What Rocked Risk Management in the First Half of 2025?

Quick Summary

In this blog post, we recap the most impactful risk management events from the first half of 2025. From record-breaking data breaches and enforcement actions to major regulatory shifts like DORA and the EU AI Act, we highlight incidents across finance, healthcare, tech, and beyond. This mid-year review is packed with insights risk professionals can apply to strengthen cybersecurity, compliance, and third-party oversight.

Major Risk Management Incidents and Updates in H1 2025

The first half of 2025 has been packed with risk management lessons. From massive data breaches affecting millions of people to sweeping new regulations and costly compliance failures, these past six months offered plenty of reminders of why robust risk practices are critical. In this mid-year recap, we’ll walk through major incidents and updates from January to June 2025 across industries and around the world and highlight key takeaways for professionals in risk management, cybersecurity, procurement, governance, and compliance.

Surging Cyber Threats Across Industries in Early 2025

Cybersecurity incidents dominated headlines in 2025’s first half, hitting sectors from healthcare to retail. Data breaches reached alarming scales, compromising personal information of consumers, patients, and employees worldwide. For example, UK telecom provider TalkTalk launched an investigation after a hacker claimed to be selling data from 18.8 million customers (names, emails, IP addresses, phone numbers) stolen via a third-party billing platform. In the United States, a breach at a subsidiary of health insurer UnitedHealth exposed records of up to 190 million people, one of the largest healthcare breaches on record, leading to an estimated $3.09 billion in financial losses due to disrupted claims processing. These staggering figures underscore how a single cyber incident can impact tens of millions and cost organizations dearly.

Healthcare organizations were especially under siege. In April, Yale New Haven Health disclosed a ransomware attack that exposed 5.5 million patient records, including sensitive identifiers like Social Security numbers, making it one of the largest breaches of the year. Around the same time, Blue Shield of California revealed that a website analytics misconfiguration had inadvertently leaked 4.7 million individuals’ health plan data to ad tracking servers. And in Australia, leading fertility provider Genea suffered a ransomware leak of 940 GB of patient data, ranging from medical histories to test results. These incidents highlight healthcare’s ongoing vulnerability to cyberattacks, with attackers exploiting both technical weaknesses and human errors. The fallout (identity theft, potential fraud, and privacy violations) reinforces the need for stronger data protection in health systems.

Other industries learned the hard way about third-party and supply chain cyber risks. A wave of attacks by the Clop ransomware gang targeted widely used file-transfer software, hitting multiple companies in late 2024 and coming to light in early 2025. In April, Hertz Corporation confirmed a breach of over 1 million customer records (including driver’s license and credit card details) via a zero-day exploit in Cleo’s file transfer platform, which Clop had abused to steal data. The same Clop campaign impacted the WK Kellogg Company, where thieves accessed HR files via the compromised Cleo platform, as well as other firms reliant on that vendor. These cases underscore how a weakness in one supplier’s system can cascade into breaches of numerous client organizations. Robust vendor due diligence and third-party security controls are therefore more crucial than ever.

Even critical infrastructure and government-related targets were not spared. In January, U.S. officials exposed a cyber-espionage campaign dubbed “Salt Typhoon” linked to China’s state security, which had breached nine telecom companies and even the U.S. Treasury’s network, stealing thousands of files. The fallout prompted U.S. sanctions against the hackers and a Chinese tech firm that allegedly facilitated the intrusions. And in the energy sector, grid operator PJM Interconnection (vital to the U.S. power market) saw a hacker claim access to its databases, raising alarms about threats to critical services. These incidents highlight rising geopolitical cyber risks, with nation-backed attackers targeting telecom, finance, and energy systems. For risk managers, the lesson is clear: even highly regulated or “hardened” sectors can be penetrated, so constant vigilance and incident response readiness are paramount.

Traditional companies faced disruptive attacks too. A notable example came in April when British retail giant Marks & Spencer (M&S) suffered a major cyber-attack that halted online payments, gift card usage, and Click-and-Collect services. Deliveries were postponed and e-commerce operations frozen, directly impacting customers. Meanwhile, a mass phishing campaign compromised email marketing platforms (like Mailchimp, SendGrid, and others), demonstrating how attackers can abuse trusted SaaS tools to spread further attacks. The M&S incident shows that cyber events can quickly turn into operational and supply-chain disruptions, not just data leaks, affecting sales and customer service. Organizations must ensure their business continuity and incident response plans are up to date and “battle-tested” for such scenarios. In short, the first half of 2025 has proven that no industry is immune to cyber threats. The companies that weathered these storms best were those prepared with strong security practices, proactive monitoring, and practiced response plans.

