Cybersecurity policies are becoming increasingly important in corporate risk management plans.

Over the past few years, thanks in part to regulatory developments, companies have begun to realize that cybersecurity is not just a technical issue, but one that cuts across all divisions. The establishment of legal responsibilities for company directors and officers has led boards of directors, entrepreneurs, and CEOs to approach this challenging topic, with mixed results. The "Global Cyber Directors and Officers Survey 2025," conducted by Willis Global FINEX, provides a detailed analysis of the perceptions and strategies adopted by business leaders, demonstrating how their approach differs from that of cybersecurity experts.

This study, based on responses from directors, executives, and risk managers globally, offers an overview of the distribution of companies surveyed by type, revenue, and sector, with a strong representation of for-profit companies, both privately held (56%) and publicly traded (32%). The services, transportation, and retail sectors, as well as finance and insurance, constitute the largest share of respondents. A third of the companies surveyed have a turnover of up to $30 million, a third have a turnover between $30 million and $1 billion, and the final third have a turnover of over $1 billion.

One of the report's key findings confirms that cybersecurity risks continue to be a source of significant anxiety for organizational leaders. Specifically, data loss and cyberattacks were identified as two of the top three concerns, ranking alongside, and sometimes surpassing, occupational health and safety. This consistent ranking at the top demonstrates the severity and potential impact of such events, both financially and on organizational reputation.

Digging deeper into these concerns, interesting distinctions emerge at the geographic and sector levels. From a regional perspective, cyberattacks and/or data loss ranked among the top three threats in seven of the eight regions surveyed. For example, Great Britain ranked cyberattacks as the number one risk, while North America and the Middle East ranked data loss as their top concern. Notably, Africa was the only region where neither cyberattacks nor data loss ranked among the top three risks.

From an industry perspective, cyberattacks and/or data loss ranked among the top three risks across all sectors. These risks were particularly prominent in the finance and insurance, services, transportation, and retail industries; in the energy and utilities sector, unlike the previous year, data loss now ranks among the top seven risks. These trends underscore how the cyber threat is cross-cutting and pervasive, adapting to the specificities of each operational context.

When it comes to specific risks related to cyber exposure, the report highlights that respondents are most concerned about phishing attacks and social engineering, ransomware, and weaknesses in cybersecurity systems and controls. The choice of these three types of threats reveals how limited real cybersecurity knowledge still is among managers. Indeed, given the current incident landscape, attention should primarily focus on limiting vulnerabilities in the supply chain, tightly governing the use of artificial intelligence, and identifying risks associated with new technologies. Yet all of these items rank far lower in the survey. This may indicate a distorted perception of the reality of losses incurred and highlights the importance of having highly skilled cybersecurity personnel capable of properly managing threats despite the somewhat confusing input that may come from management.
ilsole24ore