Cyber resilience has moved beyond the security function. It now sits at the center of economic stability, business continuity, and long-term value protection. The World Economic Forum Global Cybersecurity Outlook 2026 frames cyber resilience not as the ability to stop every attack, but as the ability to absorb disruption, continue operations, and recover without lasting damage to core business objectives.

This shift matters. Cyber incidents today are not isolated technical failures. They are economic events shaped by geopolitical tensions and digital fragmentation that increasingly influence global cyber risk.

TL;DR

• Cyber resilience now underpins economic stability
• Only 19% of organizations exceed resilience requirements
• Supply chain exposure and legacy systems remain top risks
• IT and OT convergence increases economic impact
• Leadership and ecosystem coordination define resilience

Cyber Resilience: Confidence Is Rising, Risk Is Not Falling

Survey data shows growing confidence in organizational cyber resilience.
64% of organizations say they meet their minimum resilience requirements, while 19% say they exceed them.

This marks a notable improvement. In 2025, only 9% of organizations reported exceeding resilience expectations.

Yet real-world incidents tell a different story. In 2025, ransomware attacks caused major operational disruption across sectors. In the United Kingdom alone, retailers such as Marks & Spencer, Harrods, and Co-op suffered outages and data loss. These incidents reflect the growing scale of cyber-enabled fraud as a global cyber threat, where financially motivated attackers increasingly target operational continuity rather than just data.

Organizational perception of cyber resilience

This table shows how organizations assess their own cyber resilience over time. While more organizations now believe they exceed minimum requirements compared to 2025, the majority still operate at a baseline level, leaving limited margin for large-scale disruption.

What Is Holding Cyber Resilience Back? 

The data highlights that cyber resilience is being strained less by single failures and more by systemic pressures. Rapidly evolving threats, supply chain exposure, and skills shortages together create compounding risk that is difficult to address in isolation.

Organizations report three persistent barriers to strengthening cyber resilience:

These challenges reinforce one another.

Third-party exposure has become especially critical, with attackers increasingly exploiting vendors and service providers as entry points. This risk is examined in depth in our analysis of supply chain cybersecurity risks in 2026.

At the same time, attackers are blending social engineering, financial fraud, and infrastructure compromise, accelerating the growth of cyber-enabled fraud campaigns across industries.

Legacy Systems and Security Debt Are Dragging Resilience Down

While organizations push forward with artificial intelligence, cloud platforms, and automation, many still depend on aging infrastructure.

31% of respondents identify legacy systems as one of their biggest barriers to cyber resilience.

Years of rapid innovation have created deep security debt. Speed often took precedence over secure design, resulting in layered controls rather than resilient architectures.

Cloud adoption highlights this imbalance. Cloud technologies rank as the second most impactful technology for cybersecurity in the next 12 months, even as many organizations remain mid-migration.

Technologies expected to most affect cybersecurity in the next 12 months

This table reflects how strongly organizations expect emerging technologies to shape cybersecurity risk in the near term. Artificial intelligence dominates expectations, but cloud reliance and quantum developments continue to demand sustained security attention.

The accelerating role of AI in both offense and defense is explored further in AI cyberattacks businesses can’t ignore in 2025 and the broader impacts of AI on cybersecurity.

IT–OT Convergence Is Expanding Economic Exposure

In industrial environments, the boundary between Information Technology (IT) and Operational Technology (OT) has largely disappeared.

Manufacturing, energy, transportation, and critical infrastructure now rely on integrated cyber-physical systems. While this convergence drives efficiency, it also increases the economic blast radius of cyber incidents.

OT environments remain difficult to modernize. Downtime affects safety, production, and revenue simultaneously, making resilience failures far more costly than in traditional IT environments.

OT security governance gaps

The figures reveal a significant governance disconnect in operational technology environments. Limited board oversight, fragmented ownership, and low monitoring coverage leave industrial systems exposed to high-impact cyber incidents.

This lack of visibility explains why supply chain exposure now ranks as the top cyber risk concern among highly resilient organizations.

Regulation Helps Build Resilience, but Fragmentation Slows Execution

Cybersecurity regulation is widely viewed as beneficial.
74% of respondents hold a positive view of cyber-related regulations.

Regulations help elevate cybersecurity discussions at the board level and drive baseline security improvements. However, fragmented global approaches introduce complexity, particularly for multinational organizations operating across jurisdictions.

In regions with more mature regulatory frameworks, perceived effectiveness is slightly lower, reflecting compliance burden rather than regulatory failure.

What Highly Resilient Organizations Do Differently

The Cyber Resilience Compass highlights seven traits consistently present in resilient organizations. Survey data reinforces these distinctions.

Hallmarks of cyber-resilient organizations

This comparison makes clear that cyber resilience is driven by leadership, governance, and process maturity rather than technology alone. Highly resilient organizations consistently outperform less resilient peers across skills, procurement, supplier oversight, and incident readiness

As K. Krithivasan, CEO of Tata Consultancy Services, notes:

“The businesses that succeed will not be those that avoid every cyber incident, but those that recover faster and stronger.”

Key cyber resilience trends in 2026, highlighting how emerging technologies, supply chain risk, and leadership practices shape organizational readiness and economic stability.

Cyber Resilience Is an Economic Multiplier

Cyber incidents now produce measurable macroeconomic consequences.

UK government estimates place the average cost of a major cyber incident at £195,000 per business, contributing to £14.7 billion in annual losses. The World Bank estimates that reducing major cyber incidents could raise GDP per capita by 1.5% in developing economies.

The 2025 Jaguar Land Rover cyberattack illustrates this systemic impact:

• £196 million in direct cyber costs
• Nearly 25% revenue decline
• Over 5,000 suppliers affected
• An estimated £1.9 billion loss to the UK economy

As Michael Miebach, CEO of Mastercard, explains: “Cybersecurity is fundamental to trust. True resilience is built through collaboration, not isolation.”

FAQs

What is cyber resilience?

Cyber resilience is the ability to withstand cyber incidents, continue operations, and recover without long-term business damage.

What do IT and OT mean?

IT refers to Information Technology systems like networks and applications. OT refers to Operational Technology controlling physical processes such as manufacturing and energy systems.

Why do supply chains matter so much?

A single weak supplier can expose multiple organizations and amplify economic disruption.

How does AI affect cyber resilience?

AI strengthens defenses but also enables more scalable and convincing attacks, increasing governance and testing requirements.

Does regulation help cyber resilience?

Yes, but fragmented global regulations increase operational complexity for multinational organizations.