Unbreakable Ventures
Audit Assault | Risk Updates for Weeks of 9 March - 23 March '26

Threat concerns this week: Why insurers are showing up unannounced at your door. Data centers under fire in the Middle East. And 5 quick-fire updates on shipping chaos and supply chain pressure.

Hello 👋 Get a brew on, because these are the top emerging risks between March 9th and March 23rd, 2026…


Our main risk this fortnight is…

1. Economic: Insurance Audits Intensify as Businesses Scramble to Prove Resilience

  • Fixinc (owner of Unbreakable Ventures) has observed a marked increase in the frequency, intensity, and on-site presence of insurance audits across their Australian and New Zealand client base over the past three months, with scrutiny previously reserved for $500M+ ARR businesses now extending to smaller organisations.

  • Insurers are conducting on-site audits to scrutinise business continuity plans, business impact analyses, emergency management procedures, and cyber resilience documentation, moving beyond traditional remote reviews to hands-on verification of operational resilience.

  • Fixinc has identified auditor competency concerns in several cases, where insurance auditors conducting reviews lack adequate training in business continuity frameworks and methodologies, creating risks of incorrect advice, delayed resilience programs, and potentially flawed premium assessments.

  • The 2026 Allianz Risk Barometer confirms cyber incidents remain the number one global business risk for the fifth consecutive year, with business interruption ranking third, while only 3% of respondents view their supply chains as “very resilient” amid mounting geopolitical pressures.

  • Australian insurers increasingly refuse coverage or impose premium increases for businesses unable to prove baseline security standards, with the Australian Cyber Security Centre’s Essential 8 becoming the de facto standard for insurer assessment of security posture and the cyber insurance market projected to grow from USD 467 million to nearly USD 2 billion by 2034.


You should be concerned if…

  • Universities and higher education institutions:
    These organisations face heightened scrutiny due to complex stakeholder environments, significant research data holdings, and increasingly targeted cyber threats. Fixinc has directly observed intensified audit activity in this sector across Australia and New Zealand, with auditors examining emergency management procedures and business impact analyses in granular detail.

  • Ports, logistics, and supply chain operators:
    The WEF Global Risks Report 2026 identifies geoeconomic confrontation and supply chain vulnerability as top-tier risks, with logistics sectors facing differentiated impacts from geopolitical instability. Insurers are closely examining business continuity documentation for critical infrastructure operators, and Fixinc has observed on-site audits specifically targeting these organisations.

  • Critical infrastructure and energy sectors:
    Both the Allianz Risk Barometer and WEF report highlight energy and critical infrastructure as high-risk categories for 2026. Regulatory frameworks including Australia’s SOCI Act layer compliance requirements that insurers increasingly reference during underwriting assessments.

  • Financial services and healthcare:
    Industries subject to stringent data protection regulations face dual pressure from compliance audits and insurance underwriting scrutiny. Business interruption losses from cyber events now rival direct incident response costs, making demonstrated resilience critical to coverage terms.

  • Mid-market businesses assuming exemption:
    While on-premise audits currently appear reserved for larger organisations, documentation and evidence requirements are extending to smaller businesses. The assumption that only major enterprises face intensive scrutiny no longer holds.

These items are generic assumptions. We recommend considering your own unique risk landscape against your critical dependencies. If you don’t know what they are, get in touch.

Preventative actions

Prepare evidence before the audit arrives
  • Review and document your business continuity plans, business impact analyses, emergency management procedures, and cyber resilience posture now rather than waiting for insurer notification. Ensure documentation is current, tested, and evidence-based, with clear version control and records of the most recent exercises. Fixinc will be publishing a detailed guide on preparing for and managing insurance audits on their blog in the coming days.

Understand auditor assessment criteria
  • Map the typical areas insurers review including risk management frameworks, incident response plans, backup and recovery procedures, supply chain resilience, and governance documentation. The Australian Cyber Security Centre’s Essential 8 has become the de facto standard for security posture assessment. Ensure you can demonstrate these are operational and tested, not merely documented.

