Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Get ready for threats both old and new in 2025

by Emma McGowan , Senior Writer
Published

Here's what we're looking out for in the upcoming year.

It’s prediction season and while no one can see into the future, we can definitely take some educated guesses. From increasingly severe ransomware attacks to deepfakes that deceive Fortune 500 companies, we’re keeping an eye out for some major events in 2025. And while many organizations are taking steps to beef up their defenses, the reality is clear: no one is immune, and no one can afford to ignore the risks.

And as the cost of cyberattacks continues to climb—impacting everything from operational downtime to reputational damage—cyber insurance is no longer a luxury reserved for large enterprises. It is now a necessity for businesses of all sizes and it’s time for everyone to take a risk-based approach.

Companies today (and tomorrow) need both cyber insurance and cybersecurity; together, they provide a critical framework for resilience in a hostile digital world. With that in mind, let’s take a look at predictions from Resilience experts on what to expect in 2025.

1. A little-known company will experience a major cyber incident

Dr. Ann Irvine, Chief Data and Analytics Officer at Resilience, predicts that the largest cyber incident of 2025 will involve a company most people have never heard of (as not many had heard of  CDK or Change Healthcare this time last year). This revelation underscores a sobering reality: no organization, regardless of size or industry, is immune to cyber risk.  

For smaller or lesser-known companies, the stakes are particularly high. They often lack the resources and expertise of larger enterprises, making them attractive targets for cybercriminals. Yet, their role in supply chains or niche markets means the ripple effects of an attack can be widespread.  

This prediction is a wake-up call for all organizations to invest in robust cybersecurity measures, conduct regular risk assessments, and prepare for the possibility of becoming an unexpected headline.  

2. Deepfakes will target major corporations

Deepfake technology is no longer a futuristic concern—it is here, and it is evolving rapidly. Dr. Irvine predicts that in 2025, a Fortune 500 company will fall victim to a deepfake attack.  

Such an attack could take many forms, from impersonating a CEO in a video to issuing fraudulent directives that result in significant financial or reputational harm. The sophistication of deepfakes makes them especially dangerous, as they exploit trust in human perception and established communication channels.  

3. Nation-state actors will not cause a nationwide internet outage

Contrary to popular fears, Dr. Irvine believes that nation-state actors are unlikely to orchestrate a major internet or service outage in 2025. 

“Some people fearmonger about a potential nationwide internet outage caused by a cyberattack,” Dr. Irvine says. “I just don’t think that kind of thing will happen. I don’t believe that AWS, for instance, will go down for more than 24 hours next year.”

The reasoning is simple: the consequences would be too severe. Such an attack would provoke international retaliation and legal repercussions that even the most brazen actors want to avoid. Instead, these entities are expected to focus on targeted attacks with clear strategic or financial objectives. 

4. Public awareness of cyber risk will continue to increase

The growing drumbeat of high-profile breaches and personal scams has heightened public awareness of cybersecurity risks. Dr. Irvine believes that this trend will continue to accelerate in 2025. 

“More people are receiving security training at work; many got notifications from breaches like Change Healthcare; many know a friend or family member who’s been scammed,” Dr. Irvine says. “I expect this increased level of consciousness about the problem will drive policies that will help keep threat actors on notice. Cybersecurity is a societal problem that we all have to address together.”

With this increased awareness comes the potential for positive change. More individuals and organizations are adopting proactive measures like multi-factor authentication, and policymakers are considering stronger deterrents against cybercriminals. And while heightened awareness won’t eliminate cyber risks, it may create a culture where cybersecurity is prioritized at every level of society.  

5. The financial impact of ransomware attacks will continue to grow

Resilience CISO Justin Shattuck anticipates that ransomware will become even more lucrative for cybercriminals in 2025, with attacks growing more sophisticated and targeting critical sectors like healthcare and energy.  

The financial toll of these incidents—ranging from ransom payments to recovery costs—will escalate, underscoring the importance of prevention. Organizations must invest in layered defenses, robust backup strategies, and incident response plans to mitigate the impact of ransomware attacks.  

6. The CISO will have a more prominent role in the boardroom

The financial implications of cyberattacks are becoming impossible to ignore, and Shattuck predicts that Chief Information Security Officers (CISOs) will gain more visibility in the boardroom.  

