Blog  •  January 30, 2025

Cybersecurity in 2025: Priorities and Best Practices

2025: A Look at What’s Ahead in Capital Markets, Regulatory Compliance, and Cybersecurity Series

Cybersecurity continues to be a critical focus for companies in 2025, with emerging threats such as AI-driven cybercrime and supply chain vulnerabilities testing organizational resilience.

In part three of this three-part series on what’s ahead for 2025, DFIN’s Dannie Combs, Senior Vice President and Chief Information Security Officer, addresses cybersecurity threats and concerns, top priorities for the C-suite, and best practices. Read Capital Markets Outlook 2025: Opportunities Amid Change, the first part in the series. Read Regulatory Insights for 2025: Navigating a Complex Compliance Landscape, the second part in the series.

What are the most pressing cybersecurity threats and concerns you’re anticipating for 2025?

Dannie Combs: There are several key cybersecurity priorities that will dominate the agenda for CISOs and executives in 2025, requiring organizations to be more proactive, agile, and resilient than ever:

  • AI in Cybercrime. While AI continues to drive innovation and value for organizations, cybercriminals are leveraging it to advance their attacks, challenging traditional security measures. Tools like deepfakes, automated phishing campaigns, and AI-driven malware are evolving rapidly, enabling bad actors to identify and exploit vulnerabilities in targeted systems with unprecedented speed, enabling them to exploit weaknesses far more rapidly than in the past. This trend will certainly continue to increase in scale and complexity.
  • Supply Chain Security. The global nature of supply chains makes them vulnerable to attacks in multiple areas, with cybercriminals targeting suppliers (and suppliers of the suppliers), hardware manufacturers, and distributors to gain access to sensitive data or disrupt operations. Despite recent investments in supply chain security, many organizations still face challenges in assessing risks and mitigating impacts.
  • Regulatory Complexity. The regulatory landscape is becoming more complex, with new data protection laws and cybersecurity regulations being enacted worldwide. While frameworks like the European Union's General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) are well-established, new regulations such as the Digital Operational Resilience Act (DORA) are adding layers of compliance. Organizations must stay ahead to avoid penalties and legal risks as regulatory demands continue to increase.

What are the top cybersecurity priorities for the C-suite in the coming year?

Dannie Combs: For the C-suite, the primary cybersecurity priorities should be ensuring CISOs are well-equipped to detect threats and anomalies, rapidly respond and do so quickly and with confidence, contain and mitigate incidents, recover operations, and ensure appropriate measures are in place to meet regulatory reporting requirements where they apply.

Every employee of virtually every organization must be aware of cyber threats and how to report them. This can be achieved through a structured Security Awareness & Training program. I encourage CISOs and executive management to simulate real-world scenarios through unannounced simulations relevant to their business as needed to validate response capabilities as well as to update and test incident response plans to address today’s threats.

More tactically, we will continue to see bad actors attempt to inject vulnerabilities into source code of suppliers, deploy ransomware through unpatched and/or under-patched systems, and of course, continue to seek out undisclosed, net-new vulnerabilities, i.e., “zero-day attacks.”

Nation-state-sponsored attacks are expected to continue and should be of concern for organizations that support global financial services and critical infrastructure, as well as government agencies at federal, state, and local levels.

Executives should actively collaborate with their CISOs to prioritize the implementation of comprehensive cybersecurity strategies tailored to their business, industry, regulatory requirements, and risk profile. These strategies should encompass regular and ongoing risk assessments, robust employee training programs, a zero-trust architecture, and well-defined and routinely tested incident response plans to effectively mitigate potential threats.

What best practices should companies adopt to stay ahead of cybersecurity threats?

Dannie Combs: To stay ahead of persistent threats, organizations should implement best practices such as adopting a zero-trust architecture, which assumes that threats may exist both inside and outside the network. Fortunately, numerous proven zero-trust frameworks are available and may be tailored to fit organizations of any size, revenue, or industry.

Investing in advanced threat intelligence tools and continuous monitoring are essential to identify potential incidents early and allow for mitigation before attacks escalate.

Integrating cybersecurity risk management across departments is equally critical. For example, Human Resources can help mitigate insider threats and employment fraud, Finance can safeguard against invoice and payment fraud, and Procurement can assess supplier risks. A layered defense strategy and chain of command processes will help to create a comprehensive security defense against potential adversaries.

CISOs and other technical leaders should also collaborate with industry peers and actively participate in Information Sharing and Analysis Centers (ISACs) to ensure they remain informed about emerging threats and effective countermeasures. These platforms facilitate the exchange of critical cybersecurity threat intelligence across industries, equipping organizations to anticipate and counter emerging risks more effectively.

At DFIN, we are committed to being your trusted resource for insights, strategies, and solutions to help you adapt to evolving market conditions, regulatory demands, and emerging risks.

Here’s to thriving in the year ahead!

Dannie Combs

Chief Information Security Officer, DFIN