Industrial CISOs Gain Boardroom Influence

Industrial Chief Information Security Officers (CISOs) are gaining significant influence in manufacturing boardrooms in 2026. These leaders are now tasked with balancing cyber threats against production uptime and budget realities, reflecting the growing strategic importance of operational technology (OT) security.

The manufacturing sector was the most targeted industry for cyberattacks for the fifth consecutive year in 2025, accounting for 27.7% of all incidents. Attackers are increasingly exploiting public-facing applications, valid user accounts, and external remote services to breach manufacturing systems. The Asia-Pacific region continues to experience the majority of these attacks. Ransomware attacks against industrial organizations surged by 49% year-over-year, impacting 3,300 organizations globally. These attacks are not just data theft; they cause significant operational disruptions. For example, a 2025 cyberattack on Jaguar Land Rover led to a global shutdown, illustrating the potential for supply chain paralysis.

New, specialized OT threat groups are emerging, with Dragos now tracking 26 such groups worldwide. Adversaries are maturing their tactics from simple reconnaissance to actively mapping industrial control systems to understand how to manipulate physical processes. Groups like VOLTZITE are known for stealthy operations in U.S. critical infrastructure, while others act as initial access brokers for more sophisticated attackers.

The regulatory landscape is intensifying globally. In the EU, the NIS2 Directive and the Cyber Resilience Act (CRA) impose stricter cybersecurity and incident reporting obligations on manufacturers. Starting September 11, 2026, the CRA mandates the reporting of actively exploited vulnerabilities. In the U.S., CISA's "Shields Up" campaign continues to urge critical infrastructure, including manufacturing, to harden defenses against geopolitical threats. New SEC disclosure rules now require publicly traded companies to report material cybersecurity incidents within four days of determination, elevating cybersecurity to a core financial and operational reporting issue. This extends scrutiny to the supply chain, as public companies must now assess and document third-party cyber risk, indirectly affecting their private company vendors.

Internal audit's role is shifting from traditional compliance checks to forward-looking risk assurance, particularly around OT. There's a growing need for audit functions to bridge the gap between IT and operational staff, who often manage OT systems. Joint IT-OT audits are becoming essential to provide a comprehensive view of vulnerabilities across both digital and physical systems.

U.S.-China trade relations remain a significant source of uncertainty, with a series of tariff escalations throughout 2025. Although a February 2026 Supreme Court ruling struck down certain tariffs imposed under the International Emergency Economic Powers Act, the average U.S. tariff on Chinese goods remains elevated at 22.3%. This ongoing friction continues to impact supply chain strategies and material sourcing.

On the domestic front, manufacturers face a demanding compliance environment from both OSHA and the EPA in 2026. OSHA is advancing new standards for heat illness prevention and has updated requirements for hazard communication, with a key deadline for manufacturers on May 19, 2026. The EPA is also expected to enforce new rules on PFAS "forever chemicals" reporting.
