Geopolitical Cyber Risk in 2026: A Briefing Framework for Boards and CISOs
Nation-state cyber operations have moved from targeted espionage to broad pre-positioning and disruptive campaigns affecting commercial organisations. This briefing provides CISOs with a framework for assessing and communicating geopolitical cyber risk to boards.
Geopolitical cyber risk used to be a concern for government contractors and critical infrastructure operators. In 2026 that boundary has dissolved. Commercial organisations — pharmaceutical companies, logistics firms, financial institutions, technology suppliers — are now regularly caught in campaigns designed to either disrupt or pre-position within Western economic infrastructure. The question for most boards is not whether this risk exists, but how to think about it and what governance response is proportionate.
This briefing provides a framework CISOs can use to structure the conversation with boards that may have limited prior exposure to the topic, alongside specific actions that translate the risk into governance decisions.
Why This Risk Has Changed
The shift has been gradual but cumulative. Three changes in the past three years have moved geopolitical cyber risk from background noise to boardroom agenda:
Targeting has broadened from government to commercial. Salt Typhoon’s documented compromise of US and UK telecommunications providers — gaining access to lawful intercept infrastructure — is the clearest recent example. The targets were not government agencies; they were commercial telcos operating regulated national infrastructure. Volt Typhoon has spent years pre-positioning in US and UK utilities, water systems, and communications networks. The stated intent, per joint intelligence assessments, is to enable disruption capabilities that can be activated during geopolitical escalation, not immediate intelligence collection.
Supply chain compromise has made indirect exposure the norm. The SolarWinds intrusion and its successors demonstrated that nation-state actors are willing to compromise a trusted software vendor to reach thousands of downstream targets simultaneously. For any commercial organisation consuming managed services, cloud infrastructure, or enterprise software, the question is not “are we a target?” but “are any of our suppliers targets whose compromise would reach us?”
Ransomware ecosystem overlap has blurred attribution. Groups with assessed ties to Russian and North Korean intelligence have run ransomware operations themselves or supplied capabilities to criminal groups. Financial damage from a “cybercrime” ransomware incident may therefore be the direct result of a state-linked operation. The DPRK’s Lazarus Group, which has stolen billions from cryptocurrency exchanges and financial institutions, is assessed to fund state weapons programmes through these operations. The distinction between geopolitical and financial cyber risk has become difficult to maintain in practice.
The Four Threat Actor Tiers
For board communication, it helps to frame nation-state risk across four categories of adversary:
China (PRC) — Espionage and pre-positioning: Primary objectives are intellectual property theft, strategic intelligence collection, and establishing persistent access in critical infrastructure for future contingency use. Commercial organisations in sectors relevant to PRC industrial strategy (semiconductors, aerospace, pharmaceuticals, energy technology) face elevated targeting risk. The pre-positioning in infrastructure (Volt Typhoon) has no immediate commercial impact — its significance is strategic.
Russia — Disruptive capability and financial enablement: Russian state operations blend intelligence collection with disruptive capability development. The ongoing conflict in Ukraine has operationalised disruptive techniques at scale, and there is documented spillover to Western commercial targets. Additionally, the ecosystem of financially motivated ransomware groups operating from Russia — some with intelligence service connections — represents both a direct financial risk and an intelligence collection vector.
Iran (IRGC) — Opportunistic targeting and retaliatory disruption: Iranian cyber operations have focused on espionage against defence, energy, and government targets, with a secondary strand of financial fraud (cryptocurrency theft) to circumvent sanctions. The risk profile for most commercial organisations is lower than PRC or Russia, but organisations with Middle East operations, energy sector exposure, or government contracts warrant elevated attention.
North Korea (DPRK) — Financial theft: The DPRK cyber programme is operationally distinct from the others in that financial theft is a primary objective, not a side effect. Cryptocurrency exchanges, DeFi protocols, financial institutions, and their technology suppliers are high-priority targets. For organisations in financial services and technology, the DPRK risk is concrete and financially material.
What Boards Should Ask
Boards are not expected to assess technical threat actor TTPs. They should ask whether the organisation’s risk management framework accounts for this category of risk and whether the security programme is resourced to respond. Specific questions that drive productive governance conversations:
“Which of our critical systems or data would be of interest to a nation-state actor?” This question forces a segmentation of assets by sensitivity rather than just regulatory classification. Intellectual property, customer data in sensitive sectors, access to critical suppliers, and participation in regulated infrastructure all create exposure.
“Are we aware of compromises at our major technology suppliers in the past 12 months, and do we know our exposure?” Third-party breach notification is inconsistent. Organisations should be actively monitoring for incidents at critical suppliers rather than waiting for notification.
“What is our resilience posture if a critical system is unavailable for 72 hours?” Pre-positioned attackers may not activate capabilities for months or years. But when they do, the impact can be disruptive rather than data-centric. Business continuity planning that doesn’t model the loss of IT-dependent OT systems or key SaaS platforms is incomplete.
“How are we monitoring for indicators of pre-positioning activity in our environment?” Persistent access by sophisticated actors is designed to be quiet. Passive network monitoring and standard endpoint telemetry miss much of what nation-state actors do inside networks. Threat hunting programmes specifically focused on living-off-the-land techniques and credential harvesting are necessary to detect this activity.
Translating Risk into Governance Decisions
The practical governance outputs from this risk category are:
Investment in detection, not just prevention: Nation-state actors are resourced to bypass perimeter controls. Board-level security investment discussions should include the detection and response programme, not just firewall and endpoint spend.
Third-party risk programme expansion to include compromise monitoring: Traditional vendor risk management focuses on contractual and compliance controls. In the current threat environment, it needs to include active monitoring of reported incidents at critical suppliers and tabletop scenarios for key supplier compromise.
Resilience planning for destructive scenarios: Most BCP is designed for ransomware (recover the data) or availability incidents (fail over to a backup system). Pre-positioned actors with destructive capability can target backup infrastructure specifically. The resilience model needs to contemplate simultaneous loss of primary and backup systems.
Regular executive and board briefings on the threat picture: The threat actor landscape changes quarterly. Intelligence briefings to the board — drawing on government advisories, industry threat sharing, and the organisation’s own telemetry — should be a standing agenda item rather than an ad hoc escalation when an incident occurs.
The goal is not to alarm boards about risks that are inherently difficult to quantify. It is to ensure that security investment decisions, resilience planning, and supply chain governance are made with accurate threat context rather than assumptions calibrated to the threat environment of five years ago.