At New York Tech Week 2025, cybersecurity took the spotlight. Fenwick partner Jon Lenzner sat down with Bryan Vorndran—former assistant director of the FBI’s Cyber Division—to unpack what early-stage companies, investors, and even regulators need to know about the rapidly evolving cyber landscape. From AI-generated deepfakes to third-party vulnerabilities, here’s what stood out.
1. Start Your FBI Relationship Before You Need It
Vorndran’s biggest piece of advice for startups? Don’t wait until you’re under attack. Reach out to your local FBI field office now. Establishing trust before a crisis opens the door to faster response times—and a better understanding of threats targeting your IP.
This isn’t just about protection. It’s a two-way street: the FBI gains visibility into emerging tech, and companies gain access to government intelligence that could be critical to safeguarding core assets.
2. The Cyber Threat Landscape: Four Countries, Four Agendas
Vorndran broke down the distinct motives and tactics of the “Big Four” nation-state actors.
Each country requires a tailored defense strategy—and early awareness is key.
3. Forget the Flash—Focus on Fundamentals
In a crowded cybersecurity market full of vendors promising silver bullets, Vorndran urged startups to stick with the basics: encrypted backups, solid password management, employee training, and vulnerability prioritization.
Expensive tools are meaningless without operational security hygiene. Startups often overspend on products and overlook the foundational practices that actually keep systems safe.
4. AI: A Double-Edged Sword
AI is transforming both cyber offense and defense. On the plus side, it can help identify synthetic content like deepfakes. But it’s also fueling a surge in social engineering—empowering unsophisticated actors to launch highly convincing attacks.
Vorndran predicted that by next year, “90% of all new code will be written by AI,” making it even easier to generate phishing emails, fake CFO voice notes, and AI-generated videos instructing fraudulent wire transfers.
5. Third-Party Risk Is a Time Bomb
Third-party vendors—especially smaller ones with looser security—are now one of the biggest exposure points in any system. A weak link in your supply chain can be all it takes for attackers to access the crown jewels.
This is especially dangerous in interconnected business environments where static credentials are reused across systems. Add foreign ownership of U.S. infrastructure into the mix, and the risks compound quickly.
6. Government Contracts? Know the Playbook
For startups hoping to work with federal agencies, Vorndran emphasized the importance of understanding FedRAMP compliance and differentiating your product in a crowded field.
Also on the horizon: new rules under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which will require companies to report material cyber incidents to DHS within 72 hours starting in September 2025. Founders and investors should start preparing now.
7. Rethinking Public-Private Partnerships
Government-private collaboration remains essential—but Vorndran believes the current model needs to evolve. Private companies often have better visibility into real-time threats than public agencies. The future of cybersecurity depends on building smarter, more efficient channels of collaboration that combine both defensive and offensive strategies.