Hormuz, cyberattacks, cartels, sanctions, and regional violence: the new critical agenda for CEOs with operations in Mexico, the United States, and Latin America.

The business conversation in May can no longer be limited to inflation, sales, talent, or regional expansion. Today’s environment requires CEOs and boards of directors to view risk as an interconnected system: a maritime shutdown in the Middle East can drive up fuel costs in North America; a critical vulnerability in hosting platforms can open the door to ransomware; a U.S. judicial accusation involving Mexican political actors can disrupt supply chains, compliance, and investor confidence; and an escalation of violence in Colombia or Haiti can alter routes, insurance, logistics costs, and business continuity.

The central issue is not simply that the world has become more uncertain. The issue is that uncertainty is already producing measurable effects on real companies: energy, transportation, ports, customs, cybersecurity, compliance, due diligence, reputation, and criminal exposure.

In Grupo BlackIND’s strategic documents, one key thesis has been consistently emphasized: transnational organized crime has ceased to operate only as an illegal economy and has evolved into a hybrid actor with territorial, logistical, financial, technological, and political capabilities. This reading turns corporate security into a strategic business function, not an operating expense.

1. Energy and logistics: Hormuz is no longer a distant problem

The Strait of Hormuz remains the main source of pressure on energy, maritime insurance, and global trade. Reuters reported that traffic through the strait has fallen to levels well below 10% of normal volumes since April, with hundreds of vessels held inside the Gulf and a direct impact on nearly 20% of the world’s oil supply.

For companies in Mexico and the United States, the impact is not limited to the price of Brent crude. The real risk appears across three fronts: rising energy costs, pressure on freight and insurance, and volatility in critical inventories. On May 11, Reuters reported that Brent rose to USD 104.32 per barrel after Washington rejected Iran’s response to a peace proposal, while the market remained tense over the partial closure of Hormuz. Barclays raised its 2026 Brent forecast to USD 100 per barrel and warned that, if the disruption continued through the end of May, prices could reprice toward USD 110.

For a CEO, this means that 2026 financial planning must include adverse energy scenarios. Transportation, manufacturing, agribusiness, retail, pharmaceuticals, data centers, private security, hospitality, and logistics will be especially exposed. The strategic question is not only how much fuel prices will rise, but which suppliers, routes, contracts, and margins become unsustainable under a prolonged high-oil scenario.

2. Middle East: the ceasefire does not eliminate operational risk

The declared conclusion of Operation Epic Fury does not equal normalization. Al Jazeera reported that Secretary of State Marco Rubio stated that the operation had concluded, but also noted that the U.S. position maintained conditions and warnings regarding a possible resumption of attacks if Iran did not accept the negotiated terms.

The attack against the United Arab Emirates confirms that the region remains highly volatile. Reuters reported on May 4 that Emirati air defenses faced missile and drone threats, that a fire affected an oil zone in Fujairah, and that flights to the UAE were diverted or placed in holding patterns because of airspace disruption.

For Latin American companies with Asian suppliers, global maritime routes, imported components, or exposure to commodities, the message is clear: logistics resilience must be reviewed as a board-level priority. Procurement and supply chain teams need alternative routes, strategic inventories, force majeure clause reviews, maritime monitoring, and second- and third-tier supplier assessments.

3. Russia-Ukraine: a tactical truce, but an industrial war persists

The announcement of a three-day truce between Russia and Ukraine, from May 9 to 11, included a suspension of kinetic activity and an exchange of 1,000 prisoners on each side, according to Reuters. However, the truce does not remove the structural risk: the war continues to affect energy, fertilizers, metals, transportation, insurance, defense, and cyber activity.

Ukraine intensified attacks against Russian energy infrastructure. Reuters reported that the Kirishi refinery, Russia’s second-largest, halted operations after damage to three of its four distillation units; the facility accounts for roughly 7% of Russia’s refining volume. Reuters also reported attacks against Tuapse and Perm, including facilities located more than 1,500 kilometers from Ukraine.

The business implication is direct: the war is no longer concentrated only on the military front. It is also being fought against refineries, ports, pipelines, power grids, satellites, data, and public perception. Companies with regional operations must assume that critical infrastructure, whether their own or their suppliers’, can become a vector of indirect disruption.

4. Mexico-United States: compliance, sovereignty, and reputational risk

The Mexico-U.S. front requires a prudent business reading. Reuters reported that a U.S. accusation against Mexican politicians, including the governor of Sinaloa, created tensions within Morena, and that President Claudia Sheinbaum stated that the evidence reviewed by Mexico was insufficient to arrest and extradite the 10 current and former officials accused by the United States of collusion with the Sinaloa Cartel.

