Cyber-attacks and data loss top D&O risk list, says Willis survey

Data loss and cyber-attacks have been identified as two of the top three risks to directors and officers, according to the latest Cyber Directors’ and Officers’ Survey Report by Willis.

The survey gathered responses from a range of sectors, including the services sector (24%) and finance and insurance (19%), with more than half representing for-profit, private companies. Among those surveyed, Great Britain was the only region to identify cyber-attacks (excluding cyber extortion) as the top risk. In contrast, respondents from North America and the Middle East ranked data loss as their primary concern.

Despite growing awareness of cyber-attacks and recent high-profile incidents, the risk ranking for cyber-attacks reduced by 2% between 2024 and 2025. The remainder of the survey explores potential reasons behind this change.

According to Willis the key points of the report are as follows:

• Frequency of cybersecurity updates: The survey found that the frequency of updates to boards on cyber security shifted. Last year, the survey illustrated that 20% of respondents only updated their board in response to an incident, which has decreased to 12% in 2025. The number of respondents who update their board on cyber security monthly increased from 18% to 28% between 2024-2025

• Sponsorship trends: Respondents indicated an increased involvement from an officer outside of senior leadership, which suggested a need to engage both strategic and technical stakeholders to manage cyber risk most effectively

• Incident response: 80% of respondents indicated that they have put a cyber incident response in place, with more than two thirds indicating that they have completed an incident response exercise in the past 12 months

• Preparation: 65% of respondents feel they are well prepared to manage a cyber incident effectively (compared with 56% in 2024)

• Cyber risk strategy budget: Respondents indicated that cyber security budgets will continue to increase in 2025 but to a lesser extent than 2024 (56% versus 63% respectively)

• Cyber insurance: Cybersecurity risks were ranked as the most important aspect of directors’ and officers’ liability insurance coverage. More than half of respondents (53%) indicated that they have cyber insurance in place, with a further 18% planning to purchase it in the next two years.

Adrian Ruiz, head of FINEX GB Cyber & TMT, WTW, said: “Building a strong cyber security culture that engages all levels of the organisation is critical to managing today’s evolving threats. From investing wisely in training and technology to regularly testing response plans, businesses must take a proactive, strategic approach to cyber risk. The survey highlights the importance of staying informed and adapting in an increasingly complex digital landscape.”

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.