Cybersecurity and operational resilience
Despite notable law enforcement successes last year, the consensus across the global cybersecurity community is that there will be no reduction in the severity and frequency of incidents in 2025. While ransomware remains a key concern, the recent attack on U.S. telecommunications companies by Salt Typhoon illustrated the sophistication and prevalence of nation-state-affiliated threat actors undertaking cyber espionage.
Other features of a very challenging cybersecurity landscape include the risks presented by cyber terrorism, hacktivism, and insider threats, as well as non-traditional attack vectors and the possibility of generative AI being used to enhance attacker capabilities.
On the resilience side, the CrowdStrike outage in July 2024, caused by a defective software update, highlighted the problem of risk concentration in global IT supply chains, an issue that organizations and regulators will be seeking to address throughout 2025 and beyond.
Cybersecurity legal and regulatory reform
Against that backdrop, new laws and regulations focusing on cybersecurity and operational resilience are either coming into force or are likely to see enforcement activity for the first time. Examples include:
- the Australian Cyber Security Act 2024, which notably includes ransomware reporting requirements;
- the new tiered regulatory framework for U.S. defense contractors and subcontractors that was recently introduced by the new Cybersecurity Maturity Model Certification (CMMC) 2.0 program;
- the EU Network and Information Security Directive (NIS2), which aims to achieve a high common level of cybersecurity within entities providing essential and important services in the EU; and
- the Digital Operational Resilience Act (DORA), which is now in effect across the EU financial sector and sets out detailed standards to be enforced by national competent authorities.
Across this evolving legal and regulatory landscape, there is also a notable trend towards management accountability for cyber risk, with DORA (for example) providing for the possibility of direct penalties on management bodies (and therefore, potentially, the individuals within those bodies including company directors).
U.S. SEC enforcement for misleading statements
We have seen the SEC bring an action under the anti-fraud provisions of U.S. securities laws against a company and its CISO relating to a ‘Security Statement’ on the company’s website containing favorable (and in the SEC’s view, misleading) representations about the company’s cybersecurity practices. There has also been criminal liability in the U.S. found against the CISO of another company for misleading the FTC and concealing a historic data breach.
Steps that companies should be taking now
As well as investing in their technical defenses, companies and legal teams can take various steps to enhance their cyber-resilience while meeting legal and regulatory expectations. These include:
- Identifying new laws and regulations: increasingly, global organizations have specific personnel (or even teams) who are responsible for identifying and monitoring compliance with new laws and regulations that are coming into force in relevant jurisdictions. In some cases, it is not a straightforward matter to determine whether some or all of an organization is in scope, and an organization may move into or out of the scope of laws or regulations as it changes in size, or its business activities evolve.
- Boards and management teams: companies can support their Boards and management teams in various ways. These include the implementation of a cyber sub-committee or working group to oversee cyber risk, board packs containing information that is necessary for effective decision making on cyber risk, as well as skills assessments and training programs.
- Focus on supply chains: as well as taking the steps mandated by law and regulation to address supply chain risk (for example, DORA requires financial entities to include specific contractual provisions in contracts with all ICT service providers and identify all ICT service providers who support critical and important functions), companies should regularly audit their key suppliers’ cybersecurity compliance and develop contingency plans for supply chain incidents.
- Incident response preparedness: regular tabletop exercises simulating a major cyber incident at an operational or strategic level are now a common feature of many companies’ resilience programs. As a major cyber incident is likely to require input and oversight from the company’s legal advisors (both internal and external), it is important that they are in attendance. Incident response plans should also be reviewed and updated regularly.
- Regulatory notifications: all organizations, but especially global organizations operating in multiple jurisdictions, need to know the timing, form, and content of their notifications to regulators for incidents meeting the required thresholds.
Cyber whistleblowing
There is anecdotal evidence that cyber whistleblowing is on the rise, both during and outside of major incidents. In the latter case, the result can be that confidential information relating to an ongoing incident is leaked to the press or investigators, with a consequent risk that incorrect information is disseminated which compromises decision-making processes or results in unnecessary disclosures. Companies and legal teams can do the following to address this issue:
- Whistleblowing protocols. Consider implementing communication channels (or adapting existing channels) for individuals who wish to escalate their cyber-related concerns, with protocols for prompt investigation and resolution.
- Scenario planning. Build the possibility of information leaks and whistleblowing into incident response planning.
- Governance and reporting lines. Confirm who is responsible for reporting issues and whether your CISO has (or should have) direct access to the Board. In some cases, concerns are raised via whistleblowing channels because an individual believes that they will not otherwise be escalated appropriately.
A&O Shearman's cybersecurity team helps with all legal and regulatory aspects of the cybersecurity lifecycle, from resilience, readiness, and incident response, to managing and mitigating legal exposures. Through our 24/7/365 incident response hotline, we can mobilize and coordinate multi-jurisdictional teams immediately. Please contact the authors of this article or your normal A&O Shearman contact to find out more.
This article is part of the A&O Shearman White-Collar Crime and Investigations Review 2025.