SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Boards underestimate cyber incident impacts, risking USD $2.7m losses

Wed, 15th Oct 2025

A recent report by Willis, part of WTW, has found that corporate boards are underestimating the duration and impact of cyber incidents, with losses that are longer, broader and costlier than many business leaders expect.

The company's Cyber in Focus 2025 report, which analysed 4,650 cyber claims and board-level data, has identified several areas where organisations are consistently misjudging their level of preparedness and risk.

Ransomware downtime underestimated

The report identifies revenue loss from downtime as a major risk that boards misjudge. While corporate leaders expect ransomware outages to last only a few days, claims data reveals that the median downtime for these attacks is 24 days. The average ransomware loss is reported at USD $2.7 million per incident. Extended periods offline significantly impact revenue, contrary to many boards' initial assumptions.

Vendor risk and reputation

Another finding highlights that while leaders often regard vendor risk as secondary, half of all data breaches begin with third-party suppliers, including managed service providers, SaaS providers, and niche vendors. Weaknesses in liability, audit, and notification clauses with these suppliers are driving up the costs of incidents. Regulators are increasingly demanding documented proof of vendor oversight as part of compliance.

Resilience and readiness

Planned responses to cyber incidents are common, but the report shows only 68% of boards tested their plans within the past year. Insurers and regulators are now requiring organisations to demonstrate that their cyber controls are effective in practice, rather than just existing as statements of policy.

Changing regulations

Regulatory expectations are rising rapidly, particularly in the Asia Pacific region. In Australia and Singapore, recent legal amendments have expanded requirements for cyber security oversight. New frameworks, such as Hong Kong's critical-infrastructure legislation and updates to Australia's Security of Critical Infrastructure laws, are placing greater demand on organisations in terms of governance, incident response, and disclosure. Several other jurisdictions are introducing rules that require prompt disclosure of cyber incidents, similar to those mandated by the United States SEC.

Findings on public companies and new threats

The report also notes that public companies, despite experiencing fewer overall incidents, account for 36% of total global cyber losses. The largest single claim recorded was USD $331 million. The findings additionally reveal that while boards recognise the potential benefits of artificial intelligence, claims data indicates that cyber attackers are already using deepfakes, synthetic identities, and generative malware to commit fraud.

"Boards and senior management must grapple with a complex threat environment as well as expanding regulatory demands, increasing cyber incident losses and heightened cybercrime exposures. These factors require business leaders to develop more joined-up and holistic strategies. Ultimately, regulators, shareholders and stakeholders will expect organisations to adopt cyber risk strategies that encompass security controls, governance frameworks, human factors and technical resilience. Our study indicated that some boards are underestimating these challenges. Insurers are increasingly examining these areas, scrutinising an organisation's foundational cyber hygiene, vendor oversight practices, business continuity planning and incident response testing. In this environment, boards must focus on robust evidence-based strategies that will protect their organisations and avoid market hardships."

This was the perspective shared by Ben DiMarco, Cyber & Technology Industry Leader, Pacific at Willis. DiMarco highlights the increasing scrutiny from insurers, particularly with regard to basic cyber hygiene, oversight of vendors, planning for business continuity, and the testing of incident response strategies.

"Boards often believe cyber risk is contained, but the data proves otherwise. Untested plans, weak vendor contracts, and unclear wordings are exactly where firms lose money, reputation, and regulatory standing. The cost of untested resilience shows up in lost revenue, shareholder disputes, and fines, and it's rising faster than boards expect. Ransomware simulations, vendor analytics, AI governance, and policy optimisation can help bridge the gap between confidence and reality."

Peter Foster, Chairman, Global FINEX Cyber and Cyber Risk Solutions at Willis, made these remarks, pointing to the mismatch between board assurances and the actual outcomes of untested cyber defences. Foster stresses the importance of practical measures such as conducting simulations and adopting analytics tools to address the growing threat.

The Cyber in Focus 2025 report details the need for a more realistic assessment of risks among corporate boards, recommending stronger evidence-based cyber risk strategies to avoid operational and financial consequences from evolving cyber threats.