Key takeaway: Across all these breaches, common themes emerged: failure to patch vendor software, misconfigured systems, and inadequate monitoring were often the root causes. Many attacks exploited known vulnerabilities or third-party weak links, emphasizing the need for continuous risk assessment beyond one’s own perimeter. And with ransomware and data theft at record highs (Q1 2025 saw a 45% jump in disclosed ransomware attacks versus the prior year), organizations must treat cybersecurity as a “when, not if” problem.

Regulatory Shake-Ups and New Compliance Requirements in 2025

Regulators worldwide responded to the evolving risk landscape with major new rules and updates in early 2025. These regulatory changes aim to bolster resilience in finance and technology, but they also add compliance challenges that risk and audit professionals must navigate.

In the financial sector, January 2025 marked the implementation of two landmark EU regulations. First, the EU’s Digital Operational Resilience Act (DORA) became fully applicable on January 17, 2025. DORA is a sweeping law to strengthen the IT security of banks, insurers, investment firms, and even crypto-service providers in the EU. It requires firms to implement strict cyber risk management practices, conduct regular resilience testing, and closely oversee critical ICT third-party providers. The goal is to ensure that financial entities can withstand and quickly recover from cyberattacks and IT disruptions, after years of seeing how one outage or hack at a bank can ripple into broader economic instability. For risk managers, DORA means new incident reporting mandates and oversight: financial institutions must promptly report significant cyber incidents to regulators and may face audits of their digital operational resilience. Firms spent the first half of 2025 racing to update their policies and vendor contracts to meet these requirements.

Secondly, the EU confirmed it would roll out the final batch of Basel III bank capital rules from January 2025, sticking to the timeline agreed post-financial crisis. This final phase of Basel standards introduces an “output floor” to curb big banks’ use of overly optimistic internal models for risk, ensuring they hold adequate capital in line with standardized approaches. The rule package also includes new provisions to harmonize bank licensing across EU countries and transitional capital requirements for crypto-asset exposures, as well as requirements for banks to better manage environmental, social, and governance (ESG) risks. EU officials hailed these rules as crucial to keep banks stable amid economic shocks and the green and digital transitions. While the EU moved ahead, it’s worth noting that U.S. regulators proposed similar “Basel Endgame” rules for American banks starting mid-2025, but faced heavy industry pushback and potential delays. The divergence in timelines has been a talking point in global regulatory circles; European regulators even cautioned that if the U.S. lags too much, it could justify postponing EU implementation to avoid competitive disadvantages. For risk professionals in banking, these capital rule updates mean recalibrating risk models, adjusting business strategies, and ensuring compliance with more stringent capital floors in the coming years.

Beyond finance, technology risk and sustainability also saw new rules. The EU’s much-anticipated Artificial Intelligence Act – the world’s first comprehensive AI law – was adopted in mid-2024 and began its phased implementation in 2025. Notably, as of February 2, 2025, the AI Act’s ban on “unacceptable risk” AI systems took effect across Europe. This means certain AI applications are now outright prohibited in the EU, such as social scoring of individuals or real-time biometric surveillance like facial recognition in public spaces. These bans became law even before the rest of the AI Act fully kicks in (most other obligations will apply in 2026–2027). For companies developing or using AI, this was an early wake-up call: some high-risk use cases are off-limits, and transparency requirements for AI (like disclosing AI-generated content and data used for training) are coming soon. Regulators signalled flexibility for innovation (e.g. regulatory sandboxes and phased timelines for compliance), but the direction is clear: AI governance is now a formal compliance issue. Risk and compliance teams need to start inventorying their AI systems and ensuring they don’t cross into banned practices, while also preparing for future oversight of “high-risk” AI systems under the Act.

Meanwhile, in the realm of sustainability and ESG reporting, the EU introduced a significant adjustment mid-way through 2025. Under the new Corporate Sustainability Reporting Directive (CSRD), thousands of companies (including many non-EU firms with EU operations) were supposed to begin detailed sustainability disclosures in stages, starting with fiscal year 2024 reports. However, on April 3, 2025, the European Commission voted to postpone certain CSRD compliance deadlines by two years for the later waves of companies. This “stop-the-clock” measure means that the second wave of large companies (those with >250 employees that weren’t already reporting under prior rules) will now report under CSRD in 2028 (for FY2027) instead of 2026. Small and mid-sized listed companies got an extension too, pushing their first CSRD reports out to 2029. Importantly, the largest companies already under the older NFRD requirements still must report on schedule in 2025 (covering FY2024 data). 

