Hybrid IT Risk is the exposure of an organisation’s information and communication technologies to hostile activities that exploit the interdependence of cyber, operational, informational, geopolitical, and regulatory environments. It includes risks that involve state sponsored or state enabled actors, intelligence driven intrusion campaigns, supply chain manipulation, disinformation, and influence operations, directed at undermining an organisation’s technical infrastructure, governance, compliance, and reputation.
Hybrid IT Risk arises where such adversarial actions, whether attributable or plausibly deniable, create or exacerbate vulnerabilities affecting the confidentiality, integrity, availability, continuity, authenticity, or resilience of ICT assets and critical or important functions, and where such actions are capable of generating operational, systemic, supervisory, or national security impacts across multiple sectors or jurisdictions.
Note: We know that IT experts do not like legal definitions and prefer technical accuracy. We cannot avoid the legal definitions. In organisations, law determines what must be protected, how it must be protected, and what evidence must be produced to demonstrate that the protection is effective. For this reason, hybrid IT risk management requires an understanding of the legal language too, even if interpreting legal text feels like analysing polymorphic malware in a nested VM that bluescreens whenever a legal footnote hits the hypervisor’s exception handler. The Board must also understand what we do, which means we must somehow convert polymorphic malware level complexity into PowerPoint compatible format.
Hybrid IT Risk Management is the legally mandated and governance embedded framework through which an organisation identifies, assesses, mitigates, monitors, documents, and reports hybrid IT risk in accordance with applicable prudential, resilience, cybersecurity, and critical infrastructure obligations. It requires the establishment of cross domain risk governance structures informed by threat intelligence, geopolitical analysis, and hybrid warfare doctrine.
It includes the implementation of controls designed for the continuity and integrity of critical or important functions, the incorporation of hybrid threat scenarios into risk assessments, resilience testing, and incident handling policies and procedures. It also includes the management of dependencies on third country providers and supply chain actors whose legal or geopolitical exposure may compromise ICT security, and the fulfilment of all statutory and supervisory duties concerning accountability, incident reporting, auditability, board level oversight, and cooperation with national or foreign competent authorities.
Hybrid IT risk management requires the organisation to maintain an intelligence informed and legally defensible defense, capable of withstanding coordinated, sub threshold, multi vector adversarial activity that transcends traditional IT risk categories.
General hybrid risk management deals with the strategic implementation of hybrid campaigns, and the orchestration of data leaks, disinformation, political coercion, proxy actors, espionage, energy leverage, and economic pressure. It is a strategic risk discipline that involves national security, geopolitical analysis, and cross sectoral coordination.
Hybrid IT risk management addresses the exposure of an organisation’s information and communication technologies to hostile activities, and it must satisfy the legal obligations of accountability, due diligence, incident reporting, internal control, and board oversight.
Hybrid IT risk management must be auditable, demonstrable, and supervisory ready. It produces evidence and aligns with Basel III’s operational risk doctrine, with the EU Digital Operational Resilience Act’s ICT governance and resilience requirements, with NIS 2’s mandatory risk management measures, and with the critical infrastructure legislation’s obligations concerning continuity, resilience, reliability, and systemic protection.
The legal character of hybrid IT risk management is obvious. It transforms elements of hybrid threats into compliance duties, governance mandates, supervisory expectations, audit rights, traceability, resilience testing, incident notification, third country dependencies, lawful oversight mechanisms, and the documented capacity to resist multi vector ICT disruption.
Hybrid IT risk management under Basel III, DORA, NIS 2, Critical Infrastructure Law, and Hybrid Warfare Doctrine
In Basel III, technology related risks, including cyber risk, ICT failures, third party outages, and security breaches, are formally treated as components of operational risk. This is because Basel III defines operational risk broadly as the risk of loss resulting from inadequate or failed internal processes, people, systems, or from external events.
Basel III experts could be tempted to include hybrid IT risk in operational risk only. But hybrid IT risk goes far beyond classic operational risk and touches multiple Basel III domains.
Why is hybrid IT risk far more than operational risk?
Hybrid IT risk is a multidimensional, coordinated, intelligence driven threat that by design does not fit into any single category.
1. Hybrid threats affect systemic stability. State backed hybrid influence operations, supply chain subversion, cloud disruptions, and identity compromise can generate systemic exposure, affecting markets, liquidity, the payment system, and the broader financial ecosystem. This moves the risk beyond operational loss into the macroprudential regime.
2. Hybrid IT risk affects capital adequacy assumptions. Hybrid threats can compromise data integrity, risk model inputs, stress testing assumptions, and reporting accuracy. This affects Pillar 1 and Pillar 2.
3. Hybrid IT campaigns target governance, decision making, and trust. This places hybrid IT risk partially in governance risk, strategic risk, and reputational risk.
4. Supervisory authorities treat hybrid threats as cross risk drivers. Cyber and hybrid threats impact credit risk (through hybrid campaigns against major borrowers), market risk (through price manipulation or destabilisation), liquidity risk (through operational outages and reputation harm), reputational risk (through targeted disinformation), and business model risk. Hybrid IT risk is operational risk, but also enterprise wide risk in substance.
Basel III requires institutions to identify and manage risks that arise from internal and external events. Hybrid threats alter the nature of such events by turning them into coordinated, intelligence driven campaigns that erode the integrity of financial markets or undermine confidence in the stability of institutions. Banks must demonstrate that they recognise the geopolitical dimension of threat actors, the plausible deniability inherent in hybrid campaigns, and the simultaneity of cyber and non cyber vectors. Supervisors increasingly expect institutions to incorporate cross domain threat intelligence into their Pillar 2 corporate governance. The legal duty to ensure adequate capital and robust risk processes cannot be separated from the obligation to maintain situational awareness of adversarial actors whose operations fall below the threshold of war, yet possess the potential to destabilise the financial system.
The EU Digital Operational Resilience Act (DORA) makes hybrid IT risk management a mandatory operational resilience obligation. DORA imposes detailed requirements concerning ICT governance, testing, incident reporting, and third party risk management. It recognises that hybrid threats can degrade the operability of financial services without ever breaching a system directly. Hybrid threat actors may target cloud providers, satellite communications, telecommunications nodes, software supply chains, or cross border data dependencies. They can disrupt the continuity of critical functions without triggering classical indicators of compromise.
As a result, institutions subject to DORA must not only secure their internal ICT assets, but must legally demonstrate the resilience of the entire dependency chain. They must anticipate the combined impact of cyberattacks, disinformation campaigns, political coercion of suppliers, and the intentional exploitation of digital sovereignty conflicts. These exposures must be translated into safeguards, resilient architectures, exit strategies, and a demonstrable ability to recover from systemic events propagated through hybrid methods.
The EU NIS 2 Directive expands the scope of traditional risk management by treating the organisation as part of a larger societal, cross sectoral resilience ecosystem. Under NIS 2, essential and important entities are bound by mandatory risk management measures, heightened corporate accountability, supply chain security obligations, and strict incident reporting timelines. Hybrid threats challenge these obligations by creating multi layered incidents that may involve political manipulation, disinformation campaigns aimed at consumers, cyber intrusions designed to distract from deeper espionage objectives, or coordinated influence operations targeting the governance structures of the entity.
Under NIS 2, an organisation confronted with such scenarios must evaluate whether seemingly disparate events constitute a single hybrid incident that triggers the duty to notify. Supervisory authorities expect entities to appreciate that a politically motivated disinformation campaign undermining public confidence may be operationally linked to a covert intrusion into systems supporting critical services. Failure to interpret the hybrid nature of an event may constitute a breach of the legal obligation to report incidents without undue delay.
At the level of critical infrastructure law, hybrid IT risk represents a direct threat to national security, public order, and societal stability. Legislators have increasingly recognised that the digital, physical, and cognitive dimensions of infrastructure can be targeted simultaneously. The legal obligations imposed on critical infrastructure operators involve IT governance and cybersecurity, but also go beyond that. They include the requirement to maintain the availability and reliability of services whose disruption would have severe societal consequences.
Hybrid threat actors do not necessarily seek to destroy infrastructure. They often aim to degrade, confuse, erode trust, or impose strategic uncertainty. Critical infrastructure law obliges operators to implement comprehensive risk assessments capable of identifying cross domain dependencies, foreign influence risks, AI driven system manipulation, and the exploitation of legal loopholes that allow actors to operate below normal detection thresholds.
Hybrid warfare doctrine provides the conceptual framework, and explains why hybrid IT risk has become central to regulatory design. Hybrid warfare is characterised by the strategic use of ambiguity, the blending of civilian and military instruments, and the simultaneous deployment of cyber, informational, economic, and diplomatic tools. In this domain, information systems are strategic targets. Adversaries aim to undermine institutions by shaping the information environment, causing confusion in governance structures, and leveraging legal processes to constrain organisational responses.
Hybrid IT risk management must acknowledge that threat actors do not simply seek operational disruption; their aims also include coercive pressure, reputational erosion, the theft of sensitive data for long term strategic use, and the exploitation of interdependencies.
The legal requirements across Basel III, DORA, NIS 2, and critical infrastructure law converge on a single expectation. The organisation must demonstrate resilience to intelligent, adaptive, and strategically motivated adversaries. This requires a shift from static compliance to dynamic, intelligence informed governance.
In this environment, hybrid IT risk management becomes an obligation to protect not only the organisation’s digital assets, but also the wider societal, financial, and geopolitical systems that rely on them. It requires the blending of legal interpretation, supervisory expectations, and strategic foresight.
Institutions must be capable of demonstrating to regulators and supervisory authorities that they understand the nature of hybrid threats, have embedded this understanding into their governance, and maintain the capacity to withstand hostile operations that exploit legal ambiguity, technological complexity, and the interconnectedness of modern critical systems.
1. Build a hybrid threat informed risk baseline. Establish a current, technical baseline of the organisation’s IT environment, including infrastructure, data flows, interconnections, external services, regulatory constraints, and geopolitical dependencies.
2. Identify multi domain attack surfaces. Find exposure points, not only within traditional IT systems, but also within cloud platforms, software supply chains, CI/CD pipelines, authentication ecosystems, privileged access paths, remote work infrastructures, third party integrations, messaging platforms, and areas susceptible to social engineering or disinformation. Recognise that hybrid adversaries exploit both digital surfaces and human workflows.
3. Strengthen identity, authentication, and access governance. Hybrid threat actors consistently target identity systems because they allow covert persistence and high impact manipulation. Enforce hardware backed MFA, strong conditional access, continuous identity monitoring, zero trust segmentation, and strict privilege boundaries. Monitor identity anomalies at a behavioural level to detect hybrid style lateral movement that blends technical and social techniques.
4. Harden infrastructure. Apply security controls consistently across architectures. This includes configuration baselines, policy enforcement, workload isolation, encryption of data in transit and at rest, classification management, endpoint hardening, and continuous attack surface reduction. Treat cloud misconfigurations as strategic risks, since hybrid actors target them for low noise infiltration.
5. Secure the software and supply chain layer. Implement software integrity verification, code signing validation, pipeline hardening, SBOM management, dependency vetting, and continuous scanning of packages. Hybrid actors frequently compromise upstream vendors to reach targets. Build the capability to detect tampered updates, malicious packages, or post-compromise artifact manipulation.
6. Deploy multi domain monitoring and detection. Construct detection mechanisms that correlate cyber telemetry with non technical indicators such as disinformation spikes, credential harvesting campaigns, suspicious supplier behaviour, anomalous cloud access attempts, and geopolitical triggers. Hybrid threats often cannot be detected purely through network monitoring and signatures. They require behavioural, contextual, and intelligence driven correlations.
7. Establish resilience by design architecture. Design systems so that compromise of one domain does not propagate into others. Apply microsegmentation, environment isolation, redundant identity control planes, fail secure cloud configurations, secure by default service meshes, immutable infrastructure where possible, and backup environments insulated from both ransomware and manipulation. Hybrid adversaries aim for simultaneous disruption and confusion. Your architecture must resist both.
8. Conduct hybrid threat scenario testing. Go beyond classic penetration tests. Execute hybrid simulations combining cyberattacks, misinformation targeting employees, tampered supplier software, insider manipulation, and cloud region disruptions. Evaluate detection gaps, decision making friction, and response coordination weaknesses. Validate business continuity assumptions under hybrid stress conditions.
9. Prepare an integrated incident response playbook. Create response procedures that incorporate cyber response, crisis communications, threat intelligence, supplier coordination, regulatory notification, and counter disinformation measures. Hybrid adversaries often create distractions or parallel crises to overwhelm defenders. Your incident response function must be able to analyse misleading signals and maintain operational clarity.
10. Protect human operators and decision makers. Hybrid threats target people as much as infrastructure. Train staff to recognise manipulation campaigns, spear phishing, identity spoofing attempts, deepfake driven social engineering, and adversarial psychological tactics. Equip them with hybrid situational awareness to prevent misinterpretation of incidents.
11. Strengthen third party and geopolitical dependency controls. Monitor external vendors, cloud providers, telecom carriers, data centres, and offshore service teams for emerging risks arising from geopolitical pressure, foreign legal exposure, or hybrid influence campaigns. Incorporate rigorous onboarding, continuous monitoring, exit strategies, and dependency failover capabilities.
12. Establish continuous adaptation and intelligence integration. Hybrid adversaries constantly evolve their playbooks. Maintain a continuous feedback loop between threat intelligence, IT operations, security engineering, and governance teams. Update controls, detection logic, and resilience strategies based on emerging hybrid tactics observed across sectors and regions. Introduce unpredictability in defence.
13. Build an adversary emulation model for hybrid threats. Hybrid stress testing must begin with a realistic adversary model that reflects how genuine hybrid threat actors operate. This requires constructing profiles of state backed cyber units, long horizon cyber espionage actors, supply chain subversion teams, influence operation specialists, and groups capable of targeting identity and cloud control planes. The objective is to emulate coordinated hybrid operations. Such adversary models must incorporate timing, deception patterns, and multi vector techniques that hybrid actors use to establish persistence and create strategic disruption.
14. Stress test decision making, governance, and cognitive load. Hybrid adversaries intentionally target human decision making. For this reason, hybrid stress tests must examine how executives and crisis teams perform under conditions of confusion, misleading telemetry, parallel incidents, and artificially induced noise. Exercises must assess alert fatigue, decision paralysis, governance hesitation, and the risk of misinterpreting hybrid signals. Simulated false flags, fake indicators of compromise, and manipulated communication channels create a realistic cognitive load environment in which defenders’ judgment can be evaluated.
15. Apply regulatory and reporting stress during the scenarios. A hybrid campaign often places an organisation under regulatory, legal, and reputational pressure. Hybrid stress test scenarios must include IT disruption, data leaks, service disruption, systems failure, but also overlapping reporting deadlines, contradictory or ambiguous regulatory notifications, and intense external scrutiny. Test conditions should recreate an environment in which technical teams, legal staff, and executives must simultaneously handle operational instability, external communications, and supervisory expectations. The purpose is to evaluate the organisation’s ability to maintain coherence under legally induced stress.
16. Evaluate multilayer dependency collapse and recovery paths. Hybrid scenarios must examine the resilience of complex dependency chains, including cloud services, telecommunications, identity infrastructure, MFA providers, and critical third party vendors. Stress tests should simulate conditions where several dependencies fail together, forcing the organisation to respond to correlated disruptions. The objective is to assess whether system architecture, controls, failover strategies, and cross domain dependencies can withstand simultaneous failures triggered or exploited by a hybrid threat.
17. Quantify hybrid resilience gaps and failure thresholds. Effective hybrid stress testing requires quantification. This involves identifying and measuring the organisation’s thresholds for resilience and disruption. Traditional operational metrics are insufficient. Hybrid risk demands new forms of measurement that capture complexity, ambiguity, and adversarial intent.
18. Integrate threat intelligence feedback loops into stress testing. Hybrid stress testing is not a static exercise. Threat intelligence must serve as the engine that continuously refreshes scenario design. Every update in geopolitical conditions, adversary tooling, cross sector campaigns, cloud targeting techniques, or AI based exploitation must feed directly into the next stress testing scenarios. This integration ensures that hybrid stress tests evolve at the same pace as real world hybrid actors and remain aligned with the threat environment.
19. Test internal and external communications against hybrid manipulation. Communication channels are critical targets in hybrid operations. Stress tests must simulate manipulation attempts, including spoofed regulator messages, deepfake based social engineering, falsified internal alerts, and orchestrated misinformation campaigns. The objective is to evaluate how well the organisation’s communication protocols, identity confirmation procedures, escalation chains, and verification controls withstand adversarial attempts to distort perception or erode trust.
20. Conduct post stress test forensics. After completing a hybrid scenario, the organisation must perform a forensic reconstruction. This includes analysing identity compromise paths, reconstructing timelines, assessing cross domain impact, and evaluating detection effectiveness. The forensic phase reveals blind spots, control failures, and weaknesses in hybrid detection capability that cannot be identified through conventional post exercise reviews.
21. Feed hybrid stress test results into architecture and governance. Hybrid stress testing must produce actionable change. Findings from adversary emulation, cross domain stress scenarios, cognitive load analysis, forensic investigations, and dependency collapse assessments must be incorporated directly into architecture redesign, governance updates, detection engineering, incident response playbooks, cloud configuration changes, and threat monitoring logic. Hybrid stress testing must become a continuous source of architectural intelligence and change.
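Item 6 (multi domain monitoring and detection) and the NIS 2 paragraph above on deciding whether seemingly disparate events form a single hybrid incident both come down to cross domain correlation. The following is an added example, not code from the original article: a small Python correlator over constructed sample events (timestamps, source names and event texts are invented) that clusters events from different domains inside a time window and summarises each cluster for the hybrid incident and notification assessment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Event:
    ts: datetime
    domain: str                   # "cyber", "information", "supplier" or "geopolitical"
    source: str                   # telemetry or intelligence source (constructed names)
    detail: str
    critical_function: Optional[str] = None   # critical/important function affected, if any

# Constructed sample events; none of these describe a real incident.
SAMPLE_EVENTS = [
    Event(datetime(2025, 3, 3, 8, 5), "geopolitical", "intel-feed",
          "sanctions escalation in a core vendor's jurisdiction"),
    Event(datetime(2025, 3, 3, 9, 40), "information", "brand-monitor",
          "spike in coordinated posts claiming the bank is insolvent", "retail payments"),
    Event(datetime(2025, 3, 3, 10, 15), "cyber", "idp",
          "impossible-travel sign-ins on three privileged accounts", "retail payments"),
    Event(datetime(2025, 3, 3, 10, 50), "supplier", "vendor-portal",
          "unscheduled out-of-band update pushed by core banking vendor", "core banking"),
    Event(datetime(2025, 3, 5, 14, 0), "cyber", "edr",
          "commodity malware blocked on a branch kiosk"),
]

def correlate(events: List[Event], window: timedelta = timedelta(hours=6),
              min_domains: int = 3) -> List[List[Event]]:
    """Cluster events that fall within `window` after an anchor event and span
    at least `min_domains` distinct domains. Each event joins one cluster only."""
    ordered = sorted(events, key=lambda e: e.ts)
    clusters, consumed = [], set()
    for i, anchor in enumerate(ordered):
        if i in consumed:
            continue
        members = [(j, e) for j, e in enumerate(ordered)
                   if j >= i and j not in consumed and e.ts - anchor.ts <= window]
        if len({e.domain for _, e in members}) >= min_domains:
            clusters.append([e for _, e in members])
            consumed.update(j for j, _ in members)
    return clusters

def assess(cluster: List[Event]) -> Dict[str, object]:
    """Summarise a cluster the way an analyst would before deciding whether it is
    one hybrid incident that triggers the duty to notify."""
    domains = sorted({e.domain for e in cluster})
    functions = sorted({e.critical_function for e in cluster if e.critical_function})
    span_hours = (max(e.ts for e in cluster) - min(e.ts for e in cluster)).total_seconds() / 3600
    if "cyber" in domains and functions:
        verdict = "treat as single hybrid incident: assess NIS 2 / DORA notification duty"
    else:
        verdict = "cross-domain activity without confirmed ICT impact: monitor and escalate to CTI"
    return {"domains": domains, "critical_functions": functions,
            "span_hours": round(span_hours, 2), "verdict": verdict}

def hybrid_incidents(events: List[Event]) -> List[Dict[str, object]]:
    """Run correlation and assessment over a batch of events."""
    return [assess(c) for c in correlate(events)]

if __name__ == "__main__":
    for report in hybrid_incidents(SAMPLE_EVENTS):
        print(report)
```

The isolated malware detection two days later is deliberately left out of the cluster: on its own it is ordinary operational noise, while the four events inside the window together warrant the single incident assessment the NIS 2 paragraph describes.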
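Items 7, 16 and 17 (resilience by design, multilayer dependency collapse, quantified failure thresholds) can be rehearsed on a dependency model before a live stress test. The block below is an added example, not code from the article: a constructed dependency graph (all function, service and provider names are invented) in which a node is up only when every requirement group has one working alternative; it reports which critical functions fall under a correlated failure, which base dependencies are single points of failure, and the smallest number of simultaneous base failures that takes each function down.

```python
from itertools import combinations
from typing import Dict, List, Set

# Constructed dependency model (invented names, not from the article).
# node -> list of requirement groups; each group lists interchangeable alternatives,
# so a node is up only when every group has at least one working alternative.
DEPENDENCIES: Dict[str, List[List[str]]] = {
    "retail payments":      [["payment api"], ["identity"]],
    "core banking":         [["core vendor platform"], ["identity"]],
    "payment api":          [["cloud region A", "cloud region B"],
                             ["telecom primary", "telecom backup"]],
    "identity":             [["idp primary", "idp standby"],
                             ["mfa provider", "mfa fallback"]],
    "idp primary":          [["cloud region A"]],
    "idp standby":          [["cloud region B"]],
    "core vendor platform": [["cloud region A"]],   # vendor runs in a single region
}
CRITICAL_FUNCTIONS = ["retail payments", "core banking"]

def base_dependencies(deps: Dict[str, List[List[str]]] = DEPENDENCIES) -> List[str]:
    """External providers: referenced as alternatives but with no modelled dependencies."""
    referenced = {alt for groups in deps.values() for group in groups for alt in group}
    return sorted(referenced - set(deps))

def is_up(node: str, failed: Set[str], deps=DEPENDENCIES) -> bool:
    """Recursive availability: failed nodes are down, base nodes are up unless failed."""
    if node in failed:
        return False
    if node not in deps:
        return True
    return all(any(is_up(alt, failed, deps) for alt in group) for group in deps[node])

def impact(failed: Set[str], deps=DEPENDENCIES, functions=CRITICAL_FUNCTIONS) -> Dict[str, object]:
    """Which critical functions collapse under a correlated failure, and the survival ratio."""
    down = [f for f in functions if not is_up(f, failed, deps)]
    return {"down": down, "survival": 1 - len(down) / len(functions)}

def single_points_of_failure(deps=DEPENDENCIES, functions=CRITICAL_FUNCTIONS) -> Dict[str, List[str]]:
    """Base dependencies whose failure alone takes at least one critical function down."""
    spof = {}
    for base in base_dependencies(deps):
        down = impact({base}, deps, functions)["down"]
        if down:
            spof[base] = down
    return spof

def failure_threshold(function: str, deps=DEPENDENCIES) -> int:
    """Smallest number of simultaneous base failures that brings `function` down
    (brute force; fine for a model of this size). 0 means no base failure set does."""
    bases = base_dependencies(deps)
    for k in range(1, len(bases) + 1):
        for combo in combinations(bases, k):
            if not is_up(function, set(combo), deps):
                return k
    return 0

if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure())
    for f in CRITICAL_FUNCTIONS:
        print(f, "failure threshold:", failure_threshold(f))
    # correlated hybrid scenario: regional cloud outage plus the MFA provider taken offline
    print(impact({"cloud region A", "mfa provider"}))
```

In this model the single region vendor platform makes core banking a one-failure function, which is exactly the kind of finding item 21 says must flow back into architecture redesign.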