Data breaches across the United States continued at scale throughout 2025, but volume is no longer the most telling metric.
Cybersecurity has firmly moved beyond the IT function; it is now a board-level business risk shaped by regulatory scrutiny, litigation exposure, supply-chain complexity and reputational impact. The organizations that experience the greatest long-term damage are not always those that suffer the largest technical compromise – they are often those unable to demonstrate structured governance when it matters most.
According to IBM's 2025 Cost of a Data Breach report, the global average cost of a data breach was $4.44 million in 2025. In the U.S., the average rose to approximately $10.22 million per incident, the highest of any region.
At the same time, breach volumes remain persistently high. The Identity Theft Resource Center recorded 3,322 data breaches across the US in 2025, a 4% increase year on year and a 79% rise compared with 2020.
Breaches are no longer isolated events
One of the defining characteristics of 2025 was systemic risk. Third-party and supply-chain vulnerabilities enabled attackers to compromise thousands of organizations through a single point of failure. A breach affecting technology provider SitusAMC exposed systems connected to multiple US financial institutions, demonstrating how interconnected digital ecosystems amplify impact across regulated sectors.
Healthcare organizations continued to face ransomware and data-exfiltration attacks, with millions of patient records exposed. A confirmed breach involving TriZetto Provider Solutions impacted more than 700,000 individuals and triggered federal reporting obligations.
Insider and contractor-related risk also remained elevated. In 2025, Coinbase disclosed unauthorized access involving a contractor, resulting in the exposure of customer identity verification data. The incident highlighted a growing challenge: enforcing access control and governance across extended and outsourced workforces. Modern breaches rarely stop at one organization. They cascade across supply chains, partner networks, and governance gaps.
Regulatory expectations continue to rise
Enhanced cybersecurity disclosure requirements from the US Securities and Exchange Commission have reshaped how public companies assess and report material incidents. Enforcement activity from the Federal Trade Commission remains active where organizations cannot demonstrate reasonable security controls. State-level privacy frameworks, particularly in California, further expand exposure for businesses handling consumer data.
In this environment, the absence of documented governance is increasingly costly. Financial penalties, shareholder scrutiny and reputational damage frequently compound the direct operational impact of a breach. Incident response capability alone is no longer enough. Organizations are expected to evidence structured, ongoing oversight of risk and control effectiveness.
Compliance maturity defines resilience
For US organizations, breach impact is increasingly shaped by compliance readiness rather than technical containment alone.
As Mark Edgeworth, CEO of Hicomply, explains: “Data breach risk isn’t only about the initial technical exploit. Organizations that can demonstrate robust security frameworks like ISO 27001 or SOC 2 are far better positioned to respond, report and recover with confidence. These frameworks turn compliance from a box-checking exercise into a defensible approach that reduces regulatory exposure and builds trust with customers and partners.”
Compliance must now operate as a continuous discipline, embedded into operations, measurable over time and visible at leadership level. When governance is structured and evidence is accessible, organizations respond faster, communicate with greater confidence and reduce regulatory exposure. When it is not, cost escalates, financially and reputationally.
From reactive response to continuous control
The reality for US businesses is straightforward. Breaches are not exceptional events; they are operational risks. Organizations that embed recognized frameworks such as ISO 27001 and SOC 2 into day-to-day operations are better positioned to withstand scrutiny, protect stakeholder trust and contain financial impact. Those that treat compliance as static or reactive often discover too late that recovery is only part of the equation.
At Hicomply, we help organizations move from reactive reporting to structured, continuous control. Our ISMS platform enables businesses to achieve and maintain critical certifications, automate evidence collection and maintain visibility across regulatory obligations.
If your organization is reassessing its approach to governance and compliance maturity, now is the time to ensure resilience is measurable, defensible, and embedded long before an incident occurs.