Rapid technological innovation and evolving regulations are outpacing the development of organizations’ cyber, data and AI risk frameworks, creating operational risk and cross-border reporting challenges.
Organizations now face a high-stakes and multifaceted risk landscape spanning enforcement, operational, reputational and dispute risk. This reflects headline findings from our 2026 Global Dispute Forecast, where technology and geopolitical pressures were cited as prominently driving disputes risk. In addition, cyber and data topped the list as respondents’ greatest dispute concern.
We asked 600 senior decision-makers to identify the true challenges and how they are tackling them. Among other points of tension, we found that over half of surveyed respondents see risk management and governance around AI as major challenges, while growing compliance demands add further complexity.
Explore the full insights below.
- The changing nature of cyber governance
- Stability begins with preparedness
- AI: A multifaceted source of potential disputes
- Key actions
- Series overview and methodology
The changing nature of cyber governance
The rapid emergence and development of AI and other new technologies are creating new waves of uncertainty around cyber risk readiness. More than half of respondents express concerns regarding risk management associated with new technology implementation, highlighting the need for adaptable solutions and frameworks capable of accommodating future developments.
Differing definitions of “sensitive information” also create shifting goal posts for businesses. 41% of respondents say that handling information sharing between regulators and law enforcement — and complying with increased obligations for organizations designated as critical infrastructure — are major challenges in mitigating potential cybersecurity risk.
Brian Hengesbaugh, a partner in Chicago, points to a recent development in California that underscores a growing regulatory trend whereby governments no longer view cyber preparedness as a “nice-to-have.” “Under the California Consumer Privacy Act cyber audit rules, with its 18 elements, companies must conduct an annual audit and file under penalty of perjury with the California Privacy Protection Agency. Companies that subsequently experience an exploit of a vulnerability that should have been addressed as per their audit report (e.g., failure to implement Multi-Factor Authentication (MFA)) could be exposed to increased regulatory enforcement risk and expanded claims in any consumer and third-party litigation,” says Hengesbaugh.
Governments are introducing new regulations requiring organizations to embed cyber resilience into their operations. What that looks like in practice is not always clear. With the rapid evolution of cyber landscapes, the question of effective governance should be firmly on the board’s agenda. Vin Bange, a partner in London, highlights the need for leaders to ask questions that not only cover compliance, best practice and current standards but, more importantly, focus on what the convergence of these three areas looks like in today’s heightened and multifaceted threat landscape.
“There is a clear need for more rigorous testing and assurance against these standards, which themselves are still developing and require ongoing discussion and refinement,” notes Bange. “From a governance perspective, prolonged disruption from a cyber incident means conversations with external auditors, shareholders and investors need to take place.”
While it is a positive sign that only 24% of respondents are concerned about establishing board-level accountability, the continually changing threat landscape necessitates ongoing conversations. Singapore principal Andy Leck notes: “Regimes are increasingly imposing director and officer liability, including potential criminal exposure for senior management. Such exposure can ultimately lead to an unforeseen and unnecessary drain of talent, resource and funds.”
This is echoed by Bange, who cautions that organizations should look at the responsibility of directors with regard to both board notifications and corporate governance.
Sector spotlight: 57% of energy, mining and infrastructure companies cite managing risk arising from the implementation of new technology as their top challenge. Besides unclear pricing and slow-moving regulations for new technologies, risk management can also be held back by long approval times for infrastructure changes and the difficulty of working with older systems.
Jurisdiction highlight: Respondents in the UK (48%) and the US (47%) are more concerned about complying with increased obligations for organizations designated as critical infrastructure than respondents in any other jurisdiction surveyed. Both the UK and the US are calling for fast reporting of cyber incidents and making boards explicitly accountable. The UK's Cyber Security and Resilience Bill strengthens protections for critical infrastructure. In the US, companies are expected to fully comply with updated SEC requirements.
Stability begins with preparedness
Leck notes that weak cyber governance doesn’t just open an organization up to a potential attack but can also worsen outcomes after the fact: “Cyber incidents are no longer signs of system failure, but a sign of systemic governance flaws. Companies not only need to have an accurate assessment of threat levels, but also have organizational speed and agility, robust governance, and effective cross-functional coordination to respond when an incident occurs.”
Our survey found that 43% of respondents cite business disruption in the wake of a cyber incident as a top challenge. Real-world examples illustrate how cyber incidents can lead to prolonged operational downtime and substantial revenue loss, underlining the critical importance of frequent and nuanced tabletop exercises for incident preparedness as opposed to sporadic or superficial testing.
Faced with a rising volume and sophistication of threats, organizations will be wise to focus on and invest in organizational readiness. The dual-pronged challenges of complex structures and under-resourcing will only widen the gap between those who are prepared and those who are taking on exponential risk. Legal leaders can play a critical role in supporting business continuity. They can help prepare their organizations to respond decisively to emerging threats by working to remove internal silos, which improves security and reduces organizational risk.
