What Directors and Officers Are Prioritizing in Cyber Risk for 2025
July 08, 2025
Willis has released its 2025 Global Cyber, Directors and Officers Survey, providing insight into how organizations worldwide—especially in the United States and Europe—are approaching cyber risk oversight and insurance.
According to Willis, phishing attacks and social engineering were cited as the top cyber threats, followed by ransomware and weak cybersecurity systems. These risks were consistent across regions, with Great Britain prioritizing cyber attacks and North America focused more heavily on data loss.
The report found that health and safety, data loss, and cyber attacks were the leading risks concerning directors and officers in 2025. Regulatory breaches and system failures also ranked high across industries.
Willis noted that the board or CEO is the primary sponsor of cyber risk strategy in 36 percent of organizations. Senior leadership and information technology departments also play key roles, with broader involvement seen in larger firms. In North America and Europe, cyber oversight was most often led by the board, while technical roles were more involved in other regions.
More than half of respondents expect cybersecurity budgets to grow in 2025. Per Willis, 56 percent of organizations allocate cyber insurance premiums separately from the cybersecurity budget, while 44 percent integrate them. Most boards receive cybersecurity updates quarterly or monthly.
Preparedness has improved year over year. According to Willis, 80 percent of organizations now have a cyber incident response plan, and 68 percent conducted tabletop exercises in the last year. Sixty-five percent of respondents said their organization is well-prepared to manage a cyber incident, up from 56 percent in 2024.
Standalone cyber policies remain the preferred option, held by 71 percent of insured respondents. The survey also showed continued interest in expanding coverage, with 38 percent of uninsured respondents planning to purchase cyber insurance within 2 years.
When it comes to directors and officers coverage, cybersecurity risks and claim handling topped the list of board priorities, according to Willis. Other leading concerns included jurisdictional claim exposure and coverage for fines and penalties.
Willis concluded the report with recommendations for improving cyber resilience, including cultivating a cybersecurity culture, maintaining and testing response plans, managing insurance programs proactively, and staying informed about evolving risks.