whose behaviors are often more aggressive and difficult to predict than has been the case in the past.

State-linked actors have expanded their campaigns from traditional espionage to pre-positioning in critical infrastructure and supply chains. Insider-enabled incidents and fraud campaigns also persist.

Resilience concerns now extend beyond primary systems. Recent outages show how a single defective update affecting a widely used technology solution can disrupt operations across geographies and sectors. Boards and regulators increasingly demand clear evidence of dependency mapping and tested workarounds for supplier failures. As a result, organizations are investing in architectural isolation and manual fallback procedures and are paying close attention to their contractual rights in the event of an outage or security incident.

Regulatory trends

In the UK, the Cyber Security and Resilience Bill is progressing through Parliament, expanding existing legislation (the Network and Information Systems Regulations or NIS) to encompass more critical sectors and services, while imposing tougher incident reporting and allowing for higher fines.

In late 2025, the UK government confirmed its plans to ban ransomware payments by all public sector bodies and operators of critical national infrastructure, and to introduce a mandatory ransomware payment prevention regime (which includes mandatory reporting of ransom payments to the authorities). Details of this reform are likely to be the subject of intense debate in 2026.

In the EU, the first public enforcement of the Digital Operational Resilience Act (DORA), relating to the EU financial sector, is still awaited while the majority of Member States have now transposed the Network and Information Security Directive (NIS2) into national law, broadening the population of in-scope “essential” and “important” entities that are subject to baseline cybersecurity standards.

On the product security side, reporting obligations under the Cyber Resilience Act (CRA) will come into force in 2026, imposing new duties on manufacturers, importers and distributors of digital products for the EU market ahead of full implementation in 2027. The exact scope of these roles is still a matter of some debate, particularly in sectors which are already heavily regulated such as financial services.

In the U.S., securities, consumer protection, and sectoral regulators have each emphasized truthful, complete and timely cybersecurity disclosures. The message from enforcement agencies is now clear: beyond having technical controls, companies must maintain disclosure controls and procedures that ensure incident assessment, materiality analysis, and escalation to senior management and the board occur on a documented, defensible timeline.

Across APAC, several jurisdictions have expanded incident notification duties, clarified critical infrastructure obligations, and launched sector-specific resilience expectations, particularly for financial services, energy, and telecommunications.

While terminology and thresholds differ, there is a clear direction of travel, in APAC and elsewhere: an emphasis on resilience, more entities in scope, specific standards, and greater scope for enforcement.

Third-party and supply chain risk

Third-party risk management has matured beyond questionnaire-based diligence. Supervisors and customers alike now expect proportionate but meaningful assurance mechanisms, including evidence of continuous monitoring, right-to-audit frameworks, and contractually mandated control baselines. With critical ICT service providers now being directly regulated in some jurisdictions and sectors (in particular, under the EU’s DORA and the UK’s Critical Third Parties regime for the financial sector), appropriate oversight of key third-party suppliers will be an important theme in 2026.

Incident reporting and disclosure: harmonization and complexity

Faced with new laws and regulations, organizations must navigate an expanding patchwork of notification obligations across privacy, cybersecurity and sectoral regimes. Thresholds vary from “major” to “significant” or “likely to result in a risk to individuals”, with deadlines ranging from hours to days. In the EU in particular, efforts are ongoing to streamline or harmonize overlapping notification regimes (for example, parallel obligations under DORA and the CRA).

To meet this challenge, many global organizations are developing playbooks that distinguish between security incidents, data breaches and operational outages, each with tailored ownership, timelines, and content.

Ransomware, sanctions, and payments

Sanctions risk and anti-money laundering considerations remain central to ransomware response. Authorities continue to stress the need for robust due diligence and documentation of the alternatives considered, and encourage prompt reporting to relevant agencies.

Where payments are contemplated, boards and crisis management teams are requiring legal support, insurer engagement protocols and law enforcement outreach strategies.

This is a particular concern where legislation restricting the payment of ransoms is in force or is contemplated, including in the UK and Australia.

Board and management oversight, and whistleblowing

Management accountability has become a significant supervisory and enforcement theme, with the emerging risk of direct regulatory enforcement against individuals.

Boards and management teams are expected to be conversant in cyber risk, to receive regular and decision-useful reporting, and to oversee investment, testing, and remediation with appropriate challenge. Many organizations now maintain a standing cyber risk committee or embed cyber into existing audit and risk committees.

Whistleblowing related to cyber risk is becoming more frequent. Effective programs provide trusted channels for escalation, protect confidentiality, and demonstrate timely investigation and feedback. Misaligned reporting lines, particularly where the CISO lacks direct access to the board or is subsumed within IT operations, remain a common driver of external whistleblowing. Organizations are re-evaluating CISO positioning, independence, and resourcing, and ensuring that incentives do not penalize transparent reporting of issues or near misses.

What organizations should prioritize in 2026

Organizations that are performing well against emerging expectations share several characteristics:

  • They maintain a current, risk-based cybersecurity control baseline aligned to applicable frameworks and can evidence its operation through testing and audit.
  • They operate mature reporting triggers that connect incident response to legal and regulatory materiality analysis and board reporting.
  • Their third-party risk management extends beyond contracting to real operational readiness with critical vendors, including tested fallback procedures.
  • They align public statements about cybersecurity with internal assessments and remediate gaps before making claims.
  • Critically, they prepare for disruption and test their ability to recover. Regular, realistic exercises across legal, technical, operational, and communications teams remain the best predictor of an effective response.

A&O Shearman’s cybersecurity team advises across the full lifecycle, from governance and resilience design through incident response and regulatory engagement to remediation and dispute resolution. Our global team is available around the clock to support complex, cross border matters. Please contact the authors of this article or your normal A&O Shearman contact to find out more.

This article is part of the A&O Shearman cross-border white-collar crime and investigations review 2026.