Cyber resilience – increasingly important for Boards

swissVR Monitor II/2023 – a survey of board members in Switzerland

Are you a board director and would like to take part in our board survey?

Summary

Cyber-attacks are affecting the Swiss economy more than ever. One in two large companies have already fallen victim to them, and in many cases such incidents result in a business interruption. The 14th edition of swissVR Monitor shows that, although awareness of the risks is increasing, many companies lack a clearly formulated cyber strategy. They practise for emergencies only rarely, and reporting to the board of directors by the management team also needs to improve.

About the survey

swissVR Monitor is based on a survey carried out jointly by swissVR in collaboration with Deloitte and the Lucerne University of Applied Sciences and Arts. The aim of this bi-yearly survey is to gauge Board members’ attitudes to the outlook for the economy and business as well as corporate governance issues. swissVR Monitor also aims to share with the wider public the ways in which Board members perceive their role and the current economic situation. Each edition also explores a special focus topic and conducts interviews with experts. A total of 400 Board members took part in the current edition of swissVR Monitor, providing a good overview of the views and challenges facing board members in Switzerland.

Key findings

Economic outlook slightly brighter than in the beginning of 2023

Board members in Swiss companies are a little more upbeat than in the beginning of 2023 in their rating of the country’s economic, sector and business outlook over the next 12 months. Across all three indicators, more Board members rate the prospects as positive than rate them as negative. Factors still causing economic uncertainty include geopolitical risks, the energy situation in winter 2023–24, and persistent – and above average – inflation.

Cyber attacks can have very serious consequences for companies

Board members whose company has already been the victim of at least one cyber attack report a (serious) impact on the company’s processes. Most frequently, cyber attacks disrupt operations. They can also result in data leaks, product malfunctions or service disruption. Less frequently, they result in the company becoming a gateway for cyber attacks on customers or in loss of assets.

Cyber resilience now markedly more important to companies

Almost all Swiss Board members surveyed agree that the importance to their company of cyber resilience has increased in the last three years. A majority think this increase has been marked, especially those on the Boards of small companies. Only a small minority of Board members report that there has been no change in the importance of cyber resilience, and none think the topic has become less important.

Mixed picture in relation to cyber risk insurance

Although cyber resilience has grown in importance and cyber attacks can have serious consequences, only just under half of all companies are insured against cyber risks. Companies in the financial, the manufacturing/chemicals and the construction sectors are more likely than average to be insured against such risks. Company size is much less likely to play a part in whether companies have cyber risk insurance.

Regular cyber reporting to the Board could be improved

More than half of all Swiss Boards receive regular reports from management on cyber-related incidents in the company or on the need for action and/or investment in cyber resilience. Just under half receive reports focusing on the general threat level or on cyber resilience measures. Only around one Board in three is regularly briefed by management on the main cyber risks facing the company or on its cyber strategy.

Large companies and financial services firms most likely to have committees

Just under half of all Boards set up committees to tackle specific issues. The figure is higher in large companies (where three-quarters of Boards have committees) than in small companies (one in five Boards). Boards in the financial services sector are most likely to have committees: three-quarters of Boards have at least one committee. In most other sectors, fewer than half of Boards have one or more committees. However, many Boards assign special responsibilities or areas to individual members.

Economic outlook slightly brighter than in the beginning of 2023

Board members in Swiss companies are a little more upbeat than in the beginning of 2023 in their rating of the country’s economic, sector and business outlook over the next 12 months. Across all three indicators, more Board members rate the prospects as positive than rate them as negative. Factors still causing economic uncertainty include geopolitical risks, the energy situation in winter 2023–24, and persistent – and above average – inflation.

Cyber attacks can have very serious consequences for companies

Board members whose company has already been the victim of at least one cyber attack report a (serious) impact on the company’s processes. Most frequently, cyber attacks disrupt operations. They can also result in data leaks, product malfunctions or service disruption. Less frequently, they result in the company becoming a gateway for cyber attacks on customers or in loss of assets.

Cyber resilience now markedly more important to companies

Almost all Swiss Board members surveyed agree that the importance to their company of cyber resilience has increased in the last three years. A majority think this increase has been marked, especially those on the Boards of small companies. Only a small minority of Board members report that there has been no change in the importance of cyber resilience, and none think the topic has become less important.

Mixed picture in relation to cyber risk insurance

Although cyber resilience has grown in importance and cyber attacks can have serious consequences, only just under half of all companies are insured against cyber risks. Companies in the financial, the manufacturing/chemicals and the construction sectors are more likely than average to be insured against such risks. Company size is much less likely to play a part in whether companies have cyber risk insurance.

Regular cyber reporting to the Board could be improved

More than half of all Swiss Boards receive regular reports from management on cyber-related incidents in the company or on the need for action and/or investment in cyber resilience. Just under half receive reports focusing on the general threat level or on cyber resilience measures. Only around one Board in three is regularly briefed by management on the main cyber risks facing the company or on its cyber strategy.

Large companies and financial services firms most likely to have committees

Just under half of all Boards set up committees to tackle specific issues. The figure is higher in large companies (where three-quarters of Boards have committees) than in small companies (one in five Boards). Boards in the financial services sector are most likely to have committees: three-quarters of Boards have at least one committee. In most other sectors, fewer than half of Boards have one or more committees. However, many Boards assign special responsibilities or areas to individual members.

Interviews

Chair of the Nomination and Remuneration Committee of Valiant Bank and member of the Board of Bâloise and APG|SGA

Maya Bundt

“It’s important that managing cyber risk or digital risk isn’t seen as just an IT problem but is recognised as a company-wide issue to be tackled as part of the company’s corporate strategy. Major strategic decisions almost always have an impact on the company’s cyber footprint.”

Federal Cyber Security Delegate, head of the Swiss National Cyber Security Centre (NCSC) and, from 1 January 2024, Director of Switzerland’s new Federal Office for Cybersecurity

Florian Schütz

“All companies are at risk, regardless of size and sector. However, many SMEs lack the financial and human resources to take effective cyber security measures, so their expertise and infrastructure is limited or even non-existent.”

Chair of the Audit Committee of Glarner Kantonalbank, Member of the Board of Directors of Apiax, Board member EXPERTsuisse and CEO of Structuul AG

Sonja Stirnimann

“We’ve been living with ‘cyber’ for at least 40 years, yet for many Boards, it is uncharted territory compared to other operational risks. What I find, though, is that the fear factor and taboo tend to die away if the problems are discussed in a safe space with like-minded people at Board and/or management level.”

Reto Savoia

CEO
Boardroom Programme Co-Chair

rsavoia@deloitte.ch +41 58 279 6357 View profile

Michael Grampp

Research Director & Chief Economist

mgrampp@deloitte.ch +41 58 279 6817 View profile

Daniel Laude

Assistant Manager

dlaude@deloitte.ch +41 58 279 6435 View profile

Submit request for proposal

Contact us