Board Priorities in 2025: Cyber readiness
16 January 2025
Redefining cyber readiness
The cyber security threat will remain pervasive in 2025 as it continues to evolve. The use of AI and the commercialization of malware/ransomware as a service means that threat actors have a lower bar to entry and their ability to compromise and evade security controls needs to be met with a high level of proficiency, readiness and cyber resilience. In the UK, the National Cyber Security Centre's new CEO announced at the end of November that there is a widening gap between the exposure and threat we face and the defences that are put in place to protect us. Not enough organisations are implementing the advice, frameworks and guidance, meaning that they are ill-prepared to face a cyber attack.
Boards must continue to focus on this increasing threat in 2025, including a rise in insider threat for many of our critical infrastructure clients, and a sharp focus on critical third party vulnerabilities and outages, spectacularly demonstrated by the CrowdStrike outage.
And if that wasn't enough, we anticipate growing disruption, financial loss and reputation damage caused by highly sophisticated mis (and dis) information campaigns.
In response, we have seen renewed efforts by governments around the world to increase the regulatory obligations related to data, AI, privacy and cyber.
While in some cases regulatory changes are motivated by improving industry and government partnerships to build national resilience, the majority of regulatory change – and regulator enforcement focus - is introducing a regime of ever-increasing accountability (including personal accountability) for Boards to ensure their organisations are secure.
The regulatory bar is set very high. Boards are increasingly expected to ensure organisations are taking steps to secure data and systems, including that of their critical suppliers. We anticipate 2025 to be the year of increased regulatory scrutiny.
Ashurst is working with Boards to redefine cyber readiness and cyber risk governance. This is about building a regulatorily defensible approach to cyber breaches, before they occur.
In 2025, cyber will clearly be a lot more than "just an IT" issue.