For companies, this type of episode should not be read as an isolated political story. It should be read as a signal that the transborder compliance environment is tightening. In the writings of Grupo BlackIND’s CEO, the designation, sanctioning, or prosecution of criminal structures under U.S. legal frameworks is described as a force that can impose a new compliance model: it is no longer enough to “simulate” controls; companies must demonstrate real due diligence regarding third parties, suppliers, beneficial owners, payments, logistics, public procurement, and territorial exposure.

This especially affects companies operating in Mexico with customers, banks, investors, or parent companies in the United States. Exposure is no longer limited to “not doing business with criminals.” It includes risks related to contaminated transportation, front suppliers, customs corruption, indirect payments, extortion, cargo theft, deficient physical security, and failures in documentary traceability.

5. Colombia, Haiti, and the Caribbean: regional security and business continuity

Colombia is entering a critical phase. El Pais reported that between January and April 2026, 48 massacres were recorded, with at least 229 fatalities—the most violent start under this measurement since the 2016 Peace Agreement. AP reported that rebel groups carried out 26 attacks with explosives and drones in the southwest of the country, and that the most serious explosion raised the death toll to 21.

Haiti remains a center of humanitarian, logistical, and criminal risk. The IOM has reported massive displacement of around 1.4 million people due to violence and insecurity, with armed groups expanding beyond Port-au-Prince.

For companies with operations in Latin America, these cases point to a broader trend: organized crime and armed groups no longer affect only physical security. They affect personnel mobility, distribution, routes, insurance, permits, supply, reputation, store continuity, mining, agribusiness, energy, and financial services.

6. Cybersecurity: the cPanel vulnerability confirms the risk of silent exposure

The CVE-2026-41940 vulnerability must be treated as an executive alert. cPanel reported that on April 28 it released security updates for cPanel & WHM addressing an authentication vulnerability in the session management layer; the provider stated that, after confirming the report, it released updates in approximately 28 hours and that more than 98% of servers had been updated by May 10.

The NVD describes CVE-2026-41940 as an authentication bypass vulnerability that allows unauthenticated remote attackers to gain unauthorized access to the control panel. It also records its inclusion in CISA’s Known Exploited Vulnerabilities catalog.

The impact on companies is clear: a vulnerability in hosting infrastructure can compromise corporate websites, email, databases, customer portals, e-commerce, reputation, and operational continuity. This is not solely an IT issue. It must reach the risk committee, audit function, and executive management.

Cyber Black proposes a hybrid model that combines human talent, technology, artificial intelligence, cybersecurity, and its Security Intelligence Center — Ci5 — to support business continuity, risk management, and corporate intelligence. This vision is especially relevant in an environment where attacks combine phishing, credential theft, ransomware, data leaks, disinformation, digital extortion, and exploitation of vulnerable providers.

7. Trade and tariffs: regulatory pressure is also business risk

Trade tension between the United States and the European Union adds another layer of uncertainty. Reuters reported that Washington gave Brussels until July 4 to meet trade commitments or face higher tariffs, including on automobiles; Trump had threatened to raise tariffs on European vehicles from 15% to 25%.

Although the immediate focus is EU-U.S. relations, Mexican companies must observe the second-round effect: supplier relocation, pressure on auto parts, changes to rules of origin, review of USMCA supply chains, logistics costs, and nearshoring opportunities. In a context of expensive energy and stricter compliance, competitive advantage will belong to companies capable of documenting origin, traceability, security, integrity, and resilience.

Strategic reading for CEOs

The risk landscape of May 2026 cannot be explained by a single event. It is explained by convergence.

War affects energy. Energy affects inflation. Inflation affects interest rates, consumption, and margins. Sanctions affect banks and suppliers. Cyberattacks affect continuity. Organized crime affects logistics, reputation, and compliance. Regional violence affects operations and talent. Disinformation affects trust. Institutional fragmentation affects response capacity.

Therefore, the CEO must demand a minimum resilience agenda. These recommendations were consolidated through the work of ASIS International LATAM & Caribbean in Sao Paulo, Brazil.

First, update the geopolitical, logistical, cyber, and regulatory risk map for the next 30 to 60 days.

Second, review critical suppliers, beneficial owners, routes, carriers, third parties, banks, customs brokers, and local partners.

Third, validate energy exposure and contracts sensitive to fuel, freight, insurance, and port delays.

Fourth, confirm critical patches, offline backups, credential monitoring, ransomware response, and continuity testing.

Fifth, elevate third-party compliance to the board level, especially for Mexico-U.S. and Latin American operations.

Sixth, integrate corporate intelligence, cyber intelligence, physical security, legal, finance, procurement, and strategic communications into a single executive dashboard.