3. A new wave of cyber threats is here
2025 Data law trends

In brief

As global cybersecurity threats continue to evolve, companies are navigating an increasingly complex risk landscape. In this chapter, our cybersecurity experts dive into recent trends in ransomware attacks and the latest regulations around incident response. They also discuss new guidance on fines and damage claims while exploring the intersection of cybersecurity and AI.

Here’s what we’ll cover:

  • The rising frequency and scale of ransomware attacks.
  • New incident response obligations.
  • GDPR damage claims.
  • The role of AI in enhancing and undermining cybersecurity.
A new wave of cyber threats is here

In February 2024, several international law enforcement agencies scored a major success in the fight against cybercrime by seizing control of infrastructure used by LockBit, one of the world’s most active ransomware groups, while developing decryption keys that could enable the recovery of many LockBit-encrypted systems. However, LockBit has reportedly continued attacking companies using new servers and dark web domains, which demonstrates the persistence of cybercriminals. While law enforcement continues to pursue cybercriminals and companies continue to improve their cybersecurity measures, ransomware remains rampant and attacks are increasing in sophistication and number, not least due to:

  • the rise of widely available generative AI; and
  • the increasing commoditization of ransomware, particularly through ransomware as a service.


Recent developments emphasize that cybersecurity should be always higher on the agenda of the leadership of organizations.

Satya Staes Polet, Partner

In 2024, ransomware demands and payments have continued to climb, reflecting the ongoing evolution and aggressiveness of cybercriminals’ tactics. The first half of 2024 saw ransomware attacks increase in both frequency and scale, with the average ransom demand reaching over $1.5m in the second quarter of 2024 – a 102 percent increase quarter over quarter. This increase is largely driven by the continued success of multiple-extortion schemes, where attackers not only encrypt data but also exfiltrate it, threatening to release sensitive information if ransoms are not paid.

Attackers may also threaten to deploy distributed-denial-of-service attacks or threaten employees and customers of victims to apply additional pressure on companies. A group of cybercriminals has even been known to lodge a complaint with a regulatory authority to denounce the failure of the company that suffered the data breach to disclose it as required by law, thereby using the law as a means of exerting pressure. The emergence of new groups and ransomware variants, including rebranded ransomware groups, has also contributed to the record-breaking number of incidents and payments. Despite ongoing law enforcement efforts, the overall threat continues to grow, with 2024 potentially becoming the worst year on record for ransomware payments.

Beyond ransomware attacks, supply chain attacks continue to be a significant issue. Companies rely on third-party vendors, which provide systems and services critical to those companies.

Cyberattacks, vulnerabilities or even faulty updates at vendors have resulted in significant losses for numerous customers of those vendors and highlighted the growing importance of integrating cybersecurity into a company’s overall risk management. These incidents underscore the cascading effects that supply chain attacks can have, leading to regulatory penalties, breach of contract claims and potential litigation.

Additionally, supply chain attacks can be more challenging to investigate, as an affected customer may have limited visibility into an attack on a third-party vendor and limited control over the vendor’s investigation. In fact, supply chain risk has become such a significant issue that the US National Institute of Standards and Technology (NIST) released the first major update to its Cybersecurity Framework since 2014, incorporating practices to manage cybersecurity risks within and across organizations’ supply chains. Organizations must bolster their cybersecurity measures, ensure their supply chain contracts include robust security provisions and stay compliant with evolving regulations. Legal teams should prepare for complex liability issues and the intricacies of data breach notifications that arise from such multifaceted attacks.

Looking ahead

Cybersecurity regulations are tightening, and penalties for non-compliance are on the rise. As cybercriminals become more sophisticated in their use of AI, the need for companies to continually update and bolster their cybersecurity strategies has never been more urgent.

Staying ahead in this rapidly changing environment requires vigilance and adaptability. A strong, proactive cybersecurity strategy can make all the difference, helping you stay ahead of threats and minimize damage if a cyberattack occurs.

Our team

  • Richard Bird, Partner (Hong Kong)
  • Laéna Bouafy, Senior Associate (Paris)
  • Madeline Cimino, Associate (Washington, DC)
  • Brock Dahl, Partner (Silicon Valley, Washington, DC)
  • Tony Gregory, Counsel (London)
  • Hanna Hoffmann, Associate (Düsseldorf)
  • Megan M. Kayo, Partner (San Francisco, Silicon Valley)
  • Jérôme Philippe, Partner (Paris, Brussels)
  • Thomas Retière, Associate (Paris)
  • Satya Staes Polet, Partner (Brussels)
  • Rhodri Thomas, Partner (London)
  • Christoph Werkmeister, Partner (Düsseldorf)

Reports
Nov 29 2024
3. A new wave of cyber threats is here
© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome