Managing the New “C” in GRC – What Every GRC Professional™ Needs to Know Now About Cyber Risk

This is the second installment in OCEG™’s expert panel blog series, showcasing the accomplished professionals from OCEG™’s Solution Council member companies and giving you direct access to the industry leaders who shape our standards and drive innovation in governance, risk, and compliance. Through these insights, you’ll discover the connections and expertise available through your OCEG™ membership. In this post, Pat McParland from MetricStream shares her expertise on how cyber risk is reshaping the entire GRC landscape and what professionals need to know to stay ahead in 2026.
Of course, we all know the “C” in GRC is compliance – but given the importance of digital risk and resilience, I’d argue it could almost be “cyber!”
No longer is cyber risk just the province of IT. It’s an enterprise-wide business risk that affects us all, and it’s reshaping the entire governance, risk, and compliance landscape.
Just for context, according to the latest “Cost of a Data Breach” report from the Ponemon Institute, a renowned thinktank focused on cybersecurity and data:
- The average cost of a data breach is now $4.9M, and $9.6M in the U.S.
- Healthcare breaches are the most expensive, as we saw last year with Change Healthcare. That attack, one of the largest ever, brought health systems to their knees, exposing patient data and even causing hospitals to revert to paper processes, stopping invoicing, prescriptions, and ambulance service.
- 49% of organizations report being breached by a third party.
On the good news side – organizations are investing heavily in AI, and the same report shows that it’s having a positive impact on security.
As you can see, cyber risk is driving a major transformation in GRC. Not only are risks (from third-party to geopolitical to ransomware) accelerating, regulators are cracking down with new legislation like DORA in the EU. AI is driving solutions but also arming bad actors with new tools and creating new risks of its own. CISOs, Chief Risk Officers, and GRC professionals across the board are upskilling and becoming both more business-oriented and more technical, collaborating in more ways than ever before.
So how can we as GRC professionals stay ahead now and into 2026?
Here’s a breakdown of what’s coming, what’s already here, and how to get your Cyber GRC programs in top shape.
1. Cyber Compliance Is the New Compliance
2024 set the stage, with the SEC’s new Cybersecurity Rule, the EU’s DORA, HIPAA revisions, and a patchwork of US state laws with new rules. The message from regulators is clear: they don’t just want to know that you’ve thought about cyber risk. They want proof that you’re managing it continuously, comprehensively, and strategically.
The SEC now requires breach disclosures of material events within four days. DORA mandates third-party risk monitoring as well as threat sharing and resilience testing. And the EU Cyber Resilience Act has made it clear that product security is now a lifecycle responsibility, not a one-time audit.
If you haven’t already, now is the time to harmonize your control sets across frameworks and invest in automated control testing and regulatory horizon scanning. Cybersecurity compliance is a board-level conversation, not an audit checklist.
2. From Point-in-Time to Real-Time: The Rise of Continuous Monitoring
Cyber risk doesn’t wait for your next quarterly audit. Legacy approaches (sample testing, manual forms, spreadsheets) no longer work. They’re tedious, frustrating, and inefficient.
Real-time risk intelligence is now expected. Whether it's continuous control monitoring, real-time vendor scoring, or predictive alerts about regulatory changes, organizations are expected to know that their risk controls are effective.
As one GRC executive put it, “The pace of change used to be X. Now it’s 10X or 20X. You need plumbing that can handle that pressure.”
Automated compliance platforms can centralize risk data and use AI to flag issues early. Don’t just digitize the old way of doing things. Rethink the process entirely.
3. AI: Both a Cyber Risk and the Key to Managing It
2024 was the year of AI adoption. 2025 and beyond will be the years of AI accountability.
Generative and agentic AI can already auto-populate risk assessments, detect control redundancies, scan regulations, and even summarize weekly risk reports into executive insights. But while AI promises big gains in productivity, it also introduces new risks: hallucinations, bias, data privacy violations, and unclear ownership.
GRC professionals must now manage AI for GRC and GRC for AI.
Build AI-ready governance: Implement explainability, observability, and accountability standards for AI agents. Ensure proper model management. Create a culture of AI readiness that includes clear policies and defined ownership. Define it now before regulators (or incidents) do it for you.
4. Third-Party and Fourth-Party Risk: More in the Spotlight than Ever
Third-party risk is more critical than ever, and fourth-party risk (your vendors’ vendors) is no longer optional to consider.
Vendor ecosystems are sprawling, cloud reliance is the norm, and geopolitical instability can take out entire supply chains overnight. Regulators like the EU and US now expect dynamic, not just periodic, risk assessments of third parties.
Make sure your third-party assessment and management is up to date:
- Use AI to dynamically score vendors based on live threat feeds, dark web alerts, and geopolitical signals.
- Map out your supply chain dependencies (including fourth and nth parties).
- Continuously recalibrate vendor risk scores and integrate with procurement and legal processes.
5. The New Role of the CISO and GRC Experts
CISOs are no longer just technical experts. They are boardroom voices guiding business strategy, and the GRC function is evolving right along with them.
Risk professionals are becoming “cultural architects,” helping their organizations build a risk-first mindset. Anti-fragility (author Nicholas Taleb’s idea that failure makes you stronger, and that practicing it helps you prepare) is becoming a core resilience strategy.
GRC isn’t just about protecting the business. It’s about enabling growth by helping the business take smart, calculated risks.
To lead the mindset shift:
- Start every risk conversation with business objectives.
- Think of risk as a decision accelerator, not a brake.
- Build alliances with product, strategy, and customer teams to embed GRC early.
6. Looking Ahead: What to Expect in 2026
So what does the rest of the year hold for Cyber GRC? We see intensifying focus on:
- Expanded AI governance frameworks, especially in regulated sectors.
- Cross-functional GRC integration (cyber, compliance, third-party, audit). Siloed GRC is the past. Connected, AI-powered GRC that includes cyber risk is the way forward.
- More mature AI use cases like auto-remediation, risk pattern recognition, and GRC insight bots.
- Expansion of AI-specific regulation globally, building on regulation like the EU AI Act.
- Greater convergence between cybersecurity and operational resilience.
- Wider adoption of quantification models for cyber and compliance risk.
- A push toward AI-generated evidence for compliance and audit.
Cyber GRC is about building systems that can adapt, anticipate, and recover. As one GRC leader put it, “We’re not just playing defense anymore. We’re steering the ship through a storm.”
So get your AI agents ready. Sharpen your control harmonization tools. And prepare to lead your organization into the next era of risk and resilience – as CISOs, CROs, and GRC leaders work in connected harmony to safeguard their organizations and drive strategic outcomes.