DORA and NIS2 changed the compliance landscape in a specific and uncomfortable way. C-suite executives can now be held personally liable for failing to implement adequate security controls. That is not a technicality buried in regulation. It is a direct consequence of years of organizations treating cybersecurity as something the IT team handles. The data behind the 2026 threat landscape is not abstract. Manufacturing has been the most targeted industry globally for five consecutive years. Financial services saw a 27% surge in attacks in 2025 and 2026. Retail breaches from public-facing app exploits are up 44%. And energy infrastructure is now being targeted through the same IoT sensors used to manage grid reliability. So here's the thing: the question for C-suite executives is not whether their organization will face a security incident. It is whether they will be ready when it happens, and whether the board will ask why controls were not in place sooner.
27.7%: share of all cyber incidents observed by IBM that occurred in manufacturing and automotive, making it the most targeted sector globally for the fifth year running.
4x: increase in large supply chain and third-party compromises since 2020, per IBM. The risk is no longer just the office network. It extends to factory floors and software-defined vehicles.
27%: surge in attacks on financial services in 2025 and 2026, largely driven by credential harvesting. Banking faces the highest triple penalty: regulatory fines, data value on the black market, and operational downtime.
44%: increase in retail breaches driven by public-facing app exploits. Attackers now use AI to scan for misconfigured systems at a speed that human security teams cannot match.
Manufacturing and automotive: The most targeted sector, with a growing attack surface
Manufacturing has been the number one target for cyber attackers globally for five consecutive years. 27.7% of all IBM-observed incidents occurred here. The just-in-time nature of automotive supply chains makes them attractive targets for extortion: stop a production line and the cost of downtime is immediate and measurable. But here's the problem that is less discussed: the attack surface has expanded significantly. Software-defined vehicles and factory floor operational technology are now entry points that did not exist in previous threat models. New 2026 cyber-physical resilience mandates specifically address the risk of a server-level compromise causing a safety failure in a vehicle or on an assembly line. C-suite executives in this sector are now managing a security perimeter that extends from the server room to the vehicle on the road.
Banking and financial services: Personal liability, regulatory pressure, and credential theft
Financial institutions face what IBM describes as the triple penalty: regulatory fines, the high black-market value of financial data, and significant operational downtime when systems are compromised. The 27% surge in attacks in 2025 and 2026 was largely driven by credential harvesting, which means the entry point was usually a person, not a technical vulnerability. On the compliance side, DORA and NIS2 have introduced a specific provision that C-suite executives in financial services need to understand clearly: personal liability for failing to implement human-centric security controls. And 9% of banks are now fully live with tokenized assets, which moves value into more secure encrypted environments. But the institutions not yet taking that step are managing exposure that regulators are increasingly looking at directly.
Energy and utilities: Extortion without encryption, and IoT as the new entry point
The energy sector is seeing a shift in attacker behavior. Extortion-only attacks have increased, where hackers do not encrypt data at all. They threaten to leak it or disrupt service, which is often enough to extract payment without the technical complexity of ransomware. IBM also identifies a specific compounding risk: extreme weather events create physical disruption that attackers use for reconnaissance, looking for systems that are already stressed and less monitored. And 47% of energy leaders cite cooling and power constraints as their biggest reliability risk. Those same constraints, managed through IoT sensors, are now being targeted. C-suite executives in energy need to treat grid-edge AI and IoT infrastructure as part of their security perimeter, not as separate operational technology outside the security team's scope.
Telecommunications and media: High-value targets for data theft and backbone disruption
Telecoms and media companies are attractive targets because they sit at the center of the AI infrastructure being built globally. A compromise here does not just affect one organization. It can affect the organizations and individuals that depend on the network. Media and entertainment bucked the global trend in 2025 by seeing an increase in breach costs while other sectors saw a slight decline. On the compliance side, 95% of executives believe that clear disclosure of how AI processes user data will be the license to operate in 2026. Telcos are responding to the threat by using AI-driven network slicing to automatically isolate compromised segments of the network. But the organizations that have not built that capability yet are managing risk manually, which at network scale is not a sustainable approach.
