What is your view about the effectiveness of cyber-related regulations? High resilience (%) Insufﬁcient resilience (%) 20% 40% 60%Positive, they help us raise awareness of security with our board and in our organization Positive, they help us to improve our security posture/reduce cyber risks in our organization Positive, they help us to increase customer trust and brand reputation Positive, they help to secure budget for cybersecurity Negative, difﬁcult to ensure third-party vendors comply with relevant requirements Negative, difﬁcult to fully understand applicability of the amount of regulations throughout our business Negative, difﬁcult to ensure consistent implementation across business units/departments Negative, we have limited internal resources or expertise to track and implement changes 0% 20% 40% 60% 0%57% 56% 44% 44% 22% 17%50% 44% 20% 33% 18% 20% 18% 34% 6%7%Sentiment on regulations, by organizational resilience level FIGURE 33 People and culture Only 22% of highly resilient organizations report lacking the necessary workforce to achieve their cybersecurity objectives – a stark contrast to the 85% of insufficiently resilient organizations that face this challenge. Business processes Defined business processes that support cybersecurity posture are a key characteristic of resilient organizations. Survey data indicates that 76% of highly resilient organizations involve their security function in the procurement process, compared to just 53% in insufficiently resilient organizations. Technical systems Resilient organizations take a structured approach to designing, deploying and maintaining technical or digital systems: 44% of highly resilient organizations monitor OT security, compared to only 9% of insufficiently resilient ones. Additionally, 71% of highly resilient organizations regularly review the security of their AI tools, compared to only 20% of insufficiently resilient organizations. Does your organization have a process in place to assess the security of AI tools before deploying them? (select all that apply) 20% 40% 60% 100% 80%High resilience (%)71% 20% 20% 6% 55%13% 7% 10% Insufﬁcient resilience (%) 0% Yes, we review periodically Yes, we review once I don't know NoAI security assessment, by organizational resilience level FIGURE 34 Global Cybersecurity Outlook 2026 41