“As the financial implications of successful attacks become more understood, CISOs will bring a level of insight and technical acumen that helps boards better prioritize remediation and mitigation of these risks with strategic decision making,” Shattuck says. “As a result, companies with more emboldened and empowered CISOs will fare better when it comes to preventing and mitigating the effects of attacks.”

This shift reflects a growing recognition of cybersecurity as a critical business function, not just a technical issue. In 2025, CISOs are expected to play a key role in shaping corporate strategy, ensuring that cybersecurity considerations are baked into decision-making at the highest levels.  

7. Contract language will include specific cybersecurity requirements

Vendor risk management will take center stage in 2025, with companies adopting stricter contract language to ensure their third-party partners meet specific cybersecurity standards. 

Over the past several years, I’ve seen industry experts and government agencies alike increasingly push for contract language between companies and their third-party vendors to transition from nebulous phrases like ‘should’ into specific, binding phrases like ‘shall’—ie, ‘multi-factor authentication shall be implemented,’” Shattuck says. “In 2025, I anticipate that this push will become more mainstream.”

This trend highlights the interconnected nature of modern business ecosystems and the importance of holding every link in the chain accountable for cybersecurity.  

8. Insurance companies will drive cybersecurity improvements

Dr. Irvine predicts that insurers will become key drivers of cybersecurity improvement by attaching real financial stakes to their policies. In 2025, organizations seeking coverage will need to demonstrate strong security measures, creating a powerful incentive to invest in cybersecurity.  

This dynamic will help shift the industry from a reactive to a proactive posture, rewarding companies that take measurable steps to reduce their risk.  

The year of Resilience

The cybersecurity and cyber insurance landscape is poised for a significant evolution in 2025. From deepfake attacks to heightened public awareness, the predictions outlined above underscore the importance of proactive risk management. Meanwhile, the growing influence of insurers highlights the interconnected nature of cybersecurity and insurance.  

Organizations must rise to the challenge by addressing emerging threats head-on, investing in comprehensive strategies, and working collaboratively with insurers to navigate this complex environment. The stakes are high, but with the right approach, resilience is within reach.  

You might also like

Understanding identity-based attacks and how to defend against them

Breaches used to be primarily carried out via software vulnerabilities: Companies would announce a flaw, take a while to fix it, and attackers would find their way into the system using those exploits. From there they might not only steal information and assets from their primary target, but would also use their access to jump […]

Contrasting and comparing FAIR with the Resilience solution

As market awareness of cyber risk quantification grows, we frequently receive questions from clients and curious risk managers about FAIR (Factor Analysis of Information Risk)—what it is, whether it truly provides accurate cyber risk quantification, the effort needed to set it up and maintain, and more. Clients often ask us to compare the FAIR methodology […]

How does Resilience establish the probabilities presented in my LEC?

Managing risk successfully at any level requires an understanding of a concept called “probability.” As both an insurance company (risk transfer) and a cyber risk management company, Resilience relies on understanding probabilities to price our services and to guide our clients to greater levels of cyber resilience. As we often receive questions from our clients […]

Moving beyond heat maps for better risk management

Heat maps are among the most widely used—and debated—tools for risk managers worldwide to communicate risks in their registries or project portfolios. Despite their popularity, we advise leaders seeking transparency in discussing risk and value to avoid relying on them. What are heat maps? Risk managers often use heat maps (or risk matrices) to represent […]

Breaking Lemonade: Understanding Value at Risk

I talk a lot about value-at-risk among my colleagues, with our customers, and the broader market. Value-at-risk may be the single most important measure to grasp, without which one cannot accurately measure risk transfer, excess risk, risk acceptance, and return on controls. Yet, these are all important concepts that leadership in modern organizations need to […]

Would you fall for a live deepfake?

The Office of Senate Security revealed last week that the head of the Senate Foreign Relations Committee was targeted in a deep fake video call. An unknown person, claiming to be the former Ukrainian Minister of Foreign Affairs, Dmytro Kuleba, lured the Senator onto a Zoom call. The attack was thwarted when the Senator and […]