National Security: The Overlooked Business Risk

The updated U.S. National Security Strategy, released in December 2025 (the “Security Strategy”), places an emphasis on the Western Hemisphere and protecting U.S. interests, which is in alignment with the “America First” focus of the current U.S. presidential administration.1 Notably, the Security Strategy discusses the importance of establishing economic security through balanced trade relationships, reindustrialization, and a strengthened defense sector.2 Other key points in the Security Strategy include an emphasis on sharing defense responsibilities with allies and maintaining U.S. leadership in emerging technology.3 Further, the Security Strategy notes that “[s]uccessfully protecting our Hemisphere also requires closer collaboration between the U.S. Government and the American private sector.”4

These focus areas, combined with recent geopolitical events, including the involvement of the U.S. military in Venezuela, heightened cross-border tensions, and the convergence of cyber and physical threats, emphasize the need for domestic and international organizations alike to consider national security as a business risk, rather than simply a political concern.5 National security threats are increasingly intertwined with business operations, as government scrutiny and enforcement are heightened worldwide. Similar to overlooking traditional business risks like market volatility, overlooking national security as a business risk can result in damaging impacts to operations, reputation, and financial performance.

Increasing National Security Risks for Businesses

The shifting geopolitical landscape makes national security more relevant than ever for the private sector. Each of the increasing national security threats below can have a significant impact on the bottom line of a business.

Cyber Risks. Offensive cyber operations are used as a geopolitical tool with increasing regularity. Adversaries are shifting their focus with these attacks to the private sector, especially to organizations within critical infrastructure. Because of the reliance on critical infrastructure in everyday life, infiltrating this sector has significant potential to cause widespread harm or disruption, giving geopolitically-motivated threat actors an avenue to advance their agendas. The Security Strategy specifically highlights this concern, calling on the private sector to “help maintain surveillance of persistent threats to U.S. networks, including critical infrastructure,” to enable “the U.S. Government’s ability to conduct real-time discovery, attribution, and response” to cyber threats.6

Emerging Technology Risks. Emerging technologies, including artificial intelligence (“AI”), create and increase national security risk to organizations and throughout their supply chains due to potential exploitation of information technology (“IT”) vulnerabilities that can be leveraged for espionage or competitive advantage. This has led to greater regulation and scrutiny of cross-border data flows by several government agencies.7 Without appropriate protections put in place during implementation, AI systems and sensitive data can be exploited by threat actors with global motives. Further, nation-state affiliated threat actors can use agentic AI systems to do the work of entire teams of experienced threat actors, including analyzing target systems, producing exploit code, and scanning vast datasets of stolen information more efficiently than a team of people.8

Federal Frameworks and Regulations. Federal oversight of national security risk across the private sector is becoming more prominent, as evidenced by the publication of several new regulations and frameworks related to national security. While the new Security Strategy highlights the need to “resist and reverse measures such as targeted taxation, unfair regulation, and expropriation that disadvantage U.S. businesses,”9 efforts are underway to ensure the U.S. protects its supply chain, intellectual property, and critical infrastructure. For example, the Department of Justice’s Data Security Program is aimed at safeguarding sensitive personal and government-related data, while the One Big Beautiful Bill Act Prohibited Foreign Entity rules set restrictions on foreign influence through supplier due diligence.10,11 Other updates from the current administration have included the designation of cartels as “Foreign Terrorist Organizations”.12

Shifting Perspectives

These increasing risks, combined with the priorities outlined in the Security Strategy, emphasize the need for domestic and international businesses to incorporate national security considerations into their traditional risk portfolio, helping navigate a complex landscape of evolving threats. Rather than viewing national security considerations as a regulatory burden, organizations should shift their perspective to think about national security as a strategic imperative that affects the viability of their business.

National security threats can have a significant impact across departments, including IT, legal, compliance, finance, and operations. As such, these risks cannot be mitigated in a silo with input solely from compliance functions; they require a holistic, overarching strategy elevated to board-level strategic planning.

National security threats are projected to continue to increase, and businesses across all industries need to be prepared to meet the growing risk. A properly implemented, comprehensive approach to mitigating national security risk leads to a dual outcome of protecting against threats and positioning the organization to thrive in a complex landscape of security-related challenges. This achievement becomes a value-add and a market differentiator for forward-looking organizations that shift their perspectives on national security.

Moving Forward

As organizations develop their own national security strategies, a proactive mindset that anticipates threats and allows for agility in an increasingly dynamic and unpredictable geopolitical risk environment is vital. In order to mitigate national security risks, organizations should:

  • Build and reinforce a strong compliance program that incorporates national security regulations and embeds a culture of compliance across all levels of the organization.
  • Conduct regular, risk-based assessments that include cybersecurity and IT due diligence, investigative due diligence, data governance audits, and supply chain reviews.
  • Evaluate both inbound and outbound foreign investments for national security implications.
  • Implement an insider threat program that includes event logging and review, integrity checks, and independent audits of network activity to ensure the detection of any suspicious or anomalous activity.
  • Engage external legal counsel and national security experts to provide independent assessments, identify gaps, and implement protections to enhance cyber resilience.
  • Leverage government tools, guidance, and resources to support compliance and security efforts.
  • Proactively coordinate with government agencies to mitigate the risk of prosecution and penalties for national security-related incidents.

National security threats are no longer just a public sector issue. These risks can have financial and reputational impacts to private sector companies, in addition to putting employees’ physical safety and sensitive data at risk. Domestic and international organizations need to view national security as a business risk, holistically incorporated across departments, to prevent significant impacts within the shifting geopolitical landscape.

Footnotes:

1: President of the United States, “National Security Strategy of the United States of America,” The White House (Nov. 2025, p. 5)

2: Ibid., 11–14.

3: Supra note 1, at 5.

4: Supra note 1, at 18.

5: Cullen, Michael, et al., “Venezuela in Flux: Commercial Implications,” FTI Consulting (Jan. 7, 2026)

6: Supra note 1, at 21.

7: “Protecting Americans’ Data from Foreign Adversaries Act of 2024 (‘PADFAA’),” Federal Trade Commission (April 24, 2024)

8: “Disrupting the first reported AI-orchestrated cyber espionage campaign,” Anthropic (Nov. 13, 2025)

9: Supra note 1, at 19.

10: Cybersecurity and Infrastructure Security Agency, “Security Requirements for Restricted Transactions: E.O. 14117 Implementation,” U.S. Department of Homeland Security (Jan. 2025)

11: The One Big Beautiful Bill Act, Pub. L. No. 119-21, § 70512 (2025)

12: President of the United States, “Designating Cartels And Other Organizations As Foreign Terrorist Organizations And Specially Designated Global Terrorists,” The White House (Jan. 20, 2025)

Related Insights

Related Information

Published

January 15, 2026

temp Key Contacts

Paul M. Abbate

Senior Managing Director

Mike Driscoll

Senior Managing Director

Sara Murray

Managing Director

Most Popular Insights

  1. Navigating Tariffs: 10 Strategies to Protect the Bottom Line
  2. The Hidden Risk for Data Centers That No One is Talking About
  3. It’s La La Land Again in Financial Markets
  4. Geopolitical Risk Management: No Longer Just a “Nice to Have”, But a Corporate Imperative
  5. Corporate Sustainability Report

Sign up to get access to FTI Consulting Insights

Subscribe