Regulators focus on resilience as threat of devastating cyber-attacks grows

A more aggressive, diffuse, and unpredictable set of threat actors has emerged into the void left by the takedown of hacking gang LockBit. Armed with advanced technologies and increasingly sophisticated tactics, these actors make cyber-attacks more likely, and potentially more devastating, than ever. As regulators ratchet up the pressure on boards to ensure their businesses can recover quickly from a strike, we outline the practical steps leaders are taking to improve their operational resilience. This article forms part of a series exploring the drivers of change in an uncertain world.

In brief

The cyber threat landscape has become more complex following the splintering of the criminal gang LockBit.

Operational resilience and incident response are board-level priorities, with regulatory requirements for cyber preparedness tightening globally.

This shifting landscape puts a premium on vendor risk management, incident response strategy, and implementation.

The advance of artificial intelligence, the emergence of a new generation of hacking gangs, and an increasingly volatile geopolitical environment are combining to create a more complex and menacing cybersecurity landscape.

While law enforcement agencies have succeeded in dismantling major ransomware groups such as LockBit, a more diffuse and unpredictable set of threat actors has emerged in its place.

There is currently limited intelligence on their make-up but their early activities point to a sophisticated, persistent, and aggressive adversary. Recent attacks have been accompanied by threats of violence against senior executives, and from a technical perspective they are targeting cloud infrastructure and launching attacks from “ghost” machines outside organizations’ traditional security mapping. They are also adept at covering their tracks, including by deleting emails and access logs to hinder forensic investigations. 

AI shapes cyber threats and cyber defenses

AI is reshaping both the offensive and defensive sides of the cyber battle. AI-generated deepfakes are enabling new forms of social engineering, and AI-enabled cyber defenses are improving real-time monitoring and response. AI systems themselves are also vulnerable to novel attacks, including data poisoning and prompt injection strikes. 

Meanwhile, model developers are in cyber gangs’ sights due to the vast amounts of data they hold. Hacking groups also appear to be leveraging large language models to rapidly scan data exfiltrated in ransomware attacks to increase their leverage in negotiations with their victims. 

Focus on operational resilience from regulators

Alongside sector-based rules and structures that apply to providers of critical infrastructure, the cyber regulatory landscape broadly comprises three spheres—cybersecurity frameworks, data protection regulations, and operational resilience regimes. Enforcement agencies are increasingly focused on the ability of businesses to recover from cyber-attacks, given the potentially devastating financial and reputational consequences of prolonged disruption.

The EU’s cyber frameworks include the Network and Information Systems Directive 2 (NIS2), the Cybersecurity Act, the Cyber Resilience Act, and the Digital Operational Resilience Act (DORA, which imposes stringent requirements on financial entities and senior management). The UK’s Cyber Security and Resilience Bill imposes strict notification timelines and operational resilience standards across sectors. 

In the U.S., companies must navigate a web of largely state-level cybersecurity and data laws, as well as requirements imposed by regulators such as the Securities and Exchange Commission.

Recent policy shifts by the U.S. government have scaled back several Biden- and Obama-era cyber initiatives, shifting away from “compliance checklists” and empowering agencies to tailor cybersecurity strategies to their operational needs and budgets. 

At the same time, budget cuts and leadership departures at U.S. cyber bodies, including the National Security Agency, U.S. Cyber Command, and the Cybersecurity and Infrastructure Security Agency, have caused disquiet in Washington.

Cutbacks are also affecting the FBI, where a cadre of field agents aligned to different threat actors supports businesses during cyber and ransomware incidents. 

Policymakers have raised concerns that the reductions are impacting the agency’s cyber mission and proactive intelligence-gathering, which can alert companies to suspicious activity in their systems before they are even aware themselves.

Effective governance requires clear understanding of threat landscape

As cyber threats escalate, boards and management teams are under increasing pressure to ensure their organizations can respond decisively to an attack. The first 24 hours of a cyber incident are critical, with regulators now expecting businesses to define and document recovery time objectives (RTOs), particularly for critical products and services. 

Effective cyber governance requires a clear understanding of the threat environment, regular updates to risk assessment frameworks, and robust incident response plans that preserve legal privilege from the outset. With criminal gangs proving adept at tampering with access logs, technical systems should be calibrated to regularly archive and secure data to support forensic investigations and any subsequent regulatory inquiries. 
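The point above, that access logs must be archived in a form that reveals later tampering, can be illustrated with a hash-chained log archive. This is an added example and not part of the article; it assumes the final chain hash (the "head") is copied to a separate, write-once location so that the archive can be checked against it, and the log lines are constructed sample data.

```python
import hashlib

# Constructed sample access-log lines (not real data).
SAMPLE_LOG = [
    "2024-05-01T08:00:01Z user=alice action=login src=10.0.0.5 result=ok",
    "2024-05-01T08:03:17Z user=alice action=read object=payroll.xlsx",
    "2024-05-01T08:05:42Z user=svc-backup action=login src=10.0.0.9 result=ok",
    "2024-05-01T08:06:10Z user=svc-backup action=delete object=audit.log",
]

GENESIS = "0" * 64  # fixed starting value for the first link in the chain


def chain_hash(prev_hash, line):
    """Hash of this line bound to the hash of everything before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def archive(lines):
    """Build the archive: each record stores the line and its chain hash.

    Because every hash includes the previous hash, editing or removing any
    earlier line changes every hash after it.
    """
    prev, records = GENESIS, []
    for line in lines:
        h = chain_hash(prev, line)
        records.append({"line": line, "hash": h})
        prev = h
    return records


def verify(records, head_hash):
    """Re-derive the chain and compare it with the stored hashes.

    Returns (True, None) if intact, otherwise (False, index) where index is the
    first record whose link is broken; len(records) means the tail was truncated
    (head_hash is assumed to be held off-host, so removing the newest entries
    still shows up as a mismatch).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["hash"] != chain_hash(prev, rec["line"]):
            return False, i
        prev = rec["hash"]
    if prev != head_hash:
        return False, len(records)
    return True, None


if __name__ == "__main__":
    recs = archive(SAMPLE_LOG)
    print("intact:", verify(recs, recs[-1]["hash"]))
    print("last line removed:", verify(recs[:-1], recs[-1]["hash"]))
```

The chain detects modification, deletion in the middle, and truncation of the newest entries, but it only detects them; the actual protection comes from shipping the records and the head hash to storage the compromised host cannot overwrite.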

Legal risks triggered by cyber-incidents range from commercial litigation and data protection claims to regulatory investigations, insurance disputes, and shareholder suits. Tabletop exercises simulating real-world scenarios are evolving to reflect the rising aggression of hacking gangs, including the governance implications of senior executives making operational decisions under threat of violence. 

From a broader governance perspective, disclosures to authorities should reflect how companies have described their cyber maturity in annual reports and investor communications, while post-attack disclosures should accurately reflect what has been uncovered during the incident. Any misalignment between these realities and external messaging can expose organizations to significant regulatory and reputational risk.