Cyber attack, data loss and cyber extortion have been ranked as the top three risks for directors and officers in Australasia by a significant margin, with regulatory risk coming in at number four, according to the latest Directors’ Liability Survey from Willis Towers Watson and law firm Clyde & Co.

Cyber attacks and data loss have topped the list for three years in a row – with more than half of executives in Australia listing cyber attack as their top worry as ransomware incidents grow – while cyber extortion was a new entry.

Taken together, the survey insights are a “clarion call” to all business in the region to uplift their cybersecurity and privacy compliance activities, Sydney-based Clyde & Co Partners Alec Christie, Reece Corbett-Wilkins and Richard Berkahn say.

They urge businesses to focus on preparing adequately for a cyber event to occur (recognising geo-political factors currently at play in Europe), simulate board-level cyber exercises to “cut through decision paralysis”, reduce supply chain dependency, and take out appropriate cyber insurance cover.

The past year saw attacks evolve from just encryption of data to “double extortion” – encryption and exfiltration – and then to “triple extortion”, where the attackers extract money from third parties such as customers.

“This is a worrying development and adds a further level of pressure on directors and officers to implement adequate cybersecurity controls and to react efficiently and effectively in the face of an attack,” the report says.

“Cyber risk is a multi-varied and ever-evolving risk, with a variety of significant consequences should an attack occur and data is lost, making cyber risks of primary concern.”

Regulatory risk, including the threat of fines and penalties, also remained high on the list of concerns, as watchdogs focus on systems and controls, operational resilience and protection of consumers – particularly after covid identified gaps in many organisations when the pandemic hit.

Of Australasian respondents surveyed, 57% listed cyber attack as their number one concern, while 46% named data loss, 46% cyber extortion and 41% the risk of a health & safety/environmental prosecution.

Next came regulatory risk (32%), climate change (31%), economic crime (26%), becoming the focus of a social media campaign (22%), and return to work/covid safety and vaccination status (20%) – a higher ranking than in other regions which was attributed to Australian government responses to covid, including vaccine mandates and prolonged lockdowns.

“The results speak to a market that appears comfortable managing traditional risks, such as employment claims, insolvency and regulatory risk, and more concerned with emerging, less well-understood risks such as cyber attacks, data loss and cyber extortion,” Clyde & Co Partner Lucinda Lyons said.

See Analysis.