When 3,322 Breaches Is “Normal”: Why Boards Are Failing Cyber Governance

In 2025, the United States set a new record: 3,322 reported data compromises in a single year. That is not a typo, and it is not an outlier — it is the third year in a row with more than 3,000 incidents and a 79% increase in breaches over the past five years.

For all the investment poured into “best‑practice” controls, cyber‑insurance, and compliance programs, the curve is not bending. At this point, we should stop treating the breach statistics as a technology problem and start reading them as a governance scorecard — and a failing one.

The Denominator Problem: Risk Is Outpacing Control

Boards tend to measure success by what has been added: new tools, new hires, new frameworks. The 2025 breach numbers are a blunt reminder that what matters is what has accumulated on the other side of the ledger: the exposure those tools were bought to cover.

According to the Identity Theft Resource Center’s latest Annual Data Breach Report, data compromises in 2025 rose to 3,322 — up roughly 4–5% from 2024 and almost 80% higher than five years ago. At the same time, the number of individual victims dropped sharply to around 279 million, down from roughly 1.3–1.4 billion the year before due to fewer mega‑breaches.

The story behind those numbers is simple: we are no longer being felled by single catastrophic incidents, but by thousands of “small enough to tolerate” compromises across an ever‑expanding estate of SaaS platforms, vendors, APIs, and AI‑driven systems. In the mid‑market especially, the denominator — the number of systems, integrations, and data flows exposed to the internet — is growing much faster than control maturity.

You cannot out‑spend or out‑tool that kind of growth with incremental improvements. Governing the numerator (controls) while ignoring the denominator (exposure) is how you arrive, quite predictably, at 3,322 breaches.

Transparency Has Collapsed — and Boards Have Let It Happen

If the record count of breaches is bad, the collapse in transparency is worse.

Independent analysis of the 2025 ITRC data shows that only about 30% of organizations that reported a compromise disclosed what actually happened — down from near‑universal root‑cause disclosure just a few years ago. Roughly 70% of breached entities provided so little detail that neither customers nor peers can learn anything actionable about the causes or the controls that failed.

This opacity coincides with a critical qualitative shift: attackers are moving away from easily replaceable data (such as payment card numbers) toward “static identifiers” like Social Security numbers, driver’s license details, and bank account information that victims cannot simply cancel and reissue.

Boards that tolerate this combination — record‑high breach volume, more durable harm to victims, and less transparency about root causes — are not exercising effective oversight. They are, at best, treating cybersecurity as a compliance exercise and, at worst, allowing management to optimize for reputational damage control rather than systemic learning.

2026: Cyber Risk Is Now Explicitly a Board Issue

The broader governance ecosystem has moved. Boards have not.

Analysts and regulators now frame cybersecurity plainly as a core business risk, not an IT problem. IDC’s 2026 guidance on board engagement calls for quantifying cyber risk in financial terms and aligning security investment with explicit risk appetite and resilience objectives. NACD’s recent resilience guidance tells directors to set expectations for tested recovery, scenario planning, and independent assurance instead of relying on prevention‑only narratives.

At the same time, macro‑trends are making board inaction more dangerous. Data sovereignty rules, cloud concentration, and AI adoption are increasing system interdependence and regulatory exposure. The enforcement of frameworks like CMMC in the federal ecosystem shows how quickly “optional best practices” can become binding obligations with real financial consequences.

In short: the external environment already treats cyber risk as board‑level. The 3,322 breaches of 2025 tell us that many boards still do not.

What Boards Must Change: From Vague Comfort to Concrete Control

The remedy is not another dashboard full of red‑amber‑green charts. It is a shift in the questions boards ask and the way they define success.

1. Risk Appetite That Actually Constrains Behavior

Most organizations have boilerplate statements like “we have low tolerance for cyber risk.” Such statements constrain nothing: no decision is ever blocked by them. Risk appetite must be expressed in terms that bind decisions. For example:

  • “We will not process regulated personal data in SaaS services that do not contractually commit to incident reporting within X hours and full root‑cause transparency.”

  • “We will accept at most N critical third‑party dependencies with direct access to core customer systems, and each must pass independent security due diligence annually.”

Setting appetite this way forces management to confront the denominator problem: every new platform, vendor, or AI service consumes part of a finite risk budget.

2. Scenario‑Based Oversight, Not Static Heatmaps

The breach statistics tell us which scenarios actually happen; governance should mirror that. The ITRC and related 2026 trackers show recurring patterns: ransomware and data theft in healthcare and education, SaaS and CRM breaches, and third‑party system failures.

Boards should agree on three to five named scenarios that are most plausible for their organization based on sector and architecture (e.g., “SaaS CRM breach exposing customer PII,” “ransomware on core production system,” “third‑party file transfer compromise of regulated data”). For each scenario, directors should insist on answers to questions like:

  • What controls are in place today, and which ones do we know work because we have tested them?

  • How would we detect, contain, and communicate this incident over the first 72 hours, and who owns each decision?

  • What is the estimated financial impact (loss of revenue, regulatory fines, remediation costs) and how does that compare to the cost of reducing the likelihood or impact?

This aligns directly with the kind of resilience‑focused expectations NACD and others are now urging boards to adopt.

3. Budget Tied to Attack‑Surface Metrics, Not Tool Count

If the denominator problem is real, then the primary job of investment is to shrink or harden the attack surface — not simply to add more defensive layers.

Boards should require that major cybersecurity investments be linked to specific, measurable changes in exposure, such as:

  • Reducing the number of unmanaged internet‑facing assets (hosts, domains, and services found by external scanning but absent from the asset inventory) by a defined percentage within 12 months, measured against a baseline discovery scan rather than a self‑reported count.

  • Cutting the number of SaaS applications with access to sensitive data by consolidating and decommissioning redundant tools.

  • Lowering the number of high‑risk vendors (as defined by access to critical systems or regulated data) through contract renegotiation and off‑boarding.

This kind of discipline is increasingly echoed in board‑governance commentary, which emphasizes scrutiny of third‑ and fourth‑party exposure, cloud migration risk, and AI‑related vendor risk. It turns cybersecurity spending from a sunk cost into a lever for reducing structural fragility.

A Governance Test for the Next Five Years

The trajectory is clear. The Identity Theft Resource Center’s data shows three consecutive years above 3,000 U.S. breaches and a near‑80% increase in compromises over five years. At the same time, transparency is collapsing, and attackers are focusing on harder‑to‑change personal data.

If we see the same percentage increase between now and 2030 that we saw between 2020 and 2025, would any director be comfortable saying, “Our current governance model did everything reasonably expected of it”?

This is the real question the 3,322‑breach statistic poses to boards in 2026. Not “Are we compliant?” Not “Do we have the right tools?” But: Have we accepted a governance model that makes record‑high breaches the rational, predictable outcome?

Changing that answer will require directors to move beyond comfort‑seeking dashboards and into the harder work of constraining exposure, demanding transparency, and tying money to measurable surface‑area reductions. The numbers will not start to fall until boards start doing that work.


Additional Sources:

From cyber risk to business risk: How CISOs should engage the board in 2026

CNBC: Data breaches climbed to a record high in 2025. How to protect your personal information
