Corporate boards express confidence in their cyber readiness, yet board-level data tells a different story, showing that losses are longer, broader, and costlier than leaders expect, according to a recent report by Willis, a WTW business.

The report emphasised that although boards are confident about their cyber resilience, the data reveals a different reality, and recent high-profile cyber events show that preparedness often lags behind that confidence.
Boards tend to assume ransomware outages last only a few days, whereas claims data shows a median outage of 24 days, with average losses of $2.7 million. Three weeks offline can cripple cash flow and reputation, with each additional week resulting in lost revenue and increased regulatory scrutiny.
Leaders also often view supplier risk as secondary, yet the report found that roughly 50% of breaches start with suppliers or contractors. Willis noted that a weak supplier can shut down operations, emphasising that strengthening vendor due diligence now is far cheaper than paying for a breach later.
While most boards report having incident plans, only 68% have tested them in the past year. Untested controls increase the risk of penalties, lawsuits, and loss of insurance coverage. Rehearsing controls now is far less costly than failing under inspection.
In terms of regulation, boards often believe that meeting disclosure rules is enough. However, regulators and insurers increasingly demand proof that controls work in practice, not just policy statements, and regulators are fining firms that cannot demonstrate this.
Boards also tend to assume that only CFOs and finance teams are targets, yet attacks are increasingly hitting HR, payroll, and tax teams as well, with deepfakes and synthetic IDs bypassing traditional controls.
The report also revealed that AI-enabled scams and deepfakes are already causing multimillion-dollar losses, highlighting the need for organisations to assess AI-related exposures and integrate controls into fraud-prevention programs.
Other findings include publicly held companies accounting for 36% of total losses despite fewer incidents, and the largest single claim reaching $331 million.
Peter Foster, Chairman, Global FINEX Cyber and Cyber Risk Solutions at Willis, said, “Boards often believe cyber risk is contained, but the data proves otherwise. Untested plans, weak vendor contracts, and unclear wordings are exactly where firms lose money, reputation, and regulatory standing. The cost of untested resilience shows up in lost revenue, shareholder disputes, and fines, and it’s rising faster than boards expect. Ransomware simulations, vendor analytics, AI governance, and policy optimization can help bridge the gap between perception and reality.”