Willis Survey Shows Cyber Risk Perception Drops in Boardroom

Board-level cybersecurity reporting has shifted considerably over the past year, finds WTW research. Pic: Getty Images
Directors report improved preparedness capabilities despite continued high-profile incidents across financial services and other sectors

Directors and officers across financial services and other sectors have reduced their assessment of cyber attack risks by 2% between 2024 and 2025, according to new research from Willis, a WTW business.

The Cyber Directors' and Officers' Survey Report reveals this decline in risk perception occurs alongside rising cyber attack volumes and continued high-profile incidents across multiple sectors.

The survey captured responses from organisations across various industries, with finance and insurance firms accounting for 19% of participants. Services companies represented 24% of respondents. More than half of surveyed organisations operate as for-profit, private companies.

Regional variations emerged in risk assessment priorities. Great Britain identifies cyber attacks, excluding cyber extortion, as the primary risk facing directors and officers. North American and Middle Eastern respondents ranked data loss as their main concern.

Board reporting frequency increases

Board-level cybersecurity reporting patterns have shifted over the past year. Organisations that only update boards on cyber security following incidents decreased from 20% in 2024 to 12% in 2025.

Monthly cybersecurity updates to boards increased from 18% to 28% during the same period. This change coincides with broader organisational shifts in cyber risk management approaches.

Survey respondents indicated increased involvement from officers outside senior leadership ranks. This suggests organisations recognise the need to engage both strategic and technical stakeholders in cyber risk management processes.

Key facts
  • Cyber attack risk rankings dropped 2% between 2024 and 2025, despite continued high-profile incidents across multiple sectors affecting director and officer perceptions.
  • Monthly cybersecurity board updates increased from 18% to 28% of organisations, whilst incident-only reporting decreased from 20% to 12% during the same period.
  • Organisation preparedness levels improved from 56% to 65%, with 80% implementing incident response plans and two thirds completing response exercises within 12 months.

Incident response planning shows widespread adoption across surveyed organisations. The data reveals 80% of respondents have implemented cyber incident response plans. More than two thirds of these organisations completed incident response exercises within the past 12 months.

Preparation levels have improved across surveyed organisations. In 2025, 65% of respondents report feeling well prepared to manage cyber incidents effectively, compared with 56% in 2024. This increase in confidence aligns with expanded incident response planning and testing activities.

Budget growth moderates as insurance adoption continues

Cybersecurity budget allocations continue to increase, though at a slower pace than the previous year. In 2025, 56% of respondents indicated their cyber security budgets would increase, compared with 63% in 2024.

This moderation in budget growth occurs alongside improved preparedness levels and expanded response capabilities across surveyed organisations.

Cyber insurance adoption remains a component of risk management strategies. More than half of respondents, 53%, have cyber insurance policies in place. An additional 18% plan to purchase cyber insurance within the next two years.

Cybersecurity risks ranked as the most important aspect of directors' and officers' liability insurance coverage among survey participants. This ranking reflects the integration of cyber risk considerations into broader corporate governance and liability frameworks.

Financial sector representation

The survey encompasses organisations across different revenue brackets. Companies with revenues between £0 and £50m account for 33% of participants, whilst another 33% generate revenues between £50m and £1bn.

For-profit, private companies account for 56% of respondents. For-profit, listed companies represent 32% of participants, providing insight into how cyber risk management approaches vary across different business structures.

The financial services sector's representation in the survey reflects the industry's focus on cyber risk management as regulatory requirements continue to evolve. Finance and insurance firms face particular scrutiny regarding data protection and operational resilience.

Investment in training and technology remains a priority for organisations seeking to strengthen their cybersecurity posture. Regular testing of response plans has become standard practice among surveyed companies.

The integration of cyber risk considerations into broader corporate governance frameworks demonstrates the evolution of risk management approaches across sectors. Directors and officers increasingly view cyber security as a strategic business consideration rather than a purely technical concern.

Organisations continue to adapt their approaches to cyber risk management as threats evolve and regulatory requirements develop. The survey data suggests confidence in preparedness has grown even as attack volumes continue to rise.

"Building a strong cybersecurity culture that engages all levels of the organisation is critical to managing today's evolving threats," says Adrian Ruiz, Head of FINEX GB Cyber & TMT at WTW.

"From investing wisely in training and technology to regularly testing response plans, businesses must take a proactive, strategic approach to cyber risk. The survey highlights the importance of staying informed and adapting in an increasingly complex digital landscape."
