Zurich/Geneva
Cyber-attacks are affecting the Swiss economy more than ever. One in two large companies have already fallen victim to them, and in many cases such incidents result in a business interruption. The 14th edition of swissVR Monitor shows that, although awareness of the risks is increasing, many companies lack a clearly formulated cyber strategy. They practise for emergencies only rarely, and reporting to the board of directors by the management team also needs to improve.
The threat from cyber-attacks is growing. Large companies are affected in particular: 45 per cent of firms with more than 250 employees have fallen victim to a cyber-attack at least once. This is revealed in the latest swissVR Monitor, a survey conducted every six months by the swissVR association of board members in partnership with the audit and consulting company Deloitte Switzerland and Lucerne University of Applied Sciences and Arts. For the study, 400 board members were surveyed on the focus topic of cyber resilience.
In comparison with large companies, SMEs seem to be affected significantly less often. Only 18 per cent of firms with fewer than 50 employees reported having suffered a serious attack. The connection between company size and the frequency of attacks is obvious – large companies have greater global exposure and a larger potential target area for cyber criminals to attack. Another explanation for the supposedly lower rate of cyber-attacks on smaller companies is the fact that, in some cases, such incidents may not be reported to the board of directors.
Business interruption the most common consequence
Cyber-attacks often have serious consequences for a company’s operations. The most frequent repercussion by far is an interruption to business, which occurs in 42 per cent of firms affected by a cyber-attack (see Figure 1). The operating processes of companies in the information and communication technology sector are particularly at risk. In this industry, 69 per cent of affected firms suffered a business interruption. Data leaks and product or service malfunctions are further common consequences. In some cases, cyber-attacks even have repercussions outside the company. For example, eleven per cent of respondents complained about follow-up attacks on their customers. Although financial losses occur only rarely, the financial consequences should not be underestimated either. In addition to loss of revenue due to business interruptions, high knock-on costs – for restoring data, for example – can also be incurred.
Importance of cyber resilience increasing significantly
Given the far-reaching consequences, it is clear that every SME needs to address the issue of cyber risks. “This topic is now a crucial component of good corporate governance. Encouragingly, many companies have already recognised this. That said, there is still plenty of room for improvement. Our survey shows that the importance of cyber resilience is increasing significantly across all sectors. This must also be reflected in every company’s risk management and strategy processes,” says Mirjam Durrer, a lecturer at the Institute of Financial Services Zug (IFZ), part of the Lucerne School of Business. Ninety-five per cent of board members surveyed were of the opinion that cyber resilience had become more important for their company over the last three years. The majority actually observed a strong increase, though the assessment of this issue’s importance did depend heavily on company size. The correlation between company size and threat level is apparent here, too.
Cyber security not yet a matter for management everywhere
One positive finding was that the majority of board members reported performing their duties with regard to cyber resilience. Eighty-five per cent of respondents stated that their board of directors followed the trends and latest developments in the area of cyber resilience (see Figure 2). Furthermore, eight out of ten boards had a risk policy that addressed cyber risks. However, according to Klaus Julisch, Managing Partner for Risk Advisory at Deloitte Switzerland, action is nevertheless required: “Awareness of the risks is increasing, which is a positive development. That said, the issue hasn’t made it onto the agenda at all boards of directors yet. Furthermore, almost half of firms lack a clear cyber strategy. Swiss companies and their boards of directors need to take even more responsibility with regard to cyber resilience.”
Only a third practise for emergencies
There is also room for improvement in terms of preparing for emergencies. Only one in three board members confirmed that their board of directors practised crisis management at least in part. The picture is somewhat better in the financial industry, where around one in two companies hold crisis training exercises on a regular basis. Furthermore, at 58 per cent, the financial industry has the highest proportion of concluded cyber insurance policies.
There is also room for improvement when it comes to reporting to the board of directors. Only about a third of respondents received regular reports from the management team on the top cyber risks or the company’s own cyber strategy. Around half of the boards of directors surveyed did at least receive reports on the general threat level, recent cyber-attacks at the company or the need for action or investment for cyber resilience purposes.
Despite the challenges, board members have a (more) positive economic outlook
Alongside this edition’s survey on the current focus topic of cyber resilience, the swissVR Monitor also gauges the opinions of BoD members on the current outlook for the economy and their own business activities twice a year. After a downturn in expectations following the outbreak of the Ukraine war in 2022, the board members surveyed for this edition reported having a somewhat more optimistic economic outlook for the next 12 months. Just under a quarter (24%) of all board members stated that they anticipated a positive economic trend, while 10 per cent expected developments to be negative. The vast majority (66%) rated the prospects for the economy as ‘neutral’.
At 45 per cent and 57 per cent respectively, the respondents were much more upbeat about the prospects for their industry and their company’s performance than they were about the overall economic situation. However, Cornelia Ritz Bossicard, President of swissVR, admits: “There remain many uncertainties for the Swiss economy, including the ongoing geopolitical risks, an unclear energy situation for the coming winter and the consistently above-average inflationary pressure. Switzerland has proved its resilience as a business location in difficult times. This quality must now be preserved as new challenges develop, such as the cyber risks described. After all, one thing is certain: New challenges will increase, especially in the area of cyber security.”
Deloitte offers integrated services that include Audit & Assurance, Consulting, Financial Advisory, Risk Advisory and Tax & Legal. Our approach combines insight and innovation from multiple disciplines with business and industry knowledge to help our clients excel anywhere in the world. With around 3,000 employees at six locations in Basel, Berne, Geneva, Lausanne, Lugano and Zurich (headquarters), Deloitte serves companies and organisations of all legal forms and sizes in all industry sectors.
Deloitte AG is an affiliate of Deloitte North South Europe (NSE), a member firm of the global network of Deloitte Touche Tohmatsu Limited (DTTL) comprising around 460,000 employees in more than 150 countries.
You can read all press releases and contact the communications team on the Deloitte Switzerland website.
Note to editors
In this press release, Deloitte refers to the affiliates of Deloitte NSE LLP, member firms of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (‘DTTL’). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see www.deloitte.com/ch/about to learn more about our global network of member firms. Deloitte AG is a subsidiary of Deloitte LLP, the UK member firm of DTTL. Deloitte AG is an audit firm recognised and supervised by the Federal Audit Oversight Authority (FAOA) and the Swiss Financial Market Supervisory
Press contact(s):
Michael Wiget
External Communications Lead
Tel: +41 58 279 70 50
mwiget@deloitte.ch
Kevin Capellini
External Communications Specialist
Tel: +41 58 279 59 74
kcapellini@deloitte.ch