Press Release

Boards risk costly cyber exposure as confidence outpaces preparedness, according to Willis report

October 15, 2025


HONG KONG, October 15, 2025 — According to Willis, a WTW business (NASDAQ:WTW), corporate boards often express confidence in their cyber readiness. Yet recent high-profile cyber events show how fragile that confidence can be when tested. Willis’s new Cyber in Focus 2025 report, based on 4,650 cyber claims and board-level data, reveals the same story: losses are longer, broader and costlier than leaders expect.

The report, launched during Cyber Security Awareness Month, focuses on four areas boards consistently misjudge:

  • Revenue (downtime): Boards assume ransomware outages last days; claims data shows a median 24-day outage and an average ransomware loss of US$2.7M. Every week offline means lost revenue.
  • Reputation (vendor risk): Leaders often view vendor risk as secondary, yet 50% of data breaches start with suppliers (MSPs, SaaS, niche vendors). Weak liability, audit, and notification clauses drive cost; regulators increasingly expect proof of vendor oversight.
  • Resilience (tested readiness): Most boards report having a plan, but only 68% tested it in the past year. Regulators and insurers are looking for evidence that controls work in practice, not policy statements alone.
  • Regulation (rising accountability): In Asia Pacific (APAC), the Australian Cyber Security Act and Singapore’s Cybersecurity Act amendments have expanded oversight of regulatory measures to address evolving cyber threats. Emerging frameworks, including new critical-infrastructure legislation in Hong Kong, are also raising expectations on governance, incident response, and disclosure.

Insurers are signalling greater scrutiny of critical infrastructure exposures, with resilience testing and regulatory preparedness being part of insurance renewal discussions. Boards that can evidence controls and rehearsal will secure more favourable terms and market confidence. Those that delay risk being caught short as regulation and risk converge.

Additional findings include:

  • Public companies account for 36% of total losses globally despite fewer incidents.
  • The largest single claim reached US$331M.
  • Boards highlight AI’s upside, but claims already show deepfakes, synthetic IDs, and generative malware being used to commit fraud.

Carlos Grijalva, Cyber Leader, Hong Kong and Greater China, Willis, said: “Cyber risk in Hong Kong and Greater China is entering a new phase, with regulation set to reshape board accountability. The new Cybersecurity and Infrastructure Bill, coming into force in January 2026, will require operations in key sectors such as finance, energy, telecoms, healthcare and transport to meet mandatory standards, report incidents and designate responsible officers for cyber risk.

“Although Boardroom confidence remains high, our combined claims and data tell a different story. Vendor-triggered breaches continue to cause long recovery periods, while ransomware is driving mounting operational and financial losses. Against this backdrop, the new Bill raises the stakes, making prevention, testing and governance matters of compliance and not just best practice.”

Peter Foster, Chairman, Global FINEX Cyber and Cyber Risk Solutions, Willis, said: “Boards often believe cyber risk is contained, but the data proves otherwise. Untested plans, weak vendor contracts, and unclear wordings are exactly where firms lose money, reputation, and regulatory standing. The cost of untested resilience shows up in lost revenue, shareholder disputes, and fines and it’s rising faster than boards expect. Ransomware simulations, vendor analytics, AI governance, and policy optimisation can help bridge the gap between confidence and reality.”

About WTW

At WTW (NASDAQ: WTW), we provide data-driven, insight-led solutions in the areas of people, risk and capital. Leveraging the global view and local expertise of our colleagues serving 140 countries and markets, we help organizations sharpen their strategy, enhance organizational resilience, motivate their workforce and maximize performance.

Working shoulder to shoulder with our clients, we uncover opportunities for sustainable success—and provide perspective that moves you.
