Willis Survey: Cyber Attacks Drop in Director Risk Rankings

Study from WTW business Willis reveals shifting cybersecurity priorities as organisations strengthen incident response and reporting frequency increases

Cyber attacks continue to rise, but company directors and officers now rank incidents lower as a business risk compared to 2024, despite continued high-profile incidents across multiple sectors. 

The latest Cyber Directors’ and Officers’ Survey Report by Willis, a WTW business, shows cyber attack rankings dropped by 2% between 2024 and 2025, even as organisations report improved preparedness and response capabilities.

The survey gathered responses from multiple sectors, with services companies representing 24% of respondents and finance and insurance firms accounting for 19%. More than half of the surveyed organisations operate as for-profit, private companies, providing insight into how cyber risk management has evolved across different business structures.

Regional differences in risk perception emerged from the data. Great Britain stands as the only region to identify cyber attacks, excluding cyber extortion, as the primary risk facing directors and officers. North American and Middle Eastern respondents ranked data loss as their main concern, highlighting how geographic factors influence cyber risk assessment priorities.

Willis survey shows increased board cybersecurity reporting

Board-level cybersecurity reporting has shifted considerably over the past year. The proportion of organisations that only update their boards on cyber security following an incident decreased from 20% in 2024 to 12% in 2025. Monthly cybersecurity updates to boards increased from 18% to 28% during the same period.

This change in reporting frequency coincides with broader organisational shifts in cyber risk management. Respondents indicated increased involvement from officers outside senior leadership ranks, suggesting organisations recognise the need to engage both strategic and technical stakeholders in cyber risk management processes.

Key facts
  • Cyber attack risk rankings dropped 2% between 2024 and 2025, despite continued high-profile incidents across multiple sectors affecting director and officer perceptions.
  • Monthly cybersecurity board updates increased from 18% to 28% of organisations, whilst incident-only reporting decreased from 20% to 12% during the same period.
  • Organisation preparedness levels improved from 56% to 65%, with 80% implementing incident response plans and two thirds completing response exercises within 12 months.

The survey data shows 80% of respondents have implemented cyber incident response plans. More than two thirds of these organisations completed incident response exercises within the past 12 months, the report found, indicating a proactive approach to testing and refining response capabilities.

Preparation levels have improved across the surveyed organisations. In 2025, 65% of respondents report feeling well prepared to manage cyber incidents effectively, compared with 56% in 2024. This increase in confidence aligns with the expanded incident response planning and testing activities reported by survey participants.

WTW data reveals cybersecurity budget and insurance trends

Cybersecurity budget allocations continue to increase, though at a slower pace than the previous year. In 2025, 56% of respondents indicated their cyber security budgets would increase, compared with 63% in 2024. This moderation in budget growth occurs alongside improved preparedness levels and expanded response capabilities.

Cyber insurance adoption remains a key component of risk management strategies. More than half of respondents, 53%, have cyber insurance policies in place. An additional 18% say they plan to purchase cyber insurance within the next two years, indicating continued recognition of insurance as a risk transfer mechanism.

Cybersecurity risks ranked as the most important aspect of directors’ and officers’ liability insurance coverage among survey participants. This ranking reflects the integration of cyber risk considerations into broader corporate governance and liability frameworks.

The survey encompasses organisations across different revenue brackets, with 33% reporting revenues between $0 and $50m, and another 33% generating revenues between $50m and $1bn. For-profit, private companies account for 56% of respondents, whilst for-profit, listed companies represent 32% of participants.

Adrian Ruiz, Head of FINEX GB Cyber & TMT at WTW, explains the importance of comprehensive cyber risk strategies. “Building a strong cyber security culture that engages all levels of the organisation is critical to managing today’s evolving threats,” he says. “From investing wisely in training and technology to regularly testing response plans, businesses must take a proactive, strategic approach to cyber risk.

“The survey highlights the importance of staying informed and adapting in an increasingly complex digital landscape,” Adrian says.
