Summary
Cyber-attacks are affecting the Swiss economy more than ever. One in two large companies have already fallen victim to them, and in many cases such incidents result in a business interruption. The 14th edition of swissVR Monitor shows that, although awareness of the risks is increasing, many companies lack a clearly formulated cyber strategy. They practise for emergencies only rarely, and reporting to the board of directors by the management team also needs to improve.
About the survey
swissVR Monitor is based on a survey carried out jointly by swissVR in collaboration with Deloitte and the Lucerne University of Applied Sciences and Arts. The aim of this bi-yearly survey is to gauge Board members’ attitudes to the outlook for the economy and business as well as corporate governance issues. swissVR Monitor also aims to share with the wider public the ways in which Board members perceive their role and the current economic situation. Each edition also explores a special focus topic and conducts interviews with experts. A total of 400 Board members took part in the current edition of swissVR Monitor, providing a good overview of the views and challenges facing board members in Switzerland.
Key findings
Outlook
Economic outlook slightly brighter than in the beginning of 2023
Board members in Swiss companies are a little more upbeat than in the beginning of 2023 in their rating of the country’s economic, sector and business outlook over the next 12 months. Across all three indicators, more Board members rate the prospects as positive than rate them as negative. Factors still causing economic uncertainty include geopolitical risks, the energy situation in winter 2023–24, and persistent – and above average – inflation.
Cyber attacks
Cyber attacks can have very serious consequences for companies
Board members whose company has already been the victim of at least one cyber attack report a (serious) impact on the company’s processes. Most frequently, cyber attacks disrupt operations. They can also result in data leaks, product malfunctions or service disruption. Less frequently, they result in the company becoming a gateway for cyber attacks on customers or in loss of assets.
Cyber resilience
Cyber resilience now markedly more important to companies
Almost all Swiss Board members surveyed agree that the importance to their company of cyber resilience has increased in the last three years. A majority think this increase has been marked, especially those on the Boards of small companies. Only a small minority of Board members report that there has been no change in the importance of cyber resilience, and none think the topic has become less important.
Cyber insurance
Mixed picture in relation to cyber risk insurance
Although cyber resilience has grown in importance and cyber attacks can have serious consequences, only just under half of all companies are insured against cyber risks. Companies in the financial, the manufacturing/chemicals and the construction sectors are more likely than average to be insured against such risks. Company size is much less likely to play a part in whether companies have cyber risk insurance.
Cyber reporting
Regular cyber reporting to the Board could be improved
More than half of all Swiss Boards receive regular reports from management on cyber-related incidents in the company or on the need for action and/or investment in cyber resilience. Just under half receive reports focusing on the general threat level or on cyber resilience measures. Only around one Board in three is regularly briefed by management on the main cyber risks facing the company or on its cyber strategy.
Committees
Large companies and financial services firms most likely to have committees
Just under half of all Boards set up committees to tackle specific issues. The figure is higher in large companies (where three-quarters of Boards have committees) than in small companies (one in five Boards). Boards in the financial services sector are most likely to have committees: three-quarters of Boards have at least one committee. In most other sectors, fewer than half of Boards have one or more committees. However, many Boards assign special responsibilities or areas to individual members.
Interviews
Chair of the Nomination and Remuneration Committee of Valiant Bank and member of the Board of Bâloise and APG|SGA
Maya Bundt
“It’s important that managing cyber risk or digital risk isn’t seen as just an IT problem but is recognised as a company-wide issue to be tackled as part of the company’s corporate strategy. Major strategic decisions almost always have an impact on the company’s cyber footprint.”
Federal Cyber Security Delegate, head of the Swiss National Cyber Security Centre (NCSC) and, from 1 January 2024, Director of Switzerland’s new Federal Office for Cybersecurity
Florian Schütz
“All companies are at risk, regardless of size and sector. However, many SMEs lack the financial and human resources to take effective cyber security measures, so their expertise and infrastructure is limited or even non-existent.”
Chair of the Audit Committee of Glarner Kantonalbank, Member of the Board of Directors of Apiax, Board member EXPERTsuisse and CEO of Structuul AG
Sonja Stirnimann
“We’ve been living with ‘cyber’ for at least 40 years, yet for many Boards, it is uncharted territory compared to other operational risks. What I find, though, is that the fear factor and taboo tend to die away if the problems are discussed in a safe space with like-minded people at Board and/or management level.”
Previous board survey editions
swissVR Monitor II/2020
The Boards of Directors' perspective on COVID-19: Learning the lessons for the next crisis
swissVR Monitor II/2019
More agile but more complex: the impact of digitalisation on boards and companies