Retail: Long-tail breach costs and the credential problem that does not go away
Retail breaches are different from breaches in other sectors in one specific way: the cost does not stop at the initial incident. Customer trust takes months to recover, and the commercial impact of that trust loss often exceeds the direct cost of the breach itself. Public-facing app exploits are up 44%, and attackers are using AI to scan for misconfigured systems faster than security teams can catch them. But the largest share of retail breaches still traces back to stolen credentials and phishing, which connects directly to the operational reality of retail: high seasonal staff turnover, inconsistent onboarding, and access controls that do not scale well with headcount fluctuations. C-suite executives in retail need a security posture that accounts for the people who will be touching customer data for three months, not just the permanent team.
7 in 10: Leading operations using predictive analytics to get ahead of failures
Seven in ten pioneering utilities use predictive analytics to manage supply and demand before disruptions occur. Applied to cybersecurity, this is the argument for threat intelligence and proactive monitoring over reactive incident response. The organizations that detect compromises early, before attackers have time to move laterally through a network, consistently limit the damage more effectively than those that first learn of a breach from a third party.
67%: Managing distributed systems as coordinated security environments
67% of optimizing utilities manage microgrids as both local services and grid-wide assets. For cybersecurity, the equivalent is treating every endpoint, every IoT device, every third-party integration, and every remote access point as part of a coordinated security environment. Organizations that manage security in silos, with separate teams for IT, OT, and product security, consistently have larger blind spots than those with unified visibility.
~65%: Using forecasting to guide where security investment is needed most
Nearly two-thirds of utilities create asset failure forecasts to evaluate network impact before something breaks. In cybersecurity terms, this is the case for regular risk assessments, attack surface mapping, and scenario planning. C-suite executives who know specifically where their highest-value assets are and how they would be affected by different attack types are in a fundamentally different position from those making security investment decisions based on last year's incidents.
01. Map your actual attack surface, not the one from three years ago
Most organizations are securing a threat model that is out of date. The IBM data is clear that attack surfaces have expanded significantly: factory floor OT, software-defined vehicles, IoT sensors, third-party integrations, and AI infrastructure are all entry points that were not part of most security frameworks five years ago. C-suite executives should ask their security teams a specific question: when was the attack surface assessment last updated, and does it include every system that touches customer data, operational technology, or third-party networks? If that assessment is more than twelve months old and the technology environment has changed, the security posture is built on incomplete information.
02. Treat compliance as a floor, not a destination
DORA, NIS2, and the 2026 cyber-physical resilience mandates have all moved the compliance bar upward. But compliance with current regulation is not the same as adequate security. Compliance tells you what the minimum standard was when the regulation was written. Attackers are not constrained by that standard. C-suite executives who treat compliance as the goal end up with organizations that pass audits and still get breached. The right framing is that compliance sets the baseline and security strategy builds above it. That means understanding which threats are most relevant to your specific industry, your specific data, and your specific operational dependencies, not just which controls the regulator requires.
03. Address the credential and human risk problem with process, not just technology
Across retail, financial services, and manufacturing, the data consistently shows that credentials and phishing remain among the most common breach entry points. Technology controls help. Multi-factor authentication, privileged access management, and phishing-resistant authentication all reduce risk. But the IBM data on retail is instructive: high seasonal staff turnover creates credential and access control problems that technology alone cannot solve if the underlying process for onboarding and offboarding is inconsistent. C-suite executives need to treat access management as an operational process question, not just a technology question. Who has access to what, how is that access granted and revoked, and who is accountable for keeping those lists accurate?
04. Build incident response capability before you need it
The difference between organizations that contain breaches quickly and those that do not is almost always preparation. Not technology, specifically. Preparation. That means a tested incident response plan, clear roles for who does what when a breach is detected, established communication protocols for regulators and customers, and leadership that has rehearsed making decisions under pressure before those decisions have real consequences. C-suite executives who have never participated in a tabletop exercise for a serious security incident are making their first decisions about breach response in real time, with real consequences. That is the most expensive way to learn what the plan should have said.