
In 2025, security and risk professionals will prepare for regulation and resilience

In 2024, regulators around the world put forward a myriad of proposed policies and legislation focused on cybersecurity and privacy, aiming to better manage the risks that come with new technologies such as generative AI (genAI) and with the management of third-party relationships. Security and risk leaders rushed to secure genAI even though its use cases were still evolving; almost every industry experienced critical IT disruptions due to a lack of resilience planning; and despite efforts to minimize third-party risk, organizations around the world saw an increase in software supply chain breaches.

With cybercrime expected to cost $12 trillion in 2025, regulators will take a more active role in protecting consumer data while organizations move to adopt more proactive security measures to limit material impacts. This year’s Forrester Cybersecurity, Risk and Privacy Forecast for 2025 reflects how organizations must evolve to address these emerging risk areas. Here are three of those predictions:

CISOs will deprioritize the use of genAI by 10% due to lack of quantifiable value.

According to Forrester 2024 data, 35% of global CISOs and CIOs consider exploring and deploying genAI use cases to improve employee productivity a top priority. The security product market has been quick to tout the expected productivity benefits of genAI, but the lack of practical results is fuelling disillusionment. The idea of an autonomous security operations center running on genAI has generated a lot of hype, but it could not be further from reality. In 2025 the trend will continue, and security practitioners will fall further into disenchantment as challenges such as inadequate budgets and unrealized benefits of AI reduce the number of security-focused genAI deployments.

Class action costs related to breaches will exceed regulatory fines by 50%.

Breach-related expenses are no longer limited to regulatory fines and remediation costs. Historically, cybersecurity regulations have not gone far enough to protect customers and employees, leading those same people to file class action lawsuits and seek damages. Class action costs are enormous in data breach litigation. And as the percentage of companies facing class action lawsuits has reached a 13-year high, CISOs will be asked to contribute to the company’s class action defense fund in 2025, meaning class action costs will far exceed the fines imposed by regulators.

A Western government will ban certain third-party or open source software.

Attacks on the software supply chain are one of the leading causes of data breaches in organizations around the world. Growing pressure from Western governments to require private companies to produce software bills of materials (SBOMs) has been a boon for software component transparency, but these SBOMs also highlight the role of third-party and open source software in the products governments purchase. In 2025, a government armed with this information will restrict an open source component for national security reasons. To comply, software vendors will need to remove the offending component and replace its functionality.
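The scenario above assumes a vendor can answer, from its own SBOMs, whether a restricted component is present anywhere in a shipped product. The following is an added example, not code from Forrester or from the article, showing how that check works against a CycloneDX-style SBOM (a JSON document whose `components` array holds entries with `name`, `version` and `purl`, and whose entries may nest further `components`). The sample SBOM, the component names and the restriction list are all constructed for illustration; a real restriction would come from the issuing authority.

```python
import json
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed sample: a minimal CycloneDX-style SBOM for a hypothetical product.
# Component names, versions and purls are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "example-app", "version": "3.2.0"}},
    "components": [
        {"type": "library", "name": "example-json-parser", "version": "2.1.0",
         "purl": "pkg:maven/org.example/example-json-parser@2.1.0"},
        {"type": "library", "name": "restricted-crypto-lib", "version": "0.9.3",
         "purl": "pkg:pypi/restricted-crypto-lib@0.9.3"},
        {"type": "framework", "name": "example-web-framework", "version": "5.0.1",
         "purl": "pkg:npm/example-web-framework@5.0.1",
         # CycloneDX lets a component declare its own bundled components inline,
         # so a flat scan of the top-level array would miss these.
         "components": [
             {"type": "library", "name": "legacy-net-utils", "version": "1.0.1",
              "purl": "pkg:npm/legacy-net-utils@1.0.1"},
             {"type": "library", "name": "legacy-net-utils", "version": "2.0.0",
              "purl": "pkg:npm/legacy-net-utils@2.0.0"},
         ]},
    ],
})

# Hypothetical restriction list: component name -> set of banned versions,
# or None when every version of that component is banned.
RESTRICTED: Dict[str, Optional[Set[str]]] = {
    "restricted-crypto-lib": None,
    "legacy-net-utils": {"1.0.0", "1.0.1"},
}


def iter_components(components: List[dict]) -> Iterator[dict]:
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_restricted(sbom_json: str,
                    restricted: Dict[str, Optional[Set[str]]]) -> List[Tuple[str, str, str]]:
    """Return (name, version, purl) for each component that matches the restriction list.

    A match is a component whose name is restricted and whose version is either
    in the banned set or, when the banned set is None, any version at all.
    """
    sbom = json.loads(sbom_json)
    hits: List[Tuple[str, str, str]] = []
    for comp in iter_components(sbom.get("components", [])):
        name = comp.get("name", "")
        version = comp.get("version", "")
        if name not in restricted:
            continue
        banned_versions = restricted[name]
        if banned_versions is None or version in banned_versions:
            hits.append((name, version, comp.get("purl", "")))
    return sorted(hits)


if __name__ == "__main__":
    for name, version, purl in find_restricted(SAMPLE_SBOM, RESTRICTED):
        print(f"restricted component found: {name} {version} ({purl})")
```

Run as a script, it reports the two matching entries (the banned crypto library and the banned 1.0.1 release of `legacy-net-utils`) while leaving the permitted 2.0.0 release alone. Matching on the bare `name` is deliberately simple; a production check would key on the package URL (`purl`) so that same-named packages from different ecosystems are not confused, and would run against every SBOM the vendor ships rather than a single file.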

Register here to receive Forrester’s free Forecast Guide, which covers the top technology and security predictions for the coming year. Additional free resources, including webinars, are available at the Forrester 2025 Forecast Center.

This article was written by Senior Analyst Cody Scott and was originally published here.