Cyber attacks: Boards of directors see risks, but crisis preparedness is lacking

The threat of cyber attacks is growing. Large companies are particularly affected: 45 percent of companies with over 250 employees have already been attacked at least once.espite being a victim of a cyber attack at least once. This is shown by the latest swissVR Monitor.

In contrast to large companies, SMEs seem to be significantly less affected: Only 18 percent of companies with under 50 employees report a serious attack, according to the media release. The connection between the size of the company and the frequency of attacks is obvious: large companies are more exposed globally and offer cyber criminals greater attack surfaces. Another explanation for the allegedly lower level of concern among smaller companies is the partial lack of reporting of such incidents to the board of directors.

Business interruption is the most common consequence

Cyber attacks often have serious consequences for operational business. By far the most common consequence, according to the Audit and consulting firm Deloitte Switzerland a business interruption. This was the case for 42 percent of the companies affected by a cyber attack. (see graph 1). The operational processes of companies in the information and communications technology sector were particularly at risk. In this sector, 69 percent of those affected would experience a business interruption.

Data leaks and malfunctions of products or services are also frequent consequences. In some cases, cyber attacks even have consequences outside the company itself: For example, 11 percent of respondents complained of follow-up attacks on customers. Although the outflow of assets is rare, the financial consequences should not be underestimated. In addition to lost sales due to business interruptions, there is a threat of high follow-up costs, for example for the restoration of data.

Resilience is gaining strongly in importance

The far-reaching consequences would make it clear: Every SME needs to address cyber risks, he said. "The topic is now an integral part of good corporate governance. Fortunately, many companies have already recognized this. But there is definitely still potential. Our survey shows that cyber resilience is gaining strongly in importance across all industries. This must also be reflected in every company's risk management and strategy process," says Mirjam Durrer, a lecturer at Lucerne University of Applied Sciences and Arts at the Institute of Financial Services Zug IFZ. Ninety-five percent of the board members surveyed believe that the importance of cyber resilience for their company has increased over the past three years, she said. The majority even observed a strong increase, with the assessment depending significantly on the size of the company. Here, too, the correlation between size and threat situation is reflected.

Not yet a matter for the boss everywhere

According to the auditing and consulting firm, one positive aspect is that board members say they are largely fulfilling their duties with regard to cyber resilience. 85 percent of respondents affirm that their board follows trends and current developments in the area of cyber resilience. (see graph 2). Eight out of ten boards also have a risk policy that addresses cyber threats. Nevertheless, there is a need for action, emphasizes Klaus Julisch, Head of Risk Advisory at Deloitte Switzerland: "Awareness of the risks is increasing, which is positive. Apart from that, the topic has not yet reached the boards of directors everywhere. Also, almost half of the companies lack a clear cyber strategy. Swiss companies and their boards of directors must therefore take even more responsibility with regard to cyber resilience."

Only one third rehearse the emergency

According to Deloitte Switzerland, there is also room for improvement when it comes to preparing for emergencies. Only every third member of the board of directors confirms that the board is at least partially rehearsing crisis management. The picture is somewhat better in the financial industry: around one in two companies in this sector conducts regular crisis training. In addition, the financial industry has the highest proportion of cyber insurance policies, at 58 percent.

There is also room for improvement in reporting to the board of directors: only about one-third of respondents are regularly informed by management about the top cyber risks or their own cyber strategy. A good half of the board members receive reports on the general threat situation, current cyber attacks in the company or the need for action and investment to strengthen cyber resilience.

swissVR Monitor

The swissVR Monitor is a survey conducted by the swissVR Board of Directors Association in cooperation with the auditing and consulting firm Deloitte Switzerland and the Lucerne University of Applied Sciences and Arts.

The semi-annual survey swissVR Monitor aims to capture board members' assessments of business prospects, strategies and structural topics - as well as, in this edition, the focus topic "cyber resilience". The 14th survey was conducted by swissVR in collaboration with Deloitte and the Lucerne University of Applied Sciences and Arts between May 22 and July 8, 2023. The 400 participants represent boards of directors of listed companies as well as SMEs and come from all relevant industries.