Cyber Risk Index: A 2025 Review

In September 2025, Next Peak published the 2025 Geo Cyber Risk Index (GCRI) to give global organizations a strategic and customized view of the combination of state cyber risk, criminal cyber risk, socioeconomic and geopolitical risk, and commercial capabilities and cyber literacy gaps risk. We ran three maps based on differing company profiles: a Chinese retail company, a UK finance company, and a US manufacturing company. 

Both the UK Financial Company map and US Manufacturing Company map highlighted that Russia and China pose high risks to such organizations; however, Canada posed different levels of risks to the two types of organizations as seen below. What contributes to these differences? Further, Russia and China have been posing ‘high-risk’ to Western organizations for over a decade, have the risks that these two nations posed the same to each organization? 

A score or risk level may convey that a certain geographic operating region is concerning, but it does not highlight the drivers behind the risk or the gaps and weaknesses in an organizations’ security controls and processes that allow for those risks to become impacts. Next Peak’s GCRI was built to address these blind spots and provide organization leaders with the ability to translate geopolitical risk into actionable steps for strategic and operational resilienceThus, the expanded US manufacturing company map — that Next Peak published in May 2026 – includes the specific analysis to demonstrate a sample of the “why” behind the risk levels. 

This map emphasizes that while both Russia and China pose high risks, China’s espionage activity and IP theft and Russia’s Presidential Decree No. 250 that requires remote access into socially significant organizations’ networks create security concerns for US manufacturing companies. Recognizing these factors informs the different processes and controls that the organization can implement when operating in Russia and China. 

At the same time, the GCRI can help inform future strategic decisions: perhaps, given that Mexico presents the lowest risk level among major US trade partners, near-shoring to Mexico is a profitable decision. Or even if Saudi Arabia is attracting the most US manufacturing investment, its medium level risk should be explored before significant investment decisions.  

Finally, the risk drivers defined by the GCRI can become the inputs that build an organization’s strategic tabletop exercise: Taiwan continues to face elevated cyber risk with an average of 4,129 cyberattacks per organization per week, the highest volume in the Asia-Pacific, and between March and June 2025, three China-aligned threat groups ran coordinated phishing campaigns against Taiwan’s semiconductor ecosystem, potentially impacting manufacturing supply chains. If a China-aligned threat group conducted a large scale cyberattack against TSMC—a semiconductor producer for at least 17 of the largest US tch companies – creating production delays, semiconductor chip shortage, and more, how would a US manufacturing company maintain resilience through and recover from the incident? 

Looking forward, the 2026 GCRI will be updated to reflect emerging and evolving threats, such as the increasing development of frontier AI capabilities, and even more informative with the addition of more countries with simmering geopolitical tensions to our profiles.  

The GCRI can and will be tailored to your specific organization to help translate risk levels and drivers into actionable intelligence. 

 

Want to have a conversation? Reach out at icr@nextpeak.net to speak with our team. 

FOLLOW US ON LINKEDIN

ABOUT NEXT PEAK

NEXT PEAK was co-founded by two US Air Force and JP Morgan Chase veterans, Dr. Greg Rattray and Jim Cummings. The firm focuses on strategic insight and provides access to a network of battle hardened cyber defenders. The team delivers advisory and consulting services to ensure clients have the deepest possible insight and advanced approaches to meeting their cyber defense challenges.