Upstate NY attorneys outline top business risks for 2026

Listen to this article

As Upstate New York companies close out 2025, attorneys say the year revealed key vulnerabilities — from succession-planning gaps to mounting cyber and AI-driven risks. Their insights highlight the issues gaining speed heading into 2026 and the actions companies should prioritize to stay ahead of emerging threats.

Barclay Damon: Succession planning, AI pressures, and cyber preparedness

“One of the most significant risks this year was the widespread lack of deliberate succession planning among long-established, owner-operated businesses,” said Mike Moore, a partner at the law firm Barclay Damon and the firm’s Corporate Practice area co-chair. “Many owners are only beginning to explore transitions, which can jeopardize both financial outcomes and long-term legacy if delayed.”

Moving into 2026, a key emerging risk Moore identifies is the accelerating pace of artificial intelligence (AI) development and the need to understand how it can be applied effectively within existing operations.

“It’s democratization and market-wide impact will reshape how work gets done, making early awareness and adaptation critical,” he said.

In his practice, Moore says he’s fortunate to work with many entrepreneurs, fast movers, and big thinkers who are highly cost-conscious, so formal risk audits aren’t always top of mind, but cybersecurity assessments are the major exception.

“With rising threats, clients increasingly seek our firm’s technical and coverage-focused cybersecurity audits to shore up vulnerabilities early,” he said.

Some proactive steps companies can take to identify and mitigate risk before it becomes costly or disruptive are to engage with their trusted advisors early, said Moore, explaining that quick, focused conversations with legal, financial, or insurance professionals can help surface risks before they escalate.

He also says that internally, leaders should increase communication with employees at all levels, as candid frontline insights often reveal emerging issues sooner.

“In bigger organizations, distributing risk discussions across departments — rather than siloing them with the general counsel or CFO — can improve early issue spotting,” Moore continues. “For smaller companies, involving counsel in strategic meetings enhances both communication and the quality of legal advice.

Harris Beach Murtha: Cyber risk, immigration exposure, and geopolitical challenges

David M. Clar, a partner in the law firm Harris Beach Murtha’s Corporate Practice Group and co-leader of the Industrial and Consumer Manufacturing industry team, identifies digital disruption, immigration, geopolitical instability, and continued supply chain disruption as the most significant risk factors his clients saw in 2025.

“I definitely see cybersecurity and associated risks continuing, as threats become more sophisticated every day,” said Clar, about risks he anticipates in 2026. “I also see AI becoming more disruptive both in terms of how to capitalize on it and properly utilize it.”

Regarding an initiative-taking step companies can take when it comes to cybersecurity risk in 2026, Clar recommends having a cybersecurity consultant come in to evaluate risk and also ensuring that employees are well educated when it comes to best practices in cybersecurity.

In terms of a proactive step companies can take to get ahead of immigration related risk in 2026, Clar recommends I-9 audits for those in which they would be appropriate. Such an audit checks whether an employer has properly completed, stored, and maintained all I-9 forms, which are federal documents that U.S. employers must complete for each new hire to confirm identity and work eligibility in the United States.

He encourages business owners and leaders to spend time with corporate counsel in ways that are less formal, like lunch or coffee.

“Make the relationship less transactional,” he said. “Learn more about each other. I find such meetings to be very helpful.”

Nixon Peabody: Embedding risk management across the organization

Tyler Savage, a partner in the law firm Nixon Peabody’s M&A and Corporate Transactions practice, says that it’s important for all companies to appreciate that risk management is no longer a siloed compliance function but needs to be an enterprise-wide discipline instead.

“Legal departments should ensure that risk governance is structurally embedded throughout the organization—with regular reviews of exposures related to AI, cyber, regulatory, and supply-chain risks,” Savage said.

Reflecting on 2025, he said many upstate companies, especially advanced manufacturers, healthcare providers, and higher ed‑affiliated entities, as well as companies with national footprints, wrestled with talent shortages, escalating cybersecurity threats, and macro-economic and global uncertainties.

One of the most heightened risk categories this year, Savage said, remained cyber incidents like data breaches, ransomware, and IT outages, which are now layered with the added dimension of AI-enabled exposure and an evolving regulatory regime.

Heading into 2026, Savage said corporate leaders should watch three fronts: 1. tightening data and AI governance expectations, including New York’s evolving privacy proposals and new child data protections, 2) evolving environmental and energy transition mandates impacting facilities and fleets, and 3) more complex risk allocation related to AI-centric tools and critical suppliers.

Caurie Putnam is a Rochester-area freelance writer.