Willis has released its Cyber in Focus 2025 report, highlighting a disconnect between boardroom confidence in cyber readiness and the realities revealed by recent cyber incidents.
The report, which analyses 4,650 cyber claims and board-level data, indicates that losses from cyber events are often longer in duration, broader in impact, and more expensive than many business leaders anticipate.
The findings identify four key areas where boards frequently misjudge their exposure. On revenue, boards tend to expect ransomware outages to last only a few days, but claims data shows a median outage of 24 days, with the average ransomware loss reaching US$2.7 million. Each additional week offline results in further lost revenue.
In terms of reputation, the report notes that nearly 50% of breaches originate with external suppliers, such as managed service providers, SaaS platforms, or niche vendors. Weaknesses in liability, audit, and notification clauses can increase costs, and regulators are placing greater emphasis on evidence of vendor oversight.
These findings align with broader industry trends. Allianz Commercial’s Cyber Security Resilience Outlook for 2025 observes that while large organisations have improved their cyber defences and incident response capabilities, the overall risk environment remains complex.
Expanding digital supply chains and increasingly sophisticated social engineering tactics are introducing new vulnerabilities, even as regulatory requirements become more stringent. The frequency of cyber insurance claims has remained steady, but organisations must remain vigilant as the risk landscape continues to evolve.
The need for improved cyber readiness is also echoed in a recent white paper from Insurance Business, which stresses that businesses must keep pace with rapidly evolving cyber threats. The white paper provides a checklist for cyber preparedness and offers guidance on identifying emerging risks and regulatory changes, reinforcing the importance of proactive risk management for both insurance professionals and their clients.
On resilience, Willis finds that while most boards say they have a cyber response plan, only 68% have tested it in the past year. Regulators and insurers are seeking proof that controls are effective in practice, rather than relying solely on policy documentation.
The regulatory landscape is also evolving, with new frameworks such as the EU AI Act, changing US state regulations, and updated critical infrastructure legislation in Hong Kong. These developments are increasing expectations for governance, incident response, and disclosure.
Additional data from the report shows that publicly held companies account for 36% of total losses, despite experiencing fewer incidents. The largest single claim recorded was US$331 million. The report also notes that while boards see potential benefits in artificial intelligence, claims already demonstrate the use of deepfakes, synthetic identities, and generative malware in fraudulent activity.
Peter Foster, chairman, Global FINEX Cyber and Cyber Risk Solutions at Willis, commented, “Boards often believe cyber risk is contained, but the data proves otherwise. Untested plans, weak vendor contracts, and unclear wordings are exactly where firms lose money, reputation, and regulatory standing.”
Foster noted that the cost of untested resilience is reflected in lost revenue, shareholder disputes, and fines, and is increasing more rapidly than many boards expect. He suggested that ransomware simulations, vendor analytics, AI governance, and policy optimisation can help close the gap between perception and reality.