Willis: cyber confidence outpaces reality as losses deepen

Corporate boards often express confidence in their cyber readiness - yet recent high profile cyber events show how fragile that confidence can be when tested, according to a new report by Willis. 

Willis’s new Cyber in Focus 2025 report, based on 4,650 cyber claims and board-level data, reveals the same story: losses are longer, broader and costlier than leaders expect.

The report, launched during Cyber Security Awareness Month, focuses on four areas boards consistently misjudge:

• Revenue (downtime): Boards assume ransomware outages last days; claims data shows a median 24-day outage and an average ransomware loss of $2.7 million. Every week offline means lost revenue.

• Reputation (vendor risk): Leaders often view vendor risk as secondary, yet ~50% of breaches start with suppliers (MSPs, SaaS, niche vendors). Weak liability, audit, and notification clauses drive cost; regulators increasingly expect proof of vendor oversight.

• Resilience (tested readiness): Most boards report having a plan, but only 68% tested it in the past year. Regulators and insurers are looking for evidence that controls work in practice, not policy statements alone.

• Regulation (rising accountability): Emerging frameworks, including the EU AI Act, evolving US state rules, and new critical-infrastructure legislation in Hong Kong are raising expectations on governance, incident response, and disclosure.

Additional findings include:

• Publicly-held companies account for 36% of total losses despite fewer incidents.

• The largest single claim reached $331 million; Boards highlight AI’s upside, but claims already show deepfakes, synthetic IDs, and generative malware being used to commit fraud.

Peter Foster, chairman, Global FINEX Cyber and Cyber Risk Solutions, Willis, said: “Boards often believe cyber risk is contained, but the data proves otherwise. Untested plans, weak vendor contracts, and unclear wordings are exactly where firms lose money, reputation, and regulatory standing. The cost of untested resilience shows up in lost revenue, shareholder disputes, and fines and it’s rising faster than boards expect. Ransomware simulations, vendor analytics, AI governance, and policy optimisation can help bridge the gap between perception and reality.”

Did you get value from this story?  Sign up to our free daily newsletters and get stories like this sent straight to your inbox.