Willis warns boards over cyber cost misconceptions
Willis has urged companies to improve their cyber-readiness after a study revealed consistent overconfidence and misunderstanding of key risks among corporate boards.
The international broker says its Cyber in Focus report spotlights “clear evidence” that boards underestimate the length, cost and extent of cyber events.
The study – examining 4650 cyber claims that racked up about $US655 million ($1 billion) of insured losses – featured responses from boards that assumed cyber outages lasted a few days; data shows the median outage is 24 days.
Vendor risk was also underestimated, despite 50% of data breaches starting with suppliers and recent regulatory changes – including in Australia – cracking down on company accountability.
While most surveyed companies had a cyber event response plan, only two-thirds had tested it.
Willis Pacific cyber and technology industry leader Ben Di Marco says boards “must grapple with a complex threat environment” as regulators and insurers continue to tighten demands.
“Ultimately, regulators, shareholders and stakeholders will expect organisations to adopt cyber risk strategies that encompass security controls, governance frameworks, human factors and technical resilience.
“Insurers are increasingly examining these areas, scrutinising an organisation’s foundational cyber hygiene, vendor oversight practices, business continuity planning and incident response testing.
“In this environment, boards must focus on robust evidence-based strategies that will protect their organisations and avoid market hardships.”
The report says ransomware is “the defining stress test” for companies.
It also calls for increased awareness of AI-driven risks, including deepfake calls from CFOs, generative malware and synthetic identities, all of which can lead to significant claims.