The year 2025 can already be considered a watershed moment regarding the escalation of cyber attacks. The combination of AI, automation, and interconnected global networks has transformed the risk into something almost inevitable. This new threat landscape gained strength as criminal groups began targeting high-impact sectors—retail, service providers, critical infrastructure, healthcare, and logistics—expanding not only the scope of the assaults but also their potential for destruction.
According to data from Check Point Research Technologies, in the second quarter of 2025, the global average of cyber attacks per organization reached 1,984 attacks per week. In Latin America, the increase was pronounced: 2,803 weekly attacks, a 51% rise compared to the previous year, with Brazil accounting for a large portion of the incidents.
In Brazil, the most emblematic incident was the attack on C&M Software, an intermediary for Pix, considered the largest ever recorded against the Brazilian financial system. Cybercriminals managed to purchase the credentials of a third-party employee, gaining access to the company's systems and leaking 392 GB of data. The estimated loss exceeded R$ 1 billion, demonstrating how human errors and supply chain vulnerabilities can transform an incident into a financial crisis.
The attack on C&M Software was not an isolated event. In 2025, other offensives also exposed the global scale of the problem. In the UK, Marks & Spencer had its payment and logistics systems compromised, resulting in shutdowns, delays, and million-dollar losses; Salesforce, one of the world's largest SaaS providers, was the target of an incident that exposed sensitive data and disrupted operations for various small and medium-sized businesses in multiple countries. In Europe, hospitals suffered coordinated attacks, showing that critical infrastructures remain vulnerable despite continuous warnings.
The attacks extended beyond large companies and digital services: the theft at the Louvre Museum, facilitated by the use of weak passwords, became a symbol of human fragility as an attack vector. In a year marked by increasingly sophisticated intrusions, it was precisely a banal password that exposed one of the world's most visited institutions.
In the transportation sector, attacks on IT service providers for airlines caused chaos at European airports, with massive delays and cancellations. The episode exposed the vulnerability of the global mobility chain when a single link fails.
These events have more in common than scale or technical level. What unites them is the exploitation of structural weaknesses: excessive reliance on third parties, complex supply chains, management failures, legacy systems, and insufficient security controls. No matter how robust a company's core is, vulnerability can come from the outside. The entire digital chain must be considered, with third-party governance as a priority.
The tactics in use have clearly evolved in kind as well: ransomware-as-a-service (RaaS), infostealers, deepfakes, and AI-driven spear phishing have made attacks more dynamic and harder to detect. In this scenario, the fundamentals of cybersecurity (updated antivirus, configured firewalls, backups, and multi-factor authentication) remain essential but are no longer sufficient. The strategic response requires supply chain mapping, continuous risk assessment, supplier due diligence, audits, and risk transfer instruments, such as cyber insurance.
The response can no longer be reactive. It is time for Brazilian companies to treat cybersecurity as a strategic priority. For CIOs and CISOs, the moment demands concrete action.
The year also showed that prevention is not enough. It is essential to be prepared to respond not only with good action plans involving IT suppliers and service providers—which include legal support and communication—but also with the financial preparedness the issue requires.
Cyber risk is no longer an IT issue but a strategic business issue. This has become a discussion point at the board level. Organizations that ignored this priority faced shutdowns, deep reputational damage, and considerable financial losses.
The role of cyber insurance is evolving from a financial safety net to a strategic risk management partner. The most successful companies see insurance not as a mere item to be checked on a requirements list, but as an integral component of a resilience ecosystem.
The legacy of 2025 is simple: cybersecurity is not a cost, it is competitiveness. Organizations that treat protection as an investment and recognize the shared responsibility between the company and its suppliers will be the ones to navigate 2026 with greater resilience.
* Marta Helena Schuh is Director of Cyber and Technology Insurance at Howden Brazil

