The next cyber crisis may start in someone else’s supply chain

Organizations are getting better at some aspects of risk management but remain underprepared for the threats reshaping the business landscape, according to a new Riskonnect report. The findings show a growing gap between awareness and action as technology, politics, and global markets shift faster than most companies can adapt.

Political and geopolitical risks move to the front

Political instability has become one of the top three threats to businesses. Nearly all risk leaders in the survey said political risks are affecting their organizations, and many described the impact as significant or severe. Hiring, technology investments, and expansion plans have all been delayed due to domestic political uncertainty.

Despite this, only a small share of respondents said they feel well prepared to manage or recover from political risks. Companies had time to anticipate policy changes but failed to act early. The report suggests some underestimated how fast those shifts would take effect, while others assumed campaign promises would not become law.

At the same time, geopolitical risk planning is improving. Two-thirds of companies entered 2025 with a plan to manage geopolitical volatility, up from just 19% a year earlier. Still, only 18% feel very prepared to manage or recover from such events. Many plans focus narrowly on specific conflicts or trade policies and fail to address cascading impacts like supply chain disruptions or cyberattacks.

Cyber exposure grows with global tensions

Trade conflicts and political rifts are creating more opportunities for cyberattacks. Most risk leaders said restrictive trade policies or long-term disputes would increase their exposure to state-sponsored threats. These risks are amplified by weak visibility into digital supply chains, where vulnerabilities often lie beyond direct partners.

Organizations have improved oversight of their direct partners, but few can see beyond the first layer. This limited view leaves blind spots that attackers can exploit, particularly through third-party software or service providers.

“We’re in a new generation of risk, one where cyber, geopolitical, technology, political risk, and other factors are converging and reshaping the landscape. The impact on markets and operations is unfolding faster than many organizations can keep up,” said Jim Wetekamp, CEO of Riskonnect.

AI creates opportunity and risk

Agentic AI, which can act autonomously within defined goals, is gaining attention as a useful tool and a major risk factor. Nearly 60% of companies are considering using agentic AI in operations or products, but over half have not assessed the risks. Some leaders do not even know whether their organization is exploring the technology, revealing a lack of oversight.

For generative AI, only 12% of companies feel very prepared to assess or manage related risks. Most lack policies for employee use or for partners and suppliers.

Third-party weaknesses

Third-party and nth-party risks continue to expose companies to disruption. Most organizations have business continuity plans for supplier disruptions, but their monitoring often stops at direct partners. Only a small fraction can monitor risks across multiple tiers of their supply chain, and some cannot track their critical technology providers at all.

Organizations still underestimate how dependent they are on third parties and continue to rely on paper-based continuity plans that offer a false sense of security.

Risk teams lean on AI

Risk teams are turning to AI to help manage their workloads. Seventy percent of organizations are using or planning to use AI for risk management, up from 62 percent last year. The top use cases include assessing risks, forecasting, and scenario planning. More companies are also running worst-case simulations, suggesting AI tools are helping teams take a more proactive approach.

More companies now have a chief risk officer, but funding for technology and tools has barely moved. Most risk leaders say their budgets have stayed the same even as they are asked to cover more ground. Many are turning to automation and specialized software to do more with what they already have.
