Julie DiMauro, US Content Manager
As cybersecurity risks (including insider threats) remain a key concern across industries, regulatory scrutiny of how companies secure data, manage data-breach risk, remain resilient, respond to incidents and accurately report issues in a timely fashion will remain a regulatory priority.
In 2024, almost every industry experienced critical IT disruptions, many of them highly disruptive and some having significant national security implications.
The CrowdStrike incident, as just one example, put into stark relief how susceptible a truly wide swath of (crucial) industries in the global economy are to software vendor disruptions and overreliance on the same tiny group of vendors.
Jean Hurley, Commissioning Editor
We are expecting to see cyber security legislation introduced in the UK in 2025. The King’s Speech suggested legislation would bring the UK’s cyber security regime more in line with the EU’s NIS2 Directive.
Will this make a difference to the number of threat levels increasing in the UK? Probably not.
Both criminal gangs and state actors will continue to target infrastructure and organizations.
The National Cyber Security Centre has warned that the scale of the problem is not fully understood, with attacks happening more frequently and the consequences and damage ever more severe.
Thomas Hyrkiel, Director, Content and Community
People, organizations and governments have all benefited from the rapid advances in technology.
For example, I deeply appreciate contactless payment technologies – particularly as they have made things more seamless not only for me, but for the various businesses (including local ones) that I spend money with.
However, the adoption of technology and the woof and weave of systems underpinning it has led directly to serious and systemic vulnerabilities (for example, CrowdStrike).
Governments are finally taking action when it comes to issues of security and stability, with measures such as DORA and NIS2 in the EU, the Critical Third Parties Oversight Regime in the UK and cybersecurity and the management of third-party risk also firmly in the SEC’s crosshairs.
The obverse of technological progress is also the potential for it to be exploited to cause direct harm. In particular, the proliferation of fraud is deeply damaging and alarming and could potentially become even more prevalent as criminals get their hands on AI technologies.
I would hope that more resources will continue to be thrown into this fight by both governments and institutions and that police forces make strides to combat this type of criminal activity – because the consequences for victims can truly be devastating.
And, although I have no hope for this happening in the short term, a powerful message would be the putting in place of international measures to punish and ostracize countries that shield, shelter or support cyber criminals.
Martina Lindberg, Production Manager
I know that I sound like a broken record, but like I predicted last year, we will see more and more cyberattacks.
And with more wars – and the ease of use and accessibility of hacker tools – the number of cybercriminals will rise as well.
We have already seen companies being fined “for having poor data security” and for not complying with cybersecurity regulation this year, and we will see more of this in 2025 than in 2024 as regulatory expectations of what constitutes ‘adequate’ and ‘reasonable’ in this area change.
Hameed Shuja, Senior Reporter
As we continue to rely on and further integrate resources such as cloud computing, data centres, cross-platform, and inter-regional networking into our way of working, the degree to which we are exposed or vulnerable to cyber-attacks will also increase.
State-backed actors, rogue elements, political activists or simply tech-curious amateurs could all threaten online security globally.
Alex Viall, Chief Strategy Officer
It is likely that corporates will continue to lose ground in the battle against cyber criminals in 2025.
Regulators will keep placing emphasis on the growing importance of systems and controls to deter cyber so that breach disclosures are more transparent.
Individual enforcement might also become a theme where extreme customer detriment has been the outcome and professional negligence is also evident.