News & Views

IO comments on cybersecurity trends

As organizations adopt new technologies, threat actors are using AI to automate attacks, making threats more sophisticated, frequent and personalized. With the cybersecurity landscape set for a radical shift, driven by the rapid maturation of AI and the growing interconnectedness of digital infrastructure, we talked to Sam Peters, Chief Product Officer at IO, about the key trends and challenges facing cybersecurity over the next 12 to 24 months.

Cyber resilience takes centre stage as businesses prioritize continuity over defence
“Cyber resilience will emerge as a core business strategy, as companies shift from merely defending against threats to ensuring continuity and swift recovery.  With frameworks like ISO 27001 expanding to address resilience, and regulations like NIS2 introducing stricter risk management, governance oversight, supply chain security and incident reporting, including 24-hour initial notification obligations, organizations will be required to proactively prepare for and respond to cyber disruptions.

At the same time, proposed UK reforms through the Cyber Security and Resilience Bill signal a similar tightening of expectations for essential services and digital infrastructure providers.

In parallel, the Cyber Resilience Act introduces mandatory security-by-design requirements for digital products sold in the EU, pushing resilience obligations into the software development lifecycle itself.

This rapidly changing regulatory landscape will lead to a stronger focus on disaster recovery and operational continuity. Companies will invest heavily in systems that allow them to quickly bounce back from cyber incidents, especially in critical infrastructure sectors, while regulators will increasingly assess not just whether organizations can recover from incidents, but whether they can evidence governance, preparedness and continuous improvement.”

Cyber insurance tightens, requiring higher security standards
“Cybersecurity insurance will come with stricter regulatory oversight, compelling organizations to bolster their security practices to qualify for coverage.  Insurers will increasingly require proof of compliance with standards like ISO 27001, ensuring that businesses have robust defences in place.

Major marketplaces such as Lloyd's of London have already mandated exclusions around state-backed cyber operations, and insurers are now demanding far greater evidence of preventative and resilience controls before offering or renewing coverage.

Organizations are increasingly required to demonstrate:

•  Multi-factor authentication across privileged and remote access
•  Tested and isolated backup strategies
•  Formalized incident response plans
•  Ongoing risk assessments and vulnerability management
•  Documented governance structures aligned to recognized standards

As enforcement under NIS2 accelerates and product security requirements under the Cyber Resilience Act take effect, insurers are incorporating these expectations into underwriting questionnaires.  In effect, cyber insurance is becoming a parallel compliance mechanism.

Over the next two years, organizations with immature governance or weak third-party oversight may face significantly higher premiums, or reduced insurability altogether, reinforcing the need for structured, auditable security management rather than ad hoc controls.

This shift will elevate cybersecurity standards across industries, making compliance a key factor in securing affordable insurance coverage.”

Rising cyber threats spur global action to secure critical infrastructure
“Critical infrastructure will face mounting cyber threats, prompting governments and operators to adopt stronger defences and risk management frameworks.

Regulations like NIS2 will push EU operators to implement comprehensive security measures, enforce prompt incident reporting, and face steeper penalties for non-compliance whilst extending obligations beyond traditional “essential” operators to a broader category of “important entities.” This will significantly increase the number of organizations subject to mandatory cybersecurity governance, reporting and supervisory oversight.

Governments globally will invest in safeguarding essential services, making sectors like energy, healthcare, and finance more resilient to attacks. Heightened collaboration among nations will also emerge, with increased intelligence sharing and coordinated responses to counteract sophisticated threats targeting critical infrastructure.

Over the next 12–24 months, critical infrastructure protection will become increasingly intertwined with national security policy, with regulators expecting demonstrable resilience, board engagement and proactive risk management rather than reactive incident handling.”

What impact does the Digital Operational Resilience Act (DORA) have on businesses?
“Complying with DORA undoubtedly introduces additional financial burdens for organizations, particularly around enhancing ICT risk management, conducting regular resilience testing, and investing in specialised personnel; these upfront costs can feel disproportionately burdensome, especially for smaller organizations that may lack economies of scale to absorb them.
 
From our perspective there is a clear approach that could help smaller companies with DORA compliance and that is to adopt an integrated compliance platform that streamlines DORA compliance alongside other regulatory frameworks.  This could really be a game-changer for firms looking to manage costs more effectively, and leverage the expert knowledge within these platforms.  An integrated compliance platform would reduce the administrative burden and make the process far more accessible to firms with more limited resources, helping to level the playing field.
 
DORA could of course also strain an already resource-constrained market in the short term. The demand for expertise in areas the Act mandates will grow, meaning smaller companies, in particular, may struggle to attract and retain the skilled professionals needed as they compete with larger organizations offering higher salaries and more attractive career development opportunities. However, we would hope this may create an increased willingness to develop more structured training programs, certifications, and initiatives to narrow the skills gap as a result.
 
Balancing these immediate costs against the long-term benefits is essential.  Enhanced operational resilience reduces downtime and mitigates financial losses associated with cyber incidents.  Meanwhile, improved risk management frameworks can help avoid regulatory fines and maintain customer trust, which are all invaluable factors in an increasingly digital economy. It is absolutely an investment that evolves over time, so landing that message will undoubtedly be tricky for those needing to see immediate returns to justify any investment.  One significant benefit we can see is the potential for lower insurance premiums for firms demonstrating robust cybersecurity postures.
 
While the path to DORA compliance may be challenging, the potential for greater security, trust, and stability is a return on investment worth pursuing.”