Challenge findings that contradict best practice
  • If an auditor provides feedback that contradicts established business continuity frameworks or your existing resilience methodology, question it directly. Request clarification on the methodology and standards being applied. Fixinc has observed instances where their advisory team has had to guide auditors through best-practice processes, indicating auditor training may not match senior resilience professional standards.

Request real-time feedback throughout the process
  • Do not wait until the audit is complete to understand findings. Ask auditors what they are identifying as they review your documentation, allowing you to address concerns immediately and avoid surprises that could impact premium negotiations or coverage terms.

Calculate resource requirements and plan capacity
  • Audits consume significant internal resources, pushing teams to capacity while managing daily responsibilities alongside audit requirements. Factor this drain into team planning and consider whether external advisory support is needed to manage the audit process without derailing operations or existing resilience programs.

Demand transparency on resilience-premium linkage
  • Strong resilience should directly improve your premium position. If renewal reflects increased premiums despite robust documentation and demonstrated processes, require your insurer to explain the assessment methodology. The connection between resilience investment and insurance outcomes should be explicit and auditable.


2. Technological: Data Centre Strikes Force Businesses to Confront Third-Party Infrastructure Fragility

  • Military strikes on data centres during the ongoing Middle East conflict have created unprecedented legal and policy questions about the status of civilian cloud infrastructure during armed conflict, with AWS, Google Cloud, and Microsoft Azure facilities in the region facing potential targeting as dual-use infrastructure.

  • The concentration of global business operations on a small number of cloud providers means a successful strike on major data centres could cascade disruptions far beyond direct customers, affecting third and fourth-party suppliers who rely on the same infrastructure and creating downstream ripple effects across interconnected supply chains.

  • International humanitarian law traditionally protected civilian infrastructure, but the increasing military and intelligence reliance on commercial cloud services has blurred distinctions, with some legal scholars arguing data centres processing military communications may lose protected status under the law of armed conflict.

  • AWS operates data centres across multiple global regions specifically to provide redundancy, yet threat actors increasingly view major cloud providers as strategic targets whose disruption could simultaneously impact government, financial, healthcare, and critical infrastructure systems worldwide.

  • Businesses must now consider whether conflict in the Middle East or other regions could affect their infrastructure through indirect pathways, as a data centre they do not directly use may host critical services for their suppliers, payment processors, or logistics partners.


You should be concerned if…

  • Cloud-dependent businesses without geographic redundancy:
    Organisations relying on single-region cloud deployments face acute risk if that region experiences conflict-related disruption. Even well-established providers like AWS cannot guarantee availability if facilities become military targets, and businesses must understand their actual infrastructure footprint rather than assuming provider resilience.

  • Companies with complex third-party supply chains:
    Your direct cloud provider may be resilient, but your payment processor, logistics partner, CRM vendor, or accounting software provider may not be. A data centre strike affecting services you do not directly use can still cascade through your supply chain, disrupting operations through fourth and fifth-party dependencies you may not have mapped.

  • Financial services and critical infrastructure operators:
    These sectors face heightened regulatory scrutiny around operational resilience and must demonstrate they have identified and mitigated concentration risks in their technology supply chains. Regulators increasingly expect documented evidence of third-party infrastructure resilience testing.

  • Businesses with Middle East regional exposure:
    Organisations with operations, customers, or suppliers in the Gulf region face direct exposure to infrastructure disruption from ongoing conflict. However, global businesses must also consider whether Middle East data centres host any services in their extended supply chain, as geographic distance does not guarantee insulation from regional infrastructure attacks.

Preventative actions

Map your complete infrastructure dependency chain
  • Identify not only your direct cloud providers but the infrastructure dependencies of your critical third-party services including payment processors, logistics platforms, communication tools, and SaaS applications. Understand which data centre regions these services use and whether concentration risks exist that could create correlated failures during a regional disruption event.

