
Cyber Threats, Geopolitics, and Business Resilience: The Board's Playbook

NACD Northern California
Contact Us
Lisa Spivey,
Executive Director
Kate Azima,
Director of Partnerships & Marketing
programs@northerncalifornia.nacdonline.org
Find a Chapter
About The Event
Escalating geopolitical tensions and increased cyber threats continue to affect corporate risk, making cybersecurity a top priority for board directors. With increasing state-sponsored and criminal cyberattacks, evolving regulations, and the rise of AI-driven threats, boards must work to improve business resilience.
Directors joined us to learn key strategies for enhancing board oversight, mitigating cyber risks, and strengthening business resilience from our expert panel, including moderator Patrick Huston and industry experts Vijay Jajoo, Travis LeBlanc, Rob Sloan, and Anthony Soohoo.
Key Takeaways:
Overview of the Current Cybersecurity Landscape
- Complex Landscape: Rising geopolitical tensions (e.g., Russia-Ukraine, Middle East crisis) have heightened cybersecurity risks, particularly for suppliers and companies operating in these regions.
- Global Nature: 54% of organizations report third-party risk management as a major concern, with 15% of incidents originating from third parties (Source: WEF Global Cybersecurity Outlook 2025).
- Sophistication of Cybercrime: Cybercrimes are becoming increasingly sophisticated and frequent, including identity theft and account takeover fraud.
- AI and Emerging Tech: AI is making it easier for cybercriminals to conduct activities such as reconnaissance and initial compromise.
- Emerging Regulations: Boards are striving to establish regulatory baselines, not only in the U.S. but internationally, though implementing these regulations can be challenging.
Geopolitical Tensions and Cybersecurity Risks at the Corporate Level
- Geopolitical and Cyber Risks Interlinked: While cyberattacks used to come primarily from criminals, state-sponsored actors and economic warfare now pose significant threats, including IP theft.
- Board Engagement: Cybersecurity is no longer just an Audit Committee issue. Leading boards address it in risk committees, board strategy sessions, and full board meetings, making it central to business resilience and reputation strategy.
- Commercial Espionage and IP Theft: Silicon Valley faces a growing threat of commercial espionage, and military expertise is becoming increasingly important for companies considering their talent pool.
Regulatory Developments Regarding Cybersecurity and Business Resilience
- Regulatory Changes Under New Administration: An exodus of cyber experts from the U.S. federal government could reduce the sophistication of cyber threat responses moving forward.
- Deregulation: The SEC’s 2023 cybersecurity rule, which requires public companies to report material incidents within four days, may be revised or revoked in the future.
- More Scrutiny Required: Boards should scrutinize public-facing security and cyber statements (e.g., in marketing and financial statements), avoid overstating security claims, and ensure communication between the CISO and relevant business stakeholders (including the board). Training security teams to communicate effectively is essential.
- China and Data Regulation: Expect increased regulation of U.S.-China interactions and of risks related to data transfers, especially for companies with employees or operations in China.
- Leading Industry Practices: Companies should leverage established practices and frameworks such as the EU AI Act, ISO 42001, the NIST AI Risk Management Framework, and MITRE ATLAS (which provides an AI threat library) to meet core requirements and demonstrate compliance to regulators.
Emerging Technologies for Cyber Threat Mitigation
- AI as Both a Solution and a Threat: While AI helps defend against cyber threats, it is also used by cybercriminals to conduct more sophisticated attacks (e.g., realistic phishing, identifying vulnerabilities, deepfakes).
- Data Anomalies: AI can analyze vast amounts of data to flag anomalies far better than human teams, improving threat detection. The panel agreed that it should be “AI-driven, human-led.”
- Inertia in Tech Adoption: Companies are often slower than cybercriminals to adopt new technologies, giving the upper hand to attackers. Boards need to ensure their management teams stay on top of emerging technologies affecting their cyber risk.
Cyberattacks Since the Rise of AI
- Securing AI and AI for Security: It’s crucial to start with the basics. Boards should challenge management on their posture regarding critical internet-facing software and identity fraud prevention. Implement well-challenged risk playbooks, KPIs around cybersecurity, and testing across departments and geographies to ensure consistent coverage across all business areas.
- Zero-Trust Architecture: Boards should consider moving towards a zero-trust architecture and assess where their network touches the internet. It’s also important to create an environment where employees can innovate and thrive within a controlled and secure environment, without bypassing organizational security.
- AI Regulation: Over 800 bills related to AI regulation are being proposed across the U.S., with potential consolidation of regulations in the future.
Board Cyber Risk Strategy and Tactics
- Active Threat Intelligence: Focus on real-world attack simulations and learning from experts in the ecosystem.
- Third-Party Security: Adopt a zero-trust mindset, as third-party vulnerabilities often cause security issues and don’t usually show up in audits.
- AI as a Force Multiplier: Use AI for real-time anomaly detection and automated threat responses, but ensure human oversight.
- Active Resilience Planning: Boards should be proactive in assessing threats regularly, improving cybersecurity maturity, and strengthening third-party security. Ensure third parties follow your security protocols, rather than relying on their own.
- Resilience Planning: Understand the organization’s threat profile and evaluate risks, including natural disasters, defective software updates, and other non-cyber-related outages.
- Simulations and Practice: An NACD survey from 2023 showed that 50% of directors haven’t completed a cyber-focused scenario in the past year. Regular practice and building lessons into playbooks are essential.
The Role of the CISO
- CISO Success: For CISOs to succeed, they must have a direct line to the CEO and board, with clear communication about challenges and resource needs. The CISO should work closely with product and engineering teams to integrate security into product development.
- Board Collaboration: The board should regularly engage with the CISO and ask key questions to ensure cybersecurity is integrated into the company’s strategy.
Key Questions for Boards to Consider:
- If a breach happens, do you have a communication plan? Ensure that regulators, customers, and investors are informed and prepared for reputational fallout.
- Is cybersecurity part of the product design process? Embedding security from the start helps mitigate future risks.
- Do you have enough coverage on your board to troubleshoot a cyber event? Conduct regular simulations to assess your readiness.
- How secure is the company? Ensure management provides specific, data-driven responses to questions regarding the company’s security posture.
- Is my AI (model, infrastructure, and application) secure? Management should demonstrate how AI implementation is working in the organization and how it is being secured.
Useful Resources:
- KPMG’s Board Leadership Center - by KPMG
- 2025 Cyber Security Considerations - by KPMG
- Regulatory Alert (COE) - by KPMG (useful for seeing the latest Executive Orders)
- Cybersecurity: Seven Steps for Board of Directors - by Zscaler
Thank you to our sponsors for hosting this event: