Cybersecurity & Information Protection

  1. Harmonization & Reciprocity
  2. Meeting Minimum Standards
  3. Reporting Threats and Incidents
  4. Actions

As cybersecurity risks remain a key concern across industries, particularly for critical infrastructure and security, regulatory scrutiny of data security, data risk management, operational resilience, and incident response/reporting will continue in 2025. Anticipate that federal regulatory activity will remain elevated, driven by the complexity and interconnectedness of transactions, including the use of third-party AI/technology products and services, and by data protection/privacy concerns. Similarly, anticipate continued state adoption of cybersecurity laws and regulations.

1. Harmonization & Reciprocity

Alongside the benefits of the expanding digital environment, looming threats and vulnerabilities spur calls for a unified approach to cybersecurity risk management. Under the National Cybersecurity Strategy, released in 2023 and updated in 2024, a whole-of-government effort has been underway to create a “unified cybersecurity framework” at the federal level, harmonize and streamline regulations, and establish reciprocal recognition amongst regulators and across industries.

A Cross-Sector Approach

Focusing initially on critical infrastructure sectors, initiatives in 2025 will consider:

  • Setting baseline or minimum regulatory requirements across all sectors, including minimum accountability mechanisms for security and operational resilience.
  • Harmonizing incident and ransom payment reporting requirements with other federal reporting regimes.
  • Testing regulatory reciprocity frameworks through pilot programs.
  • Supporting calls for legislation to set national cybersecurity and data privacy standards.

These efforts are separate from ongoing state-level legislative and regulatory activities related to cybersecurity and data privacy.

Supervision and Enforcement

With rising adoption of digital tools and services (e.g., cloud, e-communication technologies and platforms, fintech service providers), the volume and complexity of cyber threats (e.g., adversarial attacks, data poisoning, insider threats, and model reverse engineering) to critical infrastructure entities are increasing. In response, regulatory scrutiny is intensifying in the areas of:

  • Risk Management, across security-related risks (e.g., cyber/technology, operational, physical, third party) and in areas related to risk assessment, systems access, threat detection and vulnerabilities, reporting, recovery, and recordkeeping.
  • Data Management, where regulators expect heightened standards for data governance, tiering, lineage, and data quality to support enhanced reporting and risk management, as well as cyber risk management (more targeted vulnerability and patch management) and privacy risk management (privacy rights management, privacy impact assessments).
  • Cyber Resiliency, with a focus on demonstrable mechanisms to secure and fortify critical cyber infrastructure (e.g., protections against cyber incidents, technical vulnerabilities, and physical events and related business continuity planning).

2. Meeting Minimum Standards

At a minimum, regulators will continue to focus on companies’ efforts to strengthen governance and risk management around the security of systems and data both internally and through affiliates and third/nth parties.

Regulatory areas in the spotlight may include:

Compliance

With existing security-related rules and requirements, such as the SEC Cybersecurity Final Rule for Public Companies, Interagency Guidance on Third-Party Risk Management, and the FTC Safeguards Rule as well as the potential for new rulemakings and frameworks/guidance specific to cybersecurity, data privacy, or AI.

Privacy Practices

As part of an ongoing focus on data minimization, usage, deletion/disposal, controls, and consent.

Data Classification/Tiering

Given the heightened focus on data governance and management practices over risk management data, regulators will increasingly assess data classification and tiering based on data sensitivity, integrity, availability, and criticality, with due consideration for data sovereignty and localization requirements under data privacy laws.

Parties & Providers

Including companies’ abilities to demonstrate effective risk-based oversight for all types of relationships/arrangements, giving consideration to market concentration, the interconnectedness of providers, and supply chain risks, as well as assessing the provider’s ability to meet compliance obligations (e.g., incident reporting requirements) and to protect data privacy/security.

Staffing/Resources

To ensure that cyber/data personnel possess the specialized knowledge and skills necessary to identify, analyze, and remediate emerging threats, and also that the relevant workforce is adequately staffed and resourced.

3. Reporting Threats and Incidents

Increasing cybersecurity risks and expanding expectations around threat detection and monitoring are focusing regulatory attention on the timeliness and adequacy of reporting, both internally and externally.

Anticipate regulators will continue to review:

Board/Management Reporting

The effectiveness of board and management engagement in cybersecurity risk management and governance including:

  • Roles, responsibilities, and experience.
  • Oversight of processes for assessing, identifying, and managing potential cybersecurity threats and threat actors.
  • Frequency, timeliness, and accuracy of reporting as well as the reporting scope (e.g., line of business, enterprise-wide, regional).
  • Speed of incident remediation.

Incident Reporting/Disclosure

The timeliness and transparency of reporting and disclosure for identified significant, substantial, or material cybersecurity and/or data breach incidents and ransom payments. This includes notifications, as appropriate, to:

  • The primary regulator.
  • Other regulatory authorities (e.g., SEC, CISA, state authorities).
  • Public disclosures (e.g., Form 8-K, website).
  • Impacted customers.

4. Actions

  • Enhance board and executive oversight: Strengthen the oversight of security risk management, strategy, and governance at the board and executive level. Conduct regular communication and reporting between executives, management, and the board to foster a proactive approach to identifying, monitoring, and mitigating potential security threats as well as timely incident response.
  • Third-party risk assessments: Maintain a broad inventory of third parties involved in the delivery of business software and services, and perform a risk assessment of each to evaluate their operational viability, financial health, security practices, compliance history, and previous incidents. Assess the potential for over-dependence or over-concentration on a small number of parties/providers.
  • Resiliency: Cultivate a culture of resilience, embedding robust contingency plans that encompass not just IT infrastructure but also key business operations. Conduct regular impact assessments using a variety of scenarios.
  • Data Security: Build a comprehensive inventory of data (at rest and in transit) across the organization. Identify and label “crown jewel” data assets; categorize and classify structured and unstructured data; and assess threats, vulnerabilities, and risks. Align proactive monitoring and preventative data protection controls (such as Data Loss Prevention (DLP), encryption, data masking, and use of synthetic data) to the identified data assets based on their risk exposure, reducing that exposure to a level aligned with organizational risk tolerance and regulatory posture.
  • Recovery Planning: Evaluate the ability to handle recovery at scale and under pressure; develop/modify the backup and recovery plan as appropriate.
  • Maintain transparent and timely reporting: Implement a system for transparent and timely reporting of security threat incidents, as required by regulatory authorities. All incident-related information should be accurate, up to date, and communicated to the appropriate stakeholders, including regulatory agencies and customers, as appropriate.
  • Enhance Vulnerability Management Practices: Deploy advanced tools and processes for continuous vulnerability detection. Prioritize remediation efforts based on risk assessments and promptly address vulnerabilities to mitigate potential threats.

Dive into our thinking:

Ten Key Regulatory Challenges of 2025

Rolling through the Shift