Test for unlikely but possible scenarios
  • Conduct tabletop exercises specifically modelling scenarios where major cloud infrastructure goes offline due to conflict, cyberattack, or physical damage. Many businesses have never tested for simultaneous loss of multiple cloud services, yet this scenario is now plausible given the targeting of data centres as strategic infrastructure.

Demand transparency from cloud providers and vendors
  • Request documentation from your cloud providers and critical SaaS vendors about their geographic distribution, redundancy architecture, and continuity plans for regional infrastructure loss. Evaluate whether contractual SLAs address conflict-related disruptions or contain force majeure exclusions that would leave you unprotected.

Implement geographic and provider diversification
  • Where feasible, architect systems to operate across multiple cloud providers and geographic regions. While this increases complexity and cost, concentration on single providers or regions creates systemic risk that may be unacceptable for critical business functions.

Establish offline fallback procedures
  • Identify which business processes could continue with degraded or offline cloud services and document manual or alternative procedures. For functions that cannot operate without cloud infrastructure, ensure leadership understands the recovery time implications of extended outages measured in days or weeks rather than hours.


Quick snippet stories

  1. Strait of Hormuz Shipping Crisis Shows No Signs of Resolution
    Tanker attacks in the Strait of Hormuz continue to compound global shipping disruptions, with Iran maintaining mobile oil infrastructure positions as the conflict with the United States extends into its fourth week. The critical risk for businesses is the absence of any diplomatic pathway to resolution, meaning each passing week doubles the compounding economic impacts through sustained high oil prices, shipping delays, insurance premium spikes, and supply chain bottlenecks that ripple far beyond the energy sector.

  2. Global Businesses Maintain Gulf Investment Despite War Volatility
    Despite ongoing regional conflict and shipping disruptions, multinational companies continue expressing strong confidence in Gulf markets for long-term investment and expansion. The apparent contradiction reflects recognition that Middle East economies offer significant growth opportunities that outlast current instability, with businesses differentiating between short-term operational challenges and fundamental market potential while building enhanced contingency planning into their regional strategies.

  3. Domain Expiry Phishing Campaign Targets Australian Businesses
    MailGuard has identified a phishing campaign impersonating Vodien that sends fraudulent domain expiry notices designed to harvest payment card details from Australian businesses. The risk extends beyond credential theft to potential domain hijacking if victims provide login credentials, enabling attackers to redirect business web traffic, intercept emails, and conduct further fraud using legitimate company domains as cover for malicious activity.

  4. Asian Manufacturing Faces Oil Supply Knock-On Effects
    Morgan Stanley warns that ongoing oil supply disruptions will cascade across key Asian sectors including manufacturing, transportation, and chemicals production, with knock-on effects extending to consumer goods pricing and export competitiveness. Businesses dependent on Asian manufacturing in their supply chains should anticipate production delays, cost increases, and potential component shortages as energy costs flow through regional industrial capacity over coming months.

  5. China Warns Regional Escalation Threatens Global Economic Stability
    China has urged an immediate halt to military operations in the Middle East, warning that regional escalation threatens global economic stability at a time when supply chains remain fragile from previous disruptions. The intervention signals Beijing’s concern that conflict-driven oil price spikes and shipping route closures could undermine Chinese economic recovery objectives, while simultaneously positioning China as a potential diplomatic intermediary seeking to preserve trade route access.

Want to discuss how these risks might affect your business?
Book 30 minutes with us, free ↗



Need support?

At Fixinc, we are passionate about helping people get through disasters. That’s why our team of Advisors brings you this resource free of charge. If you need help understanding these threats and building a plan against them, the same Advisors are here to help over a 30-minute online call. Once complete, if you like what was provided, you can choose to provide a donation or subscribe to Unbreakable Ventures to support this channel.