Preparedness also depends on broader context. Washington, DC partner and National Security Co-Chair Sumon Dantiki draws a strong link between shifting geopolitics and the increasing sophistication of cyber threats, and therefore the deepening of dispute risk. Geopolitical tensions have put a spotlight on cyber operations, with AI increasingly used as a tool of nation-states. The rise of multi-vector attacks and the use of cyber operations as a tool for national security objectives have changed the risk-readiness landscape, even for organizations that are more “advanced” in their incident response.
“Threat actors are becoming increasingly motivated amid geopolitical and technological shifts,” says Dantiki. “And they are poised to leverage artificial intelligence for offensive cyber operations ahead of the ability of most organizations to defend themselves. Although the defensive cybersecurity benefits of AI may prevail in the long term, a significant gap exists in the near-term.”
Sector spotlight: 49% of healthcare and life sciences organizations are concerned about responding to regulatory investigation or enforcement action.
Jurisdiction highlight: In the event of a cyber breach, respondents in Germany are more concerned about ensuring business continuity (51%) and responding to regulatory investigation or enforcement action (46%).
AI: A multifaceted source of potential disputes
As regulatory frameworks continue to evolve, these foundational risks are likely to become an increasingly important source of dispute exposure around the world. In the EU, the recent EU AI Act is a milestone development that creates new obligations for deploying AI systems and reinforces the need for effective frameworks, oversight and guardrails around the use of AI systems to ensure regulatory compliance.
In Singapore, where respondents are also particularly concerned about business continuity in the face of a cyber incident (44%), there is no single omnibus law for AI use. However, the government maintains that personal data used to train and improve AI models must be regulated and is subject to Personal Data Protection Act (PDPA) laws. Businesses therefore should establish clear ownership of AI risk, board visibility over the use of AI, and robust, documented governance structures.
New and evolving cyber threats and AI compliance regulations, paired with heightened national security concerns, will also expose gaps in companies’ preparedness levels. Dantiki shares that with the seismic shifts in dispute management due to the proliferation of AI, companies will see “a huge amount of legal risk” arising from these changes.
“In terms of incident response, this picture is going to move quickly. There will be new attacks that have different motivations, methods and means. Even more sophisticated companies are not going to be able to ward off some of these risks in the short term, especially without the right investment,” says Dantiki.
Companies must not only move faster and more sharply, but also do so with consideration for multiple enforcement parameters and jurisdiction-specific disclosure requirements. “Speed and effectiveness are key tenets of a robust disputes risk mitigation strategy,” notes Hengesbaugh. “AI will make attackers more successful and incidents more damaging, and organizations should do preparation to develop roadmaps to address the proliferation of privacy, public company, critical infrastructure, and other reporting obligations applicable to their operations.”
According to Hengesbaugh, when it comes to getting ahead of AI-driven disputes, companies should also consider third-party risk exposure, including contract management with third parties. This includes having a clear understanding of their rights under contracts with customers, vendors and other relevant third parties, particularly regarding liability, responsibility, costs and potential recourse.
Sector spotlight: Healthcare and life sciences companies are the most concerned that a lack of effective frameworks, oversight and guardrails around the use of AI-related systems and data could open their organization up to a potential dispute (62%).
Jurisdiction highlight: Respondents in the US are most concerned about a lack of effective frameworks, oversight, and guardrails around the use of AI-related systems and data (59%) opening their organization up to a potential dispute.
Key actions
As regulators address cyber risk as a national security concern and governance structures are tested by more frequent and sophisticated attacks, integrated legal advice can help to address the complex risks posed by emerging technologies like AI as well as regulatory compliance challenges and cross-border obligations.
Organizations should:
- Prepare for cyber incidents through robust governance, business continuity planning and investment in resilience.
- Enhance governance and risk management frameworks for AI and emerging technologies, ensuring compliance and effective oversight to address regulatory gaps.
- Remain current with evolving legal requirements and cross-border reporting obligations, and facilitate timely, accurate regulatory responses during a cyber incident.
- Obtain legal guidance early in developing business continuity, preparedness and resilience strategies to break down silos across departments.
The Convergence of Risk: Today's pressures, tomorrow's disputes
A series overview
Our flagship Global Disputes Forecast survey revealed that in 2026, geopolitical flux, technology and supply chain disruption are driving disputes risk externally, while resource constraints mean that organizations must also be intentional and flexible in where they allocate resources.
With robust disputes preparedness key to building organizational resilience, we commissioned another wave of research to delve further into these initial findings. In this series, we explore the intersection of key risk areas and identify how respondents are taking action.
Methodology
We surveyed 600 senior decision-makers with oversight or key roles in legal, risk, compliance, or tax functions. Respondents included Directors in Legal, Risk, Compliance, or Tax; Heads of Function/Departmental Leaders; and C-suite roles such as General Counsel, Chief Legal Officer, Chief Risk Officer, and Chief Compliance Officer.