Boards misjudge cyber risk, claims data suggests

Boards may often express confidence in their cyber readiness but recent high-profile incidents show how fragile that assurance can be under pressure. According to Willis’s Cyber in Focus 2025 report, based on 4,650 cyber claims, losses tend to be longer, broader and costlier than many leaders expect.

The report identifies four areas where boards regularly misjudge risk. The first is revenue loss from downtime: many boards assume a ransomware outage lasts days, but the claims data shows a median outage of 24 days, with an average ransomware loss of around £2.2m.

Further, boards often treat vendor exposure as secondary – yet around half of breaches originate via suppliers, and weak audit, liability or notification clauses can escalate costs.

When it comes to overall resilience, most boards claim to have cyber response plans but only 68% report having tested them in the past year.

Finally, on regulation, rising accountability under evolving frameworks – including the EU AI Act, new US state rules and forthcoming critical-infrastructure laws in Hong Kong – is raising expectations on governance, incident response and disclosure.

Peter Foster, chairman, global FINEX cyber and cyber risk solutions at Willis, said: “Boards often believe cyber risk is contained, but the data proves otherwise. Untested plans, weak vendor contracts, and unclear wordings are exactly where firms lose money, reputation, and regulatory standing. The cost of untested resilience shows up in lost revenue, shareholder disputes, and fines, and it’s rising faster than boards expect. Ransomware simulations, vendor analytics, AI governance, and policy optimisation can help bridge the gap between perception and reality.”

The report also cites a single largest claim reaching around £270m. Its authors argue that while boards often highlight AI’s upside, claims already show use of deepfakes, synthetic IDs and generative malware in fraud. Other findings include that publicly-held companies account for 36% of total losses, despite having fewer incidents overall.
