Digital Economy

Cybersecurity policies become increasingly important in corporate risk management plans

by Giancarlo Calzetta

4' min read

Translated by AI

Over the last few years, thanks in part to regulatory developments, companies have begun to realise that IT security is not just a technical issue, but one that cuts across all divisions. The establishment of legal responsibilities for corporate directors and managers has led boards of directors, entrepreneurs and general managers to approach this difficult topic, with mixed results. The 'Global Cyber Directors and Officers Survey 2025', conducted by Willis Global FINEX, provides a detailed analysis of the perceptions and strategies adopted by business leaders, showing how their approach differs from that of cybersecurity experts. This study, based on responses from directors, executives and risk managers globally, provides insight into the distribution of companies surveyed by type, turnover and sector, with a strong representation of for-profit companies, both private (56%) and listed (32%). The service, transport and retail sectors, as well as finance and insurance, make up the largest share of respondents. One third of the companies involved have a turnover of up to $30m, one third have a turnover of between $30m and $1bn and the final third have a turnover of over $1bn.

Primary Concerns: Cyber at the centre of attention

One of the most significant findings of the report is the confirmation that cyber security risks continue to be a major source of anxiety for senior figures in organisations. In particular, data loss and cyber attacks were identified as two of the top three concerns, ranking alongside, and sometimes surpassing in importance, occupational health and safety. This consistent ranking at the top demonstrates the seriousness and potential impact of such events, both financially and reputationally.

Analysing these concerns in more depth, interesting distinctions emerge on a geographical and sectoral level. From a regional perspective, cyber attacks and/or data loss consistently ranked among the top three threats in seven of the eight regions surveyed. For example, Great Britain ranked cyber attack as the number one risk, while North America and the Middle East saw data loss as their top concern. It is noteworthy that Africa was the only region where neither cyber attack nor data loss figured in the top three risks.

From an industry perspective, cyber attacks and/or data loss were ranked among the top three risks in all sectors. For the financial and insurance industry, services, transport and retail, these risks were particularly salient; in the energy and utilities sector, in contrast to the previous year, data loss now features among the top seven risks. These trends underline how the cyber threat is cross-cutting and pervasive, adapting to the specificities of each operational context.

When it comes to specific risks related to cyber exposure, the report shows that respondents are most concerned about phishing attacks and social engineering, ransomware, and weaknesses in cybersecurity systems and controls. These three types of threats reveal how little real knowledge of cybersecurity still exists among managers. In fact, given the current incident environment, the focus should mostly be on limiting vulnerabilities in the supply chain, tightly governing the use of artificial intelligence, and documenting the risks related to new technologies. All of these are, instead, very low on the list. This may indicate a distorted perception of the reality of the losses incurred and underlines the importance of having very competent cybersecurity personnel, capable of handling threats correctly despite the somewhat confusing input that may come from management.

Organisational Response: Strategies and Preparation

In the face of these threats, organisations are not sitting on their hands. The report reveals that the vast majority of respondents (80%) have implemented a cyber incident response plan. This is something that ALL companies should do and that underpins business resilience, yet it was extremely rare until a few years ago. In addition, over two-thirds have conducted an incident response exercise in the last twelve months. This level of preparedness is a key factor contributing to a significant increase in organisations that feel well prepared to effectively manage a cyber incident (65% in 2025 compared to 56% in 2024). Larger companies in particular show greater confidence in their preparedness.

The role of leadership is indisputable in this context. The board of directors, CEO and senior leadership teams continue to play a central role in sponsoring and overseeing the organisation's cyber risk strategy. However, the report also notes a growing involvement of figures outside senior leadership, such as Chief Information Security Officers (CISOs), suggesting an increasing need to involve both strategic and technical stakeholders for more effective cyber risk management. Interesting regional variations emerge, with Latin America and the Middle East showing significantly higher involvement of the IT department in overseeing cyber risk strategy.

In terms of resource allocation, cybersecurity budgets are set to increase in 2025, albeit less than in the previous year (56% in 2025 versus 63% in 2024). Despite this, managers feel increasingly informed about their cybersecurity budgets and initiatives affecting risk levels.

The Role of Cyber Insurance

Cyber insurance remains a very important piece of the cyber risk management strategy for most respondents. More than half of organisations (53%) already have cyber insurance cover in place, and a further 38% plan to purchase it in the next two years. The dominant trend is to purchase a stand-alone cyber policy rather than cover as part of a combined policy. This highlights the growing importance and specificity of this cover.

Regarding the allocation of the insurance premium, 44% of respondents include it in the cybersecurity budget, while 56% manage it separately. This distinction suggests that cyber insurance is increasingly perceived as an integral, rather than separate, component of an organisation's overall cybersecurity programme.

"Insurance solutions," says Niccolò Campadello, Deputy Team Leader Placement Cyber Crime and Professional Indemnity at WTW, "are playing an increasingly important role: it is estimated that the size of the global cybersecurity insurance market will grow from USD 14 billion in 2023 to USD 29 billion in 2027. In this context, companies are progressively organising themselves to adopt tools to defend themselves against this type of threat, first and foremost thanks to still little-used solutions such as Cyber and Crime policies."
