Cyber resilience – board members are aware of the risks, but action is required with regard to crisis prevention and reporting

Zurich/Geneva, 4 September 2023

Cyber-attacks are affecting the Swiss economy more than ever. One in two large companies have already fallen victim to them, and in many cases such incidents result in a business interruption. The 14th edition of swissVR Monitor shows that, although awareness of the risks is increasing, many companies lack a clearly formulated cyber strategy. They practise for emergencies only rarely, and reporting to the board of directors by the management team also needs to improve.

The threat from cyber-attacks is growing. Large companies are affected in particular: 45 per cent of firms with more than 250 employees have fallen victim to a cyber-attack at least once. This is revealed in the latest swissVR Monitor, a survey conducted every six months by the swissVR association of board members in partnership with the audit and consulting company Deloitte Switzerland and Lucerne University of Applied Sciences and Arts. For the study, 400 board members were surveyed on the focus topic of cyber resilience.

In comparison with large companies, SMEs seem to be affected significantly less often. Only 18 per cent of firms with fewer than 50 employees reported having suffered a serious attack. The connection between company size and the frequency of attacks is obvious – large companies have greater global exposure and a larger potential target area for cyber criminals to attack. Another explanation for the supposedly lower rate of cyber-attacks on smaller companies is the fact that, in some cases, such incidents may not be reported to the board of directors.

Business interruption the most common consequence
Cyber-attacks often have serious consequences for a company’s operations. The most frequent repercussion by far is an interruption to business, which occurs in 42 per cent of firms affected by a cyber-attack (see Figure 1). The operating processes of companies in the information and communication technology sector are particularly at risk. In this industry, 69 per cent of affected firms suffered a business interruption. Data leaks and product or service malfunctions are further common consequences. In some cases, cyber-attacks even have repercussions outside the company. For example, eleven per cent of respondents complained about follow-up attacks on their customers. Although financial losses occur only rarely, the financial consequences should not be underestimated either. In addition to loss of revenue due to business interruptions, high knock-on costs – for restoring data, for example – can also be incurred.

Importance of cyber resilience increasing significantly
Given the far-reaching consequences, it is clear that every SME needs to address the issue of cyber risks. “This topic is now a crucial component of good corporate governance. Encouragingly, many companies have already recognised this. That said, there is still plenty of room for improvement. Our survey shows that the importance of cyber resilience is increasing significantly across all sectors. This must also be reflected in every company’s risk management and strategy processes,” says Mirjam Durrer, a lecturer at the Institute of Financial Services Zug (IFZ), part of the Lucerne School of Business. Ninety-five per cent of board members surveyed were of the opinion that cyber resilience had become more important for their company over the last three years. The majority actually observed a strong increase, though the assessment of this issue’s importance did depend heavily on company size. The correlation between company size and threat level is apparent here, too.

Cyber security not yet a matter for management everywhere
One positive finding was that the majority of board members reported performing their duties with regard to cyber resilience. Eighty-five per cent of respondents stated that their board of directors followed the trends and latest developments in the area of cyber resilience (see Figure 2). Furthermore, eight out of ten boards had a risk policy that addressed cyber risks. However, according to Klaus Julisch, Managing Partner for Risk Advisory at Deloitte Switzerland, action is nevertheless required: “Awareness of the risks is increasing, which is a positive development. That said, the issue hasn’t made it onto the agenda at all boards of directors yet. Furthermore, almost half of firms lack a clear cyber strategy. Swiss companies and their boards of directors need to take even more responsibility with regard to cyber resilience.”

Only a third practise for emergencies
There is also room for improvement in terms of preparing for emergencies. Only one in three board members confirmed that their board of directors practised crisis management at least in part. The picture is somewhat better in the financial industry, where around one in two companies hold crisis training exercises on a regular basis. Furthermore, at 58 per cent, the financial industry has the highest proportion of concluded cyber insurance policies.

There is also room for improvement when it comes to reporting to the board of directors. Only about a third of respondents received regular reports from the management team on the top cyber risks or the company’s own cyber strategy. Around half of the boards of directors surveyed did at least receive reports on the general threat level, recent cyber-attacks at the company or the need for action or investment for cyber resilience purposes.

Despite the challenges, board members have a (more) positive economic outlook
Alongside this edition’s survey on the current focus topic of cyber resilience, the swissVR Monitor also gauges the opinions of BoD members on the current outlook for the economy and their own business activities twice a year. After a downturn in expectations following the outbreak of the Ukraine war in 2022, the board members surveyed for this edition reported having a somewhat more optimistic economic outlook for the next 12 months. Just under a quarter (24%) of all board members stated that they anticipated a positive economic trend, while 10 per cent expected developments to be negative. The vast majority (66%) rated the prospects for the economy as ‘neutral’.

At 45 per cent and 57 per cent respectively, the respondents were much more upbeat about the prospects for their industry and their company’s performance than they were about the overall economic situation. However, Cornelia Ritz Bossicard, President of swissVR, admits: “There remain many uncertainties for the Swiss economy, including the ongoing geopolitical risks, an unclear energy situation for the coming winter and the consistently above-average inflationary pressure. Switzerland has proved its resilience as a business location in difficult times. This quality must now be preserved as new challenges develop, such as the cyber risks described. After all, one thing is certain: New challenges will increase, especially in the area of cyber security.”

About the swissVR Monitor
The six-monthly swissVR Monitor survey aims to gauge the views of board members on business prospects, strategies and structural issues, plus – in this edition – their views on the focus topic of ‘people as a key to success – talent management of the future’. swissVR conducted the 14th survey between 22 May and 8 July 2023 in partnership with Deloitte and Lucerne University of Applied Sciences and Arts. The 400 participants sit on the boards of listed companies and small and medium-sized enterprises (SMEs) and represent all relevant industries and sectors.

swissVR
swissVR serves the interests of board members in Switzerland and is committed to helping them become more professional and share experiences with other members. As an independent association, swissVR is run by board members for board members. With its services, it helps to professionalise boards of directors, promotes networking between board members from companies in all sectors, and gives its 1,200+ members access to relevant information and tailored training, including in cooperation with training partners. swissVR is aimed exclusively at people who actively serve on boards of directors. www.swissvr.ch

Lucerne University of Applied Sciences and Arts – representing central Switzerland
The Lucerne University of Applied Sciences and Arts is the university of applied sciences and arts of the six cantons of central Switzerland. With some 8,300 students on Bachelor’s and Master’s degree programmes, 5,200 students on continuing and executive education programmes, almost 400 ongoing research projects and around 2,000 employees, it is the largest educational institution in the heart of Switzerland. The Institute of Financial Services Zug (IFZ) at the Lucerne University of Applied Sciences and Arts puts a strong focus on the topic of governance, risk and compliance by also offering executive education courses for board members. www.hslu.ch/ifz

Deloitte Switzerland
Deloitte offers integrated services that include Audit & Assurance, Consulting, Financial Advisory, Risk Advisory and Tax & Legal. Our approach combines insight and innovation from multiple disciplines with business and industry knowledge to help our clients excel anywhere in the world. With around 2,700 employees at six locations in Basel, Berne, Geneva, Lausanne, Lugano and Zurich (headquarters), Deloitte serves companies and organisations of all legal forms and sizes in all industry sectors.
Deloitte AG is an affiliate of Deloitte North South Europe (NSE), a member firm of the global network of Deloitte Touche Tohmatsu Limited (DTTL) comprising around 415,000 employees in more than 150 countries.
You can read all press releases and contact the communications team on the Deloitte Switzerland website.

Note to editors
In this press release, Deloitte