Executive Review
A Review of Our Forecast Track Record
April – June 2026 | Executive Review
The following report is provided for public review and validation of the Cyber Risk Forecasts from April to June. Overall, we got things right. We were, however, too optimistic in the state and federal government space, where we expected some easing from geopolitical events. Comments are welcome and can be submitted here.
Charlene Deaver-Vazquez
Below you will find the Executive Summary followed by a detailed validation matrix.
Executive Summary
1. The forecasts were directionally correct — and the most important signal was persistence, not novelty
Across the April–June forecast set, the strongest conclusion is that the core model held. The same dominant attack categories remained in place across financial services, healthcare, professional services, and government. Multiple reports explicitly state that no previously identified Top Risk was removed, no materially new category needed to be added, and current-cycle incidents validated rather than overturned prior-cycle assumptions. That is especially explicit in Retail & Hospitality, Professional Services, Accounting & Audit, Outpatient Clinics, and State Government Agencies.
For executives: the environment did not become radically different — it became more intense inside a stable set of high-impact risks. Leadership should not be chasing constant reclassification of threats. The better question is whether defenses, governance, and response capacity are keeping pace with rising severity and faster attack execution.
2. AI-driven attacks were not a new category — they were a force multiplier that increased business exposure
The most significant emerging issue was the impact of AI on existing attack categories, especially BEC/fraud and vulnerability exploitation. The Accounting & Audit materials are the clearest example: AI-generated phishing represented over 82% of phishing emails, AI-enabled fraud increased 1,210% in 2025, and deepfake voice attacks required only three seconds of audio. Yet the forecast still treated this as a stronger version of BEC/fraud, not a separate Top Risk.
In financial services and banking, AI-assisted exploit development compressed weaponization time from months to hours, reducing the value of slow remediation and increasing the cost of patch delays. AI is raising the cost of delayed action, especially in sectors dependent on transaction approval, public-facing infrastructure, or large attack surfaces.
3. Geopolitical pressure was the clearest external driver of forecast error — and it pushed risk upward, not downward
Where forecasts missed, they were generally too optimistic about geopolitical relief. Government & Education, State Government, and County/Municipal forecasts all show the same pattern: the model correctly identified hacktivism and state-sponsored activity as major risks, but in some cases expected partial easing that did not materialize. Later reports explicitly link ongoing cyber pressure to geopolitical escalation — especially the U.S.–Israel confrontation with Iran.
For county and municipal government: ransomware was "worse than anticipated," hacktivism relief hopes were "dashed," and OT sabotage gained concrete support through the Minot, North Dakota water-plant incident. Geopolitical cyber risk can directly affect public services, operational continuity, and infrastructure reliability.
4. The real executive issue is converging risk, not isolated risk
Several June sub-industry reports — especially FinTech — show that risk categories are not only remaining high; they are increasingly peaking together. The June FinTech forecast says ransomware/data extortion and API security/third-party breaches both reached Very High (81–100%), while BEC/AI-enhanced fraud stayed High and crypto/state-backed threats also intensified.
Concurrent risk creates strain across funding, leadership attention, incident response, legal, communications, and third-party oversight at the same time.
Executive Bottom Line
From April through June, the forecast set performed well at an executive level. It correctly framed the dominant risks, did not overreact to novelty, and captured the fact that the real story was escalation inside known attack pathways. The two most important external drivers were:
  • AI-driven attack acceleration, especially in BEC/fraud and exploit development
  • Geopolitical escalation, especially in government, education, and critical-infrastructure-adjacent sectors
Forecast Validation Matrix: April–June 2026