Executives Underestimate Cyberattack Costs, Willis Warns in 2025 Report


Corporate leaders continue to underestimate the real cost of cyberattacks. The incident response data tells a painful and expensive story. In Willis’ new Cyber in Focus 2025 report, costs hit staggering heights, betraying a disconnect between perceived cyber readiness and actual cyber resilience:

  • One claim reached US$331 million.
  • Median ransomware downtime lasted 24 days.
  • Average ransomware loss totaled US$2.7 million.

Despite these figures, many executives still express confidence in their cyber readiness. The report’s findings show that such optimism is misplaced and expensive. Remember the Titanic!

Boards’ Confidence vs. Cybersecurity Incident Reality

Willis analyzed 4,650 cyber claims and board-level data across multiple sectors. The result: boards routinely misjudge four key exposures: revenue, vendor risk, tested readiness, and regulatory compliance.

“Boards often believe cyber risk is contained, but the data proves otherwise,” said Peter Foster, Chairman of Global FINEX Cyber and Cyber Risk Solutions at Willis. “Untested plans, weak vendor contracts, and unclear wordings are exactly where firms lose money, reputation, and regulatory standing.”

Revenue Losses Stretch into the Millions

Boards tend to assume ransomware outages last days. In reality, the median interruption in the claims data is 24 days, nearly a month.

Every day a company is unable to do business drives up revenue loss, increases customer churn, and drains reserves. The report puts the average ransomware claim at about US$2.7 million, with the largest single claim in the dataset reaching US$331 million.

As Foster put it, “The cost of untested resilience shows up in lost revenue, shareholder disputes, and fines, and it’s rising faster than boards expect.”

Vendor Weakness Behind Half of Breaches

Roughly 50% of breaches begin with third-party vendors such as MSPs, SaaS providers, and niche suppliers. Weak liability, audit, and notification clauses amplify exposure.


Regulators now demand proof of vendor oversight. Inadequate evidence can lead to increased fines and trigger shareholder actions. The report urges boards to treat vendor management as a strategic defense, not a procurement formality.

Readiness Without Testing Is Not Readiness

Most boards report having an incident response plan, but only 68% tested it within the last year. Plans that remain untested under pressure often fail when it counts.

Insurers and regulators no longer accept policies alone as proof of resilience. Evidence of functioning controls, including simulations, drills, and scenario testing, is now essential to maintain coverage and reduce premiums.

Regulation Tightens Globally

Governments are expanding accountability frameworks. The report highlights the rising scrutiny under the EU AI Act, new US state data laws, and critical infrastructure regulations in Hong Kong.

These frameworks demand greater board-level involvement in incident response, disclosure, and AI governance. Boards must demonstrate governance, not simply declare it.

Public Companies Shoulder the Heaviest Burden

Publicly held firms accounted for 36% of total cyber losses despite experiencing fewer overall incidents. Their exposure stems from complex operations, broad attack surfaces, and investor scrutiny.

One unnamed organization suffered a US$331 million event, the report’s largest single claim. Market reaction was swift, eroding shareholder confidence and highlighting the real-world impact of cyber exposure.


AI: Friend and Foe

The report finds boards excited about AI’s benefits but less prepared for its dangers. Claims now include incidents involving deepfakes, synthetic identities, and generative malware used to commit fraud.


AI tools have become both a shield and a weapon. Willis recommends building AI governance frameworks into risk and insurance strategies to prevent technology from becoming a liability.

Cyber Insurance: Protection Gaps Emerge

Cyber insurance remains a critical safeguard, but underwriters are tightening conditions. Firms without tested response plans face higher premiums or restricted coverage.

The report calls for policy optimization, aligning cyber insurance coverage with operational controls. Ransomware simulations, vendor analytics, and governance audits can improve insurability and reduce claim disputes.

Lessons from Cybersecurity Incident Claims Data

Real-world cases from the report reveal the financial shock of unpreparedness:

  • Manufacturer ransomware: backups failed to restore quickly, resulting in losses exceeding US$80 million.
  • Data breach: class actions and PR costs pushed the total past US$300 million.
  • Vendor outage: contract gaps left a company with US$45 million in losses.
  • Deepfake fraud: a convincing “CEO” video led to a US$2.1 million payment.

These examples reinforce the central message. Cyberattacks are costly because companies assume they are ready when they are not.


A Call for Real Resilience

Willis urges organizations to make resilience measurable and provable. “Ransomware simulations, vendor analytics, AI governance, and policy optimization can help bridge the gap between perception and reality,” said Foster.

Boards must move from confidence to competence and from assumption to verification. Cyber resilience is no longer a checkbox; it is a balance-sheet necessity.
