Listen to this article
Cohesity's fourth annual Global Cyber Resilience Report - Risk-Ready or Risk-Exposed: The Cyber Resilience Divide, published in November - surveyed 3,200 IT and security decision-makers across 11 countries, all at organizations with more than 1,000 employees. The headline number is that 76 percent experienced at least one material cyberattack. The word to notice in that sentence is "material." It is a finance word, and finance is where this report spends most of its time.
Legal consequences, lost revenue, lost customers. Those are not security metrics. They are the line items a board asks about, which is exactly the point: the cyberattack has completed its migration from an IT incident to a financial event.
Cyberattacks are now earnings events
The report's most striking finding is how directly attacks now reach the numbers companies report to their investors. Among public companies that were attacked, 70 percent adjusted earnings or financial guidance afterward, and 68 percent saw stock price impacts. Private firms felt it differently but no less structurally: 73 percent redirected budgets away from innovation to deal with the aftermath.
When seven in ten public victims are restating guidance, change control stops being an operational preference and becomes a fiduciary one. Whatever touches production - a config push, a patch, an agent's action - is now, in a very literal sense, touching the share price.
The admission in the data
Which makes the report's other headline number remarkable, because it is a confession. Cohesity asked IT leaders how their risk management is keeping up with generative AI, and 81 percent said it is not:
81 percent of IT leaders say GenAI is outrunning their risk management. That is not a technology gap. It is an accountability gap.
The answer is not slower AI
The tempting read of that 81 percent is that organizations should pump the brakes on GenAI until risk management catches up. That is the wrong lesson, and most leaders know it - the competitive cost of freezing adoption is real, and the 73 percent of private firms already cannibalizing their innovation budgets after attacks show what falling behind costs. The gap does not close by making AI slower. It closes by making every AI-driven change accountable before it lands.
That is a solvable engineering problem. An AI agent proposing a change is fine; an AI agent landing a change that nobody validated is how a material attack, or a material outage, gets a head start. The augmented model keeps the speed and removes the blind spot: the AI proposes, validation gates verify the change against policy and score its risk, and the consequential ones stop at a named human before production. Risk management stops chasing GenAI and starts standing in front of it.
The AuthorityGate take
Cohesity sells data resilience, so read its resilience report with the catalog in mind. But the two halves of this survey indict each other in a way no vendor spin can soften. Half of it documents that attacks now produce guidance adjustments, stock impacts, and legal consequences. The other half documents that the people responsible admit their risk controls cannot keep pace with the fastest-moving change source in their environment. Boards will eventually connect those halves; better that you connect them first.
Our position is that the connection point is the change itself. Every change - human, pipeline, or AI - should pass a validation pipeline before it takes effect, so that "GenAI moves fast" and "someone is accountable" stop being opposites. The 81 percent are describing a race they set up to lose: capabilities on one side, a policy binder on the other. Put a gate on the track and the race ends.
Three thousand two hundred decision-makers, in aggregate, just told the market that the financial consequences of ungoverned change are already on the income statement, and that the fastest source of new change is the one they govern least. That combination has a short shelf life. The organizations that fix it will do it deliberately, at the gate - not in the 8-K after the incident.
Sources
Go deeper
Every agent action, validated before it takes effect
AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.