This delay, expected to be formally adopted by June 2025, acknowledges the significant challenges companies faced in preparing robust ESG reporting systems. In practice, it gives thousands of organizations extra time to gather data and implement controls for reporting on climate impacts, diversity, supply chain due diligence, and more. Risk managers and auditors focused on ESG can breathe a small sigh of relief, but not for long – the push for transparency and “double materiality” in reporting remains, and regulators will expect higher-quality disclosures when those deadlines arrive. In the interim, companies are advised to continue building out their sustainability reporting processes rather than wait, as investor and stakeholder scrutiny on ESG risks is only growing.

Across the Atlantic, U.S. regulators were also active. While not a single law, a mix of regulatory moves in H1 2025 kept compliance teams busy. For instance, financial regulators (like the OCC and Federal Reserve) emphasized operational resilience and third-party risk management in their 2025 supervision priorities, in line with events like the DORA rollout in Europe. U.S. authorities also continued aggressive enforcement of data privacy and security rules: by January 2025, cumulative fines under Europe’s GDPR had reached €5.88 billion since inception, reflecting global willingness to penalize data protection failures. And in the realm of cryptocurrency and fintech, regulators tightened the screws (for example, clarifying that firms facilitating crypto transactions must comply with traditional AML and sanctions rules). All told, the first half of 2025 saw a wave of regulatory change aimed at shoring up defenses against both financial and technological risks. Risk and compliance professionals have been digesting new guidelines, updating policies, and, in many cases, investing in new systems to ensure compliance, whether it’s for cyber resilience, AI oversight, or sustainability reporting.

High-Profile Compliance Failures and Consequences

With regulators on high alert, the cost of poor risk management was starkly illustrated by several enforcement actions and compliance failures in H1 2025. Organizations that fell short of legal requirements, especially in financial crime prevention and data protection, faced multi-million dollar penalties and public scrutiny, proving that lapses can hit the bottom line hard.

One of the most notable cases was the action against Block, Inc., the parent company of the popular Cash App mobile payment service. In January 2025, a coalition of 48 U.S. state regulators announced a coordinated enforcement action that hit Block with an $80 million penalty for widespread anti-money laundering (AML) deficiencies. Over 50 million Cash App users rely on the service, but state examiners found that Block had failed to implement adequate Bank Secrecy Act/AML controls, for example, insufficient customer due diligence and monitoring of high-risk accounts. The multistate settlement not only levied a hefty fine but also forced Block to hire an independent consultant to audit and fix its AML program within a year. This case stands out as a record-breaking AML penalty in the fintech sector. It sent a clear message: fast-growing fintech firms will be held to the same standards as traditional banks. For compliance officers, the Block/Cash App action highlights the importance of having robust systems to verify customer identity, monitor transactions for suspicious activity, and swiftly report potential money laundering, even (or especially) when a platform scales to tens of millions of users. Neglecting those basics can result in massive fines and remediation costs.

Traditional financial institutions were not off the hook either. In March 2025, U.S. broker-dealer LPL Financial agreed to a $3 million fine to settle charges by FINRA (the brokerage industry regulator) that its AML program had critical failures. Specifically, LPL’s systems failed to detect and report suspicious penny-stock trades, indicating weak customer due diligence and oversight of higher-risk activities. The relatively moderate size of the fine (for a large firm) belies its significance: it underscores that even well-established financial companies can have blind spots in their compliance programs. FINRA’s action against LPL is a reminder that routine compliance tasks, like filing Suspicious Activity Reports (SARs) and updating customer risk profiles, cannot be treated as a checkbox exercise. Internal audit and compliance teams must continuously test their systems to ensure unusual transactions don’t slip through the cracks, or they could face similar enforcement.

Across the Atlantic, European regulators also demonstrated their willingness to penalize lapses. In February 2025, the Dutch Central Bank (DNB) fined De Volksbank €2.5 million for “serious shortcomings” in its AML compliance between 2018 and 2020. The bank, a mid-sized Dutch retail bank, had failed to properly assess customer risk or implement adequate transaction monitoring and internal controls, leaving it vulnerable to money laundering. While €2.5M is not enormous by global bank standards, the action is notable because it shows that even in a highly regulated market like the Netherlands, basic AML controls were lacking and drew regulator ire. The DNB specifically called out incomplete customer due diligence and weak management oversight. This serves as a cautionary tale for banks everywhere: regulators are increasingly intolerant of lax compliance, and they expect institutions to continuously refine and improve their risk controls. No bank can rest on its laurels; having a compliance program “on paper” is not enough if it’s not effective in practice.

