
Cyber resilience – board members are aware of the risks, but action is required with regard to crisis prevention and reporting

Zurich/Geneva

Cyber-attacks are affecting the Swiss economy more than ever. One in two large companies have already fallen victim to them, and in many cases such incidents result in a business interruption. The 14th edition of swissVR Monitor shows that, although awareness of the risks is increasing, many companies lack a clearly formulated cyber strategy. They practise for emergencies only rarely, and reporting to the board of directors by the management team also needs to improve.

The threat from cyber-attacks is growing. Large companies are affected in particular: 45 per cent of firms with more than 250 employees have fallen victim to a cyber-attack at least once. This is revealed in the latest swissVR Monitor, a survey conducted every six months by the swissVR association of board members in partnership with the audit and consulting company Deloitte Switzerland and Lucerne University of Applied Sciences and Arts. For the study, 400 board members were surveyed on the focus topic of cyber resilience.

In comparison with large companies, SMEs seem to be affected significantly less often. Only 18 per cent of firms with fewer than 50 employees reported having suffered a serious attack. The connection between company size and the frequency of attacks is obvious – large companies have greater global exposure and a larger potential target area for cyber criminals to attack. Another explanation for the supposedly lower rate of cyber-attacks on smaller companies is the fact that, in some cases, such incidents may not be reported to the board of directors.


Business interruption the most common consequence

Cyber-attacks often have serious consequences for a company’s operations. The most frequent repercussion by far is an interruption to business, which occurs in 42 per cent of firms affected by a cyber-attack (see Figure 1). The operating processes of companies in the information and communication technology sector are particularly at risk. In this industry, 69 per cent of affected firms suffered a business interruption. Data leaks and product or service malfunctions are further common consequences. In some cases, cyber-attacks even have repercussions outside the company. For example, eleven per cent of respondents complained about follow-up attacks on their customers. Although financial losses occur only rarely, the financial consequences should not be underestimated either. In addition to loss of revenue due to business interruptions, high knock-on costs – for restoring data, for example – can also be incurred.

Importance of cyber resilience increasing significantly

Given the far-reaching consequences, it is clear that every SME needs to address the issue of cyber risks. “This topic is now a crucial component of good corporate governance. Encouragingly, many companies have already recognised this. That said, there is still plenty of room for improvement. Our survey shows that the importance of cyber resilience is increasing significantly across all sectors. This must also be reflected in every company’s risk management and strategy processes,” says Mirjam Durrer, a lecturer at the Institute of Financial Services Zug (IFZ), part of the Lucerne School of Business. Ninety-five per cent of board members surveyed were of the opinion that cyber resilience had become more important for their company over the last three years. The majority actually observed a strong increase, though the assessment of this issue’s importance did depend heavily on company size. The correlation between company size and threat level is apparent here, too.


Cyber security not yet a matter for management everywhere

One positive finding was that the majority of board members reported performing their duties with regard to cyber resilience. Eighty-five per cent of respondents stated that their board of directors followed the trends and latest developments in the area of cyber resilience (see Figure 2). Furthermore, eight out of ten boards had a risk policy that addressed cyber risks. However, according to Klaus Julisch, Managing Partner for Risk Advisory at Deloitte Switzerland, action is nevertheless required: “Awareness of the risks is increasing, which is a positive development. That said, the issue hasn’t made it onto the agenda at all boards of directors yet. Furthermore, almost half of firms lack a clear cyber strategy. Swiss companies and their boards of directors need to take even more responsibility with regard to cyber resilience.”

Only a third practise for emergencies

There is also room for improvement in terms of preparing for emergencies. Only one in three board members confirmed that their board of directors practised crisis management at least in part. The picture is somewhat better in the financial industry, where around one in two companies hold crisis training exercises on a regular basis. Furthermore, at 58 per cent, the financial industry has the highest proportion of concluded cyber insurance policies.

There is also room for improvement when it comes to reporting to the board of directors. Only about a third of respondents received regular reports from the management team on the top cyber risks or the company’s own cyber strategy. Around half of the boards of directors surveyed did at least receive reports on the general threat level, recent cyber-attacks at the company or the need for action or investment for cyber resilience purposes.

Despite the challenges, board members have a (more) positive economic outlook

Alongside this edition’s survey on the current focus topic of cyber resilience, the swissVR Monitor also gauges the opinions of BoD members on the current outlook for the economy and their own business activities twice a year. After a downturn in expectations following the outbreak of the Ukraine war in 2022, the board members surveyed for this edition reported having a somewhat more optimistic economic outlook for the next 12 months. Just under a quarter (24%) of all board members stated that they anticipated a positive economic trend, while 10 per cent expected developments to be negative. The vast majority (66%) rated the prospects for the economy as ‘neutral’.

At 45 per cent and 57 per cent respectively, the respondents were much more upbeat about the prospects for their industry and their company’s performance than they were about the overall economic situation. However, Cornelia Ritz Bossicard, President of swissVR, admits: “There remain many uncertainties for the Swiss economy, including the ongoing geopolitical risks, an unclear energy situation for the coming winter and the consistently above-average inflationary pressure. Switzerland has proved its resilience as a business location in difficult times. This quality must now be preserved as new challenges develop, such as the cyber risks described. After all, one thing is certain: New challenges will increase, especially in the area of cyber security.”
