Coalition 2025 Predictions: 2024's Wake-up Call - Addressing Cyber Supply Chain Risks


Industry executives and experts share their predictions for 2025.  Read them in this 17th annual VMblog.com series exclusive.

By Sezaneh Seymour, VP and Head of Regulatory Risk and Policy at Coalition

The end of the calendar year is a time for reflection and predictions for the year to come, and the cybersecurity policy landscape is no exception. What will captivate the attention of both security experts and regulators in the coming year? Here are three areas to watch.

Increased global attention to cyber supply chain risks

Cyber supply chain-related incidents have proven to be pernicious and costly. 2024's highest-profile breaches all had a cyber supply chain connection: ransomware attacks on Change Healthcare and CDK Global, the CrowdStrike IT disruption that triggered a global outage, and malicious state actors like Salt Typhoon exploiting third-party vendors to infiltrate global telecoms and other critical systems.

Supply chain vulnerabilities and the globally distributed nature of many businesses have dramatically increased opportunities for threat actors. Every person, process, and technology linked to business operations is a point of risk. While these systems enable efficiency, they also open doors to significant risks when a single link is compromised.

Governments are responding. In 2025, we expect regulatory interest in this space to grow, with regulators setting clear expectations that critical and systemically important businesses must go beyond securing their own operations and extend due diligence to assessing the digital security of their most critical vendors. Such laws have already emerged in Europe with the NIS2 Directive and the Digital Operational Resilience Act. In the United States, we can expect a mix of voluntary and binding sector-specific cyber-related vendor risk management expectations for critical infrastructure owners and operators.

Beyond national security concerns, financial cost is a big driver behind this shift. The insurance community has long recognized that supply chain vulnerabilities pose significant financial and reputational risks, and we see the proof in claims. For example, nearly 23% of healthcare businesses with over $100 million in revenue were affected by the Change Healthcare attack, as were 11% of businesses with $25 million to $100 million in revenue, according to a recent Coalition analysis.

Scrutiny of edge devices

Edge devices play a critical role in modern infrastructure, public safety, and national security. Their proliferation, and the difficulty of securing them, have expanded attack surfaces, making them attractive targets for malicious actors. Vulnerabilities in edge devices prompted multiple CISA alerts in 2024, with CISA urging manufacturers to implement Secure by Design principles.

CISA has cautioned that command injection vulnerabilities allow attackers to remotely execute code and gain system control. The persistent security challenges with these devices, combined with the knowledge that critical services like water treatment plants, medical services, and transportation rely on them, have attracted government attention.

We anticipate greater government attention on the security of these devices in 2025, and one additional shift in the US will be attention to the security of the devices' supply chains. Look for federal policy measures to ensure that the manufacturing of these devices isn't linked to untrustworthy vendors tied to adversarial governments.

Coalition data underscores the need for greater attention to edge devices that manage and control traffic at network boundaries. While firewalls, virtual private networks, and other devices can help reduce cyber risk, boundary devices with known vulnerabilities increase the likelihood of a business experiencing a claim. For example, Coalition found that businesses with an internet-exposed Cisco ASA device were nearly five times more likely to experience a claim in 2023, and businesses with an internet-exposed Fortinet device were twice as likely.

Emphasis on business recovery - financial and operational

Expect governments to support the private sector's redoubled focus on business operational planning to facilitate expedient incident recovery. Disruptions are now a question of when, not if. Governments have already addressed critical service owners and operators, urging them to test analog alternatives to ensure operations can continue during sustained disruptions. These messages will become more prominent as headlines about state-backed hackers and criminal attacks increase.

Beyond achieving operational resilience to maintain essential functions during an incident, expect more scrutiny on a business's ability to withstand the financial harm. To date, government scrutiny of financial resilience has largely focused on critical services where insolvency could affect important public services. In Australia, prescription service provider MediSecure struggled after a data breach, entering voluntary administration for insolvency after being denied a bailout.

However, going forward, government and public interest will likely be broader as the financial impacts of data breaches and cyber incidents become large enough to have a visible impact on the broader economy. For example, the direct and indirect costs of the Change Healthcare incident are already estimated to be in the billions. And with 100 million patient records exposed, it was the largest data breach ever reported to the US government.

The fallout from this year's major security events revealed the profound consequences of digital insecurity compounded by unpreparedness. As threats become more complex, a united, forward-looking approach is essential to safeguarding critical infrastructure and ensuring stability. Businesses must prioritize readiness to withstand attacks in an uncertain threat landscape.

Insurance is one logical way for organizations to transfer some of the financial consequences of an incident, thereby enhancing a company's ability to withstand an incident financially and reputationally. At least in the case of active cyber insurance, policies can also enhance a business's ability to withstand threats operationally.


ABOUT THE AUTHOR


Sezaneh Seymour is the Vice President and Head of Regulatory Risk and Policy at Coalition. Seymour has held various government roles at the nexus of national security, technology, sustainability, and trade. She most recently served as Deputy Assistant U.S. Trade Representative in the Executive Office of the President, and she is the former Senior Advisor to the Deputy Assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology. She also served at the U.S. Department of the Treasury and at the U.S. Department of State. She completed her PhD at Virginia Tech where she remains on faculty.

Published Tuesday, January 14, 2025 7:33 AM by David Marshall