Data privacy enforcement also continued. For instance, authorities in Spain fined a major telecom operator €1.2 million in early 2025 for GDPR violations, and other European data protection agencies issued penalties for issues like unlawful marketing or data breaches. While these individual fines were smaller, the broader trend is that privacy regulators are actively enforcing compliance, and the cumulative penalties are substantial. By early 2025, the largest GDPR fine on record remained the €1.2 billion hit against Meta (Facebook) in 2023 for data transfers, but dozens of smaller fines in different EU countries have added up to billions of euros in total. Companies globally have taken note that mismanaging customer data or suffering preventable breaches can result in material financial penalties in addition to reputational damage.

Beyond fines, the first half of 2025 revealed operational and reputational consequences for risk management failures. A case in point: UnitedHealth Group’s massive data breach (mentioned earlier) not only compromised 190 million health records but also disrupted the company’s operations and led to billions in costs. Such direct losses capture executives’ attention in a way that policy papers cannot. Similarly, Marks & Spencer’s cyber outage in April likely resulted in lost sales and unhappy customers in the short term, and it highlighted the importance of resilience planning even for retail companies not typically thought of as tech-heavy. And in the supply chain risk arena, there was the ongoing fallout from the late-2024 shutdown of a major U.S. freight railroad (a hypothetical example for illustration) or the persistent semiconductor supply issues; while not single “incidents,” these trends have forced procurement and operational risk teams in early 2025 to reevaluate their contingency plans and supplier diversification strategies. (For example, product recall reports showed a 25% spike in the number of recalled consumer products in Q1 2025, which can create downstream risks for retailers and insurers.) All of these underscore that risk management isn’t just about avoiding fines; it’s about preventing disruptions that can cost even more in lost business and recovery efforts.

Key takeaway: The enforcement actions in H1 2025 illustrate that regulators are serious about holding organizations accountable for risk failures. Whether it’s anti-money laundering, data protection, or operational resilience, companies that neglect compliance basics do so at their peril. The cost of non-compliance, in dollars, legal headaches, and trust, far outweighs the investment in strong risk controls. Internal auditors and risk officers should use these high-profile cases as leverage to advocate for more resources and attention to compliance programs. After all, it’s much cheaper to fix a gap proactively than to pay for it after a scandal.

Conclusion: Lessons for Risk Professionals

The events of the first half of 2025 offer rich lessons for risk management, cybersecurity, and compliance professionals. A few themes clearly emerge. First, interconnectivity of risk is higher than ever. A vulnerability in a third-party software tool can lead to dozens of companies being breached, just as a disruption in one part of a supply chain can idle factories continents away. This means organizations must broaden their risk assessments to include vendors, partners, and even geopolitical factors. Second, investing in resilience pays off. Companies that had robust cyber defenses, up-to-date incident response plans, and regular drills were able to contain attacks like ransomware more effectively, suffering less downtime and data loss. In contrast, those caught unprepared, whether a hospital facing a massive data leak or a fintech with weak AML checks, paid a steep price.

Third, the regulatory environment is intensifying. New rules (from DORA to the AI Act to CSRD) are raising the bar for what regulators and stakeholders expect in terms of risk oversight and transparency. Compliance can no longer be siloed; it’s a cross-functional effort spanning IT, finance, legal, and operations. Risk managers should stay closely tuned to regulatory developments and engage early on implementation. For example, if you operate in the EU financial market, ensure your team is meeting DORA’s ICT incident reporting and testing requirements; if you use AI in services, start documenting those systems and managing their risks; if you’ll be subject to sustainability reporting, begin collecting data now.

Finally, culture and governance are key. Many of the incidents we discussed were ultimately enabled by lapses in basic controls or human error: an admin misconfiguring a server, an employee falling for a phishing email, a compliance team not following through on an alert. Fostering a culture of risk awareness, where employees understand their role in safeguarding the organization, is perhaps the best defense of all. That includes support from the top: boards and executives in 2025 are asking more pointed questions about cyber preparedness, business continuity, and ESG risks. Risk leaders should seize this moment to strengthen their programs, backed by the clear evidence that effective risk management is not a cost center but a value protector.

As we head into the second half of 2025, the only certainty is that risks will continue to evolve, whether it’s a new strain of malware, a sudden regulatory change, or an unforeseen crisis. The good news is that the first half of the year has armed us with fresh experience and insights. By learning from these major incidents and trends, we can adapt and improve. For those of us in risk, compliance, and audit, the mandate is clear: stay proactive, stay informed, and never let complacency take hold. The stakes, from financial losses to public safety, are simply too high. Here’s to navigating the rest of 2025 with the vigilance and agility that these times demand.