The global business landscape in 2026 faces a paradox of progress. While digital transformation has accelerated operational efficiency to unprecedented levels, it has simultaneously created a complex web of vulnerabilities that traditional safety nets can no longer catch. A significant alarm was recently sounded by Eric Schmitt, the Chief Information Security Officer (CISO) at Sedgwick, who warned that business continuity frameworks are fundamentally lagging behind the sheer velocity and sophistication of contemporary cyber threats.
- The Sedgwick Warning: A Stark Reality Check for Executive Leadership
- The 2026 Cyber Threat Landscape: Velocity and Complexity
- Agentic AI and Autonomous Attack Cycles
- Cloud Supply Chain Fragmentation
- Quantum Readiness and the Cryptography Gap
- The Great Misalignment: Business Continuity vs Disaster Recovery
- The Minimum Viable Company (MVC) Model
- Cyber Insurance and the Requirement for Proven Resilience
- Strategies for Closing the Resilience Gap in 2026
- 1. Embracing Zero Trust Architecture
- 2. Implementation of Immutable and Air-Gapped Backups
- 3. Continuous Exposure Management (CEM)
- 4. Human Centric Security Awareness
- Regulatory Pressure: DORA, NIS2, and Beyond
- The Role of Managed Detection and Response (MDR)
- Transforming the Corporate Culture Toward Resilience
- The Future of Business Continuity: Predictive and Proactive
- Conclusion and Strategic Outlook
This warning comes at a time when the distinction between a technical glitch and a total enterprise collapse has blurred. For many organizations, the strategy for staying afloat during a digital storm is rooted in decades old logic that assumes threats are linear and predictable. However, the reality of 2026 is one of non-linear, AI-driven, and multi-vector assaults that do not just target data but aim to dismantle the very core of business operations.
The Sedgwick Warning: A Stark Reality Check for Executive Leadership
Eric Schmitt’s insights serve as a critical wake-up call for boards and executive suites worldwide. During his recent address, he highlighted a recurring flaw in corporate strategy: the conflation of business continuity with disaster recovery. While these terms are often used interchangeably in boardrooms, Schmitt clarifies that they represent two distinct pillars of resilience.
Disaster recovery is the technical restoration of systems. It is the tactical effort to get the servers back online and the data restored from backups. Business continuity, conversely, is the preservation of business operations. It focuses on how the company continues to serve its clients, manage its supply chain, and fulfill its brand promise while the technical restoration is still underway.
The warning from Sedgwick is clear. Most organizations have invested heavily in the technical side of recovery but have neglected the operational agility required to function during a prolonged outage. As cyberattacks become more disruptive, the gap between technical restoration and operational survival is widening, leaving companies exposed to catastrophic financial and reputational losses.
The 2026 Cyber Threat Landscape: Velocity and Complexity
To understand why business continuity is failing to keep pace, we must examine the specific nature of the threats emerging this year. The digital battlefield of 2026 is characterized by several high impact trends that bypass traditional defenses.
Agentic AI and Autonomous Attack Cycles
We have moved beyond the era of simple automated scripts. Today, threat actors utilize agentic AI. These are autonomous programs capable of making real-time decisions, identifying vulnerabilities on the fly, and pivoting their tactics without human intervention. When an attack can evolve in seconds, a business continuity plan that relies on manual triggers and human assessment is already obsolete by the time the first meeting is called.
Cloud Supply Chain Fragmentation
The move to the cloud was supposed to simplify resilience, but it has created a new form of systemic risk. Companies are now dependent on a massive ecosystem of SaaS providers, API integrations, and cloud infrastructure layers. A single point of failure in a third party service can trigger a domino effect across thousands of businesses. Sedgwick’s CISO emphasizes that many organizations lack visibility into these deep dependencies, making their continuity plans theoretical rather than practical.
Quantum Readiness and the Cryptography Gap
As quantum computing capabilities continue to advance, the encryption standards that protect global commerce are under threat. While “Q-Day” might still be on the horizon, the “harvest now, decrypt later” strategy used by nation-state actors means that the data being backed up today may be vulnerable tomorrow. Business continuity in 2026 must now account for long term data integrity and the transition to post-quantum cryptographic standards.
The Great Misalignment: Business Continuity vs Disaster Recovery
The fundamental reason continuity is failing to keep pace is a lack of alignment between IT departments and business units. In many organizations, the IT team builds a disaster recovery plan in a vacuum, focusing on Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) based on technical feasibility rather than business necessity.
When a major cyber incident occurs, the business leadership often discovers that the “technical recovery” takes much longer than the “business survival” window allows. If a retail giant cannot process transactions for 48 hours, the fact that their database was “successfully restored” on day three is a cold comfort. The business has already suffered irreparable damage to its market share and customer trust.
Eric Schmitt’s advocacy for a more holistic approach suggests that business continuity should be lead by business leaders, with IT serving as an enabler. This ensures that the most critical business functions are prioritized based on their impact on the bottom line and the customer experience, rather than which server is easiest to reboot.
The Minimum Viable Company (MVC) Model
A trending strategic concept in 2026 for addressing the resilience gap is the “Minimum Viable Company” or MVC. This approach strips away the non-essential functions of an organization to identify the absolute core processes required to remain operational during a crisis.
