Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.
By Sezaneh Seymour, VP and Head of Regulatory Risk and Policy at Coalition
The end of the calendar year is a time for reflection and predictions for the year to come, and the cybersecurity policy landscape is no exception. What will captivate the attention of both security experts and regulators in the coming year? Here are three areas to watch.
Increased global attention to cyber supply chain risks
Cyber supply chain-related incidents have proven to be pernicious and costly. 2024's highest-profile cyber incidents all had a cyber supply chain connection: ransomware attacks on Change Healthcare and CDK Global, the faulty CrowdStrike update that triggered a global IT outage, and state actors like Salt Typhoon exploiting third-party vendors to infiltrate global telecoms and other critical systems.
Supply chain vulnerabilities and the globally distributed nature of many businesses have dramatically increased opportunities for threat actors. Every person, process, and technology linked to business operations is a point of risk. While these systems enable efficiency, they also open doors to significant risks when a single link is compromised.
Governments are responding. In 2025, we expect regulatory interest in this space to grow, with regulators setting clear expectations that critical and systemically important businesses must go beyond securing their own operations and extend due diligence to assessing the digital security of their most critical vendors. Such laws have already emerged in Europe with the NIS2 Directive and the Digital Operational Resilience Act (DORA), both of which make third-party and ICT supply chain risk management an explicit obligation. In the United States, we can expect a mix of voluntary and binding sector-specific cyber vendor risk management expectations for critical infrastructure owners and operators.
Beyond national security concerns, financial cost is a big driver behind this shift. The insurance community has long recognized that supply chain vulnerabilities pose significant financial and reputational risks, and we see the proof in claims. For example, nearly 23% of healthcare businesses with over $100 million in revenue were affected by the Change Healthcare attack, as were 11% of businesses with $25 million to $100 million in revenue, according to a recent Coalition analysis.
Scrutiny of edge devices
Edge devices play a critical role in modern infrastructure, public safety, and national security. Their proliferation, and the difficulty of securing them, have expanded attack surfaces, making them attractive targets for malicious actors. Vulnerabilities in edge devices prompted multiple CISA alerts in 2024, with CISA urging manufacturers to implement Secure by Design principles.
CISA has specifically cautioned that OS command injection vulnerabilities, where untrusted input is passed into a system shell, allow attackers to remotely execute code and gain control of the device. Because these devices sit at the network boundary, frequently run their management services with full privileges, and rarely support endpoint monitoring agents, a single such flaw can hand an attacker a foothold that is both privileged and hard to detect. The persistent security challenges with these devices, combined with the knowledge that critical services like water treatment plants, medical services, and transportation rely on them, have attracted government attention.
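To make the command injection class concrete, here is an added example (constructed for this page; it is not code from the article, from Coalition, or from CISA) of the shape the bug usually takes in an edge device's web UI: a "ping" diagnostics handler that pastes the user-supplied host into a shell string, shown beside a hardened handler that validates the input as a host and passes it as a single argv element with no shell involved. The handler names, the hostname check, and the sample inputs are all assumptions made for the illustration.

```python
"""Edge-device style 'ping' diagnostics handler: vulnerable vs. hardened.

Constructed example, not the article's or any vendor's code.
"""
import ipaddress
import re
import subprocess

# Constructed sample inputs: what a legitimate admin and an attacker would
# type into the "host" field of a diagnostics page.
BENIGN_HOST = "192.0.2.10"
INJECTED_HOST = "192.0.2.10; cat /etc/shadow"


# --- Vulnerable pattern (kept deliberately vulnerable for illustration) ---
def build_ping_command_vulnerable(host: str) -> str:
    """Return the shell string a naive handler would hand to system()/popen()."""
    return f"ping -c 1 {host}"


def run_ping_vulnerable(host: str) -> str:
    # shell=True gives the whole string to /bin/sh, so ';', '|', '&&', '$()'
    # and backticks inside `host` become attacker-controlled commands that run
    # with the privileges of the management daemon (often root on such devices).
    return subprocess.run(
        build_ping_command_vulnerable(host), shell=True,
        capture_output=True, text=True,
    ).stdout


# --- Hardened pattern: validate the type of the input, then avoid the shell ---
# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# no leading/trailing hyphen, at most 253 characters overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def validate_target(host: str) -> bool:
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname.

    Anything else (shell metacharacters, spaces, empty input, option-like
    strings starting with '-') is rejected before it reaches any command.
    """
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(host))


def build_ping_argv(host: str) -> list:
    """Return the argv list for ping, or raise ValueError for a non-host input."""
    if not validate_target(host):
        raise ValueError(f"rejected target: {host!r}")
    # '--' ends option parsing so the host can never be read as a ping flag,
    # belt-and-braces on top of the validation above.
    return ["ping", "-c", "1", "--", host]


def run_ping_hardened(host: str) -> str:
    argv = build_ping_argv(host)
    # No shell in the path: the host is exactly one argument, and any
    # metacharacters in it are passed literally to ping, which fails to resolve them.
    return subprocess.run(argv, capture_output=True, text=True, timeout=5).stdout
```

The important design choice is that the hardened version never tries to "escape" the input for a shell; it removes the shell from the path entirely and only lets through values that are the type the feature needs (a host). The same discipline applies to any device feature that wraps a system utility: traceroute, nslookup, tcpdump captures, firmware upload handlers and the like.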
We anticipate greater government attention on the security of these devices in 2025, and one additional shift in the US will be attention to the security of the devices' own supply chains. Look for federal policy measures to ensure that the manufacturing of these devices isn't linked to untrustworthy vendors tied to adversarial governments.
Coalition data underscores the need for greater attention to edge devices that manage and control traffic at network boundaries. While firewalls, virtual private networks, and other devices can help reduce cyber risk, boundary devices with known vulnerabilities increase the likelihood of a business experiencing a claim. For example, Coalition found that businesses with an internet-exposed Cisco ASA device were nearly five times more likely to experience a claim in 2023, and businesses with an internet-exposed Fortinet device were twice as likely.
Emphasis on business recovery, financial and operational
Expect governments to support the private sector's redoubled focus on business operational planning to facilitate expedient incident recovery. Disruptions are now a question of when, not if. Governments have already addressed critical service owners and operators, urging them to test analog alternatives to ensure operations can continue during sustained disruptions. These messages will become more prominent as headlines about state-backed hackers and criminal attacks increase.
Beyond achieving operational resilience to maintain essential functions during an incident, expect more scrutiny of a business's ability to withstand the financial harm. To date, government scrutiny of financial resilience has largely focused on critical services where insolvency could affect important public services. In Australia, prescription service provider MediSecure struggled after a data breach and entered voluntary administration after the federal government declined its request for a bailout.
However, going forward, government and public interest will likely be broader as the financial impacts of data breaches and cyber incidents become large enough to have a visible impact on the broader economy. For example, the direct and indirect costs of the Change Healthcare incident are already estimated to be in the billions. And with roughly 100 million individuals' records exposed, it was the largest healthcare data breach ever reported to the US Department of Health and Human Services.
The fallout from this year's major security events revealed the profound consequences of digital insecurity compounded by unpreparedness. As threats become more complex, a united, forward-looking approach is essential to safeguarding critical infrastructure and ensuring stability. Businesses must prioritize readiness to withstand attacks in an uncertain threat landscape.
Insurance is one logical way for organizations to transfer some of the financial consequences of an incident, thereby enhancing a company's ability to withstand an incident financially and reputationally. At least in the case of active cyber insurance, policies can also enhance a business's ability to withstand threats operationally.
## ABOUT THE AUTHOR
Sezaneh Seymour is the Vice President and Head of Regulatory Risk and Policy at Coalition. Seymour has held various government roles at the nexus of national security, technology, sustainability, and trade. She most recently served as Deputy Assistant U.S. Trade Representative in the Executive Office of the President, and she is the former Senior Advisor to the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology. She also served at the U.S. Department of the Treasury and at the U.S. Department of State. She completed her PhD at Virginia Tech where she remains on faculty.