New research shows cyber risk management is becoming a core business function, with AI accelerating how programs operate

RESTON, Va.: #cyberrisk--GuidePoint Security, the cybersecurity advisor and services partner organizations rely on to protect what matters most, today released the 2026 State of Cyber Risk Management Report. Conducted by The FAIR Institute in partnership with GuidePoint Security and SAFE, the report offers an in-depth look at how security and risk management professionals are building, maturing and communicating their cyber risk management (CRM) programs.

The report reveals the growing significance of CRM in business decision-making, reflecting its emergence as a critical driver of organizational resilience and strategic growth. Cyber risk information is reaching the C-suite and board, with risk appetite and tolerance levels being formally approved at the highest levels of the organization, and AI rapidly becoming integrated into team workflows. Yet the research also points to a meaningful gap between program confidence and consistent execution, particularly around governance effectiveness, cross-departmental communication and cybersecurity silos.

“Organizations have made real progress building cyber risk management programs, but maturity doesn’t always translate into consistent execution,” said Brian Betterton, VP of GRC at GuidePoint Security. “The opportunity now is to make risk practices more visible, repeatable and connected to business decisions. AI is accelerating that shift by moving risk management from a quarterly exercise to real-time decision support.”

Key findings from the report include:

• Cyber risk management is driving business value. The top outcomes organizations attribute to CRM include greater risk reduction, improved credibility of the cybersecurity team and better alignment of cybersecurity resources with business priorities.
• Cyber risk is gaining executive and board-level influence. Risk information is being used across the technology and risk C-suite, with 89% of organizations reporting board-level approval for defined risk appetite and tolerance levels. Among organizations using fully quantitative measures, 90% now express cyber risk in financial terms.
• Automation and AI are reshaping CRM operations. Sixty-four percent of organizations report mostly or fully automated CRM systems, and 80% are currently using or experimenting with AI. Organizations see the greatest AI opportunity in automated risk quantification, workflow automation, and forecasting and scenario simulation.
• Confidence is high, but execution gaps remain. Seventy-six percent of organizations say they are effective at translating risk assessments into business decisions, yet only 35% describe their formal governance groups as fully effective, 46% cite poor cross-departmental communication as a governance and accountability gap and 33% identify gaps between cybersecurity silos as a primary CRM challenge.
• Demand and investment are expected to grow. Nearly 89% of organizations expect demand for CRM to increase over the next three years, and 72% plan to increase their investment in CRM over the next 12 months.

“Cyber risk management has earned a seat at the business table, but that only matters if programs can deliver,” Betterton added. “The next phase will be defined by organizations that stop measuring maturity by what they have in place and start measuring it by what actually gets used. Financial quantification and materiality analysis are the differentiators because they turn risk data into decisions CFOs and boards can act on.”

The report is based on survey responses from 400 qualified cyber risk, security, technology and risk management professionals from organizations with 1,000 or more employees.

The 2026 State of Cyber Risk Management Report is available now at: guidepointsecurity.com/resources/2026-state-of-cyber-risk-management-report/

About GuidePoint Security

GuidePoint Security helps organizations overcome the most complex cybersecurity challenges, mature their security posture, minimize risk and ensure compliance. As a trusted cybersecurity advisor and partner, GuidePoint keeps people, data, and operations safe. We deliver tailored cybersecurity services and offerings that adapt and scale to safeguard the nation’s leading organizations today, while preparing them to confidently face tomorrow's cyber challenges. More than 5,600 organizations of all sizes and across every industry, and all U.S. cabinet-level agencies, rely on GuidePoint to strengthen their defenses and reduce risk. Stronger Together. Protecting What’s Next. Learn more at guidepointsecurity.com.

About The FAIR Institute

The FAIR Institute is a non-profit professional organization dedicated to advancing the discipline of measuring and managing cyber and operational risk. With over 19,000 members worldwide, the Institute is recognized as a leading authority on cyber risk quantification and best practices in management. The FAIR Cyber Risk Management Framework, based on the industry’s leading CRQ methodology, has been adopted by organizations across sectors to enhance security governance and risk-informed decision-making. Learn more at www.fairinstitute.org.

Fonte: Business Wire