The MVC model asks a difficult question: What is the smallest version of our company that can still provide value to our customers and meet our legal obligations? By defining this MVC, organizations can focus their limited resources on protecting and rapidly recovering these essential pillars. This mindset shift moves the goalpost from “recovering everything” to “maintaining the core.”
Cyber Insurance and the Requirement for Proven Resilience
The insurance market in 2026 has become a major driver of business continuity standards. Gone are the days of simple check-the-box questionnaires. Cyber insurers now demand evidence of “proven resilience.” This includes verified immutable backups, documented tabletop exercises that involve executive leadership, and clear evidence of network segmentation.
Companies that cannot demonstrate a robust business continuity plan that addresses modern cyber threats are finding themselves either uninsurable or facing astronomical premiums. The warning from Sedgwick’s CISO is not just about operational risk, it is also a financial warning. Resilience is now a prerequisite for financial stability and risk transfer.
Strategies for Closing the Resilience Gap in 2026
Closing the gap between cyber threats and business continuity requires a multi-layered approach that integrates technology, policy, and culture. Here are the core pillars for a modern resilience strategy.
1. Embracing Zero Trust Architecture
Zero Trust is no longer a luxury, it is a foundational requirement. By assuming that every user and device is a potential threat, organizations can limit the lateral movement of attackers. In the context of business continuity, Zero Trust ensures that even if one part of the business is compromised, the rest can continue to function. This containment is essential for maintaining operational integrity during an ongoing incident.
2. Implementation of Immutable and Air-Gapped Backups
Ransomware in 2026 is specifically designed to seek out and destroy backup files. To counter this, business continuity plans must include immutable backups, which cannot be changed or deleted for a set period. Additionally, physical or logical air-gapping ensures that a copy of the critical data remains completely isolated from the primary network, providing a “gold copy” for recovery even in the event of a total environment wipe.
3. Continuous Exposure Management (CEM)
Static vulnerability scans once a month are insufficient. Modern organizations are moving toward Continuous Exposure Management. This involves real-time monitoring of the entire attack surface, including shadow IT, forgotten cloud buckets, and third party API connections. By identifying and patching vulnerabilities before they can be exploited, companies reduce the likelihood that they will ever need to trigger their continuity plans.
4. Human Centric Security Awareness
Technology alone cannot solve the resilience crisis. The human element remains the most frequent entry point for cyberattacks. However, in 2026, security awareness has evolved. Instead of generic annual training, companies are using AI to deliver personalized, behavior-based coaching. Employees are trained not just to spot phishing, but to understand their role in the business continuity process, empowering them to act as a distributed defense layer.
Regulatory Pressure: DORA, NIS2, and Beyond
Governments and international bodies are not standing idly by as the resilience gap widens. Significant regulations such as the Digital Operational Resilience Act (DORA) in the EU and the updated NIS2 directive have set high bars for how financial institutions and essential service providers manage cyber risk.
These regulations explicitly require organizations to have robust business continuity and disaster recovery plans that are regularly tested. Failure to comply can result in massive fines and personal liability for board members. The warning from Sedgwick’s CISO aligns perfectly with this regulatory shift, emphasizing that resilience is a matter of legal and fiduciary responsibility.
The Role of Managed Detection and Response (MDR)
For many mid-sized and even large enterprises, the cost and complexity of building an in-house SOC (Security Operations Center) that can handle 2026-level threats is prohibitive. This has led to the surge in Managed Detection and Response (MDR) services.
MDR providers offer 24/7 monitoring, threat hunting, and rapid incident response. By integrating an MDR partner into their business continuity plan, organizations can ensure that they have the expertise and the scale to respond to a major incident without overwhelming their internal teams. This external support is often the difference between a minor disruption and a major catastrophe.
Transforming the Corporate Culture Toward Resilience
Ultimately, the gap Sedgwick’s CISO warns of is a cultural one. Many organizations still view cybersecurity as a “no” department, a hurdle to be cleared so the “real” business can get done. To survive the threat landscape of 2026, this mindset must be inverted.
Cyber resilience must be seen as a competitive advantage. A company that can prove its ability to remain operational during a global cloud outage or a massive ransomware wave is a more reliable partner, a safer investment, and a more trusted brand. Resilience is not a cost center, it is a value driver.
The Future of Business Continuity: Predictive and Proactive
As we look toward the remainder of 2026 and into 2027, the future of business continuity lies in AI-powered predictive modeling. Instead of reacting to an incident, organizations will use digital twins to simulate thousands of different attack scenarios, identifying weaknesses in their continuity plans before a real crisis occurs.
This proactive approach will allow companies to “harden” their most critical processes, ensuring that the gap between the speed of the threat and the speed of the response finally begins to close.
Conclusion and Strategic Outlook
The warning from Sedgwick CISO Eric Schmitt is a timely reminder that the tools and strategies of yesterday are insufficient for the challenges of today. Business continuity must evolve from a static document sitting on a shelf to a dynamic, living part of the enterprise’s DNA.
By focusing on the Minimum Viable Company, embracing Zero Trust, and aligning technical recovery with business operations, organizations can bridge the resilience gap. The goal is no longer just to prevent attacks, but to ensure that when they happen, the business remains standing, resilient, and ready for whatever comes next.
