TOP STORY

The Director's Cut: Firewall Vulnerability Demands Urgent Action

Rob Sloan

Contributor

Zscaler

Nov 4, 2025

Board-level cyber risks requiring oversight: nation-state exploitation of Cisco ASA flaws, updated NYDFS third-party risk guidance, navigating Windows 10 end-of-life, and governance challenges tied to AI adoption.

Nation-state actors are actively scanning for and exploiting security vulnerabilities in widely deployed Cisco ASA devices, affecting businesses and governments alike, according to the cybersecurity news website The Record. The devices integrate multiple security capabilities into a single appliance, including firewall protection, intrusion prevention, and VPNs, making them an attractive target for attackers seeking to manipulate or bypass corporate defenses.

Firewall compromises bypass perimeter defenses entirely, exposing sensitive data, disrupting operations, and eroding trust with stakeholders. One nation-state group, ‘Storm-1849’, was observed exploiting the devices and is known to regularly target financial services, defense contractors, and government entities.

Firewalls and VPNs remain core components of many network architectures, but their inherent vulnerabilities make them attractive targets for attackers. This issue is not unique to any specific vendor, but is a broader challenge of traditional perimeter technology. In contrast, a modern zero trust approach eliminates reliance on static perimeter tools by continuously validating access, and represents a more resilient alternative to traditional defenses.

For directors, the stakes are clear: Unpatched firewalls or ineffective perimeter defenses significantly increase the risk of ransomware, data theft, or long-term espionage. With firewall products so widely deployed, every director should challenge their organizations to assess their exposure and mitigate these specific vulnerabilities while evaluating strategies to transition toward architectures that better align with today’s dynamic risks.

Questions Directors Should Ask Management

  • Has management conducted a thorough audit of Cisco ASA firewalls and have those identified been patched to mitigate these vulnerabilities?
  • What key learnings have we applied from recent cyber incidents involving firewalls or VPN infrastructure either within our peer network or externally, and how are these lessons informing our next steps?
  • Is there a roadmap to future-proof our security architecture by transitioning away from VPNs and perimeter-based defenses toward systems like zero trust, and what measurable milestones have been set?

On The Radar

NYDFS Ups Vendor Oversight to Counter Supply-Chain Attacks

The New York State Department of Financial Services (NYDFS) has issued updated guidance on third-party risk management to strengthen oversight of vendors across banks and insurers. This move responds to a surge in supply-chain attacks targeting service providers that handle nonpublic information and critical operations. Indirect vendor risks can cripple businesses despite robust internal defenses.

The updated guidance highlights vendor risk management requirements already outlined in the Part 500 Cybersecurity Rules, placing renewed emphasis on due diligence, contractual controls, and continuous oversight. Covered entities are now required to classify vendors based on risk profile, enforce contract terms guaranteeing breach notification, audit rights, and data encryption, and continuously monitor vendor security rather than relying on static, point-in-time reviews.

For directors of businesses regulated by NYDFS:

  • What specific enhancements have been made to our vendor risk management program to align with NYDFS guidance, and how are we verifying third-party compliance with security obligations?

For all directors:

  • How are we incorporating insights from regulatory guidance like NYDFS into our third-party risk management strategy, and what actions are we taking to enhance supply chain security across key vendor relationships?

Microsoft Ends Support for Windows 10: Urgent Migration Needed

Microsoft has officially ended support for Windows 10, a widely used operating system employed by millions globally, including in business and government environments. As of October 14, 2025, no further security updates, bug fixes, or technical support will be provided.

The implications are significant: unpatched systems present a tempting target for cybercriminals and nation-state actors, who are likely to exploit new weaknesses that remain indefinitely unaddressed. Outdated systems also open organizations to compliance violations under frameworks like HIPAA and PCI DSS.

Question Directors Should Ask Management:

  • What is our timeline for fully migrating systems off Windows 10, and how are we identifying and mitigating risks in shadow IT or OT environments using unsupported OS?

AI Risk Disclosures Rise in the S&P 500: Governance and Oversight Challenges

AI is now a material enterprise risk, cited by 72% of S&P 500 companies in recent SEC filings, up dramatically from just 12% in 2023. A recent report by The Conference Board highlights concerns around reputation, cybersecurity, regulatory compliance, and emerging vulnerabilities as AI adoption accelerates.

Boards must adopt robust oversight practices for AI-specific risks, including bias testing, exposure monitoring, and regulatory compliance under evolving frameworks such as the EU AI Act. To demonstrate proactive governance, directors must integrate AI oversight into risk frameworks, anticipate regulatory divergence, and establish KPIs for mitigation. Failure to address these risks could lead to reputational damage, operational disruption, or penalties from non-compliance.

Question Directors Should Ask Management:

  • How are we embedding AI-specific risks, including bias, cybersecurity, and regulatory exposure, into our enterprise risk frameworks, and how are we disclosing those risks to investors?

***

Zscaler is a proud partner of NACD’s Northern California and Research Triangle chapters. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email Rob Sloan (rsloan[@]zscaler.com), VP Cybersecurity Advocacy at Zscaler, to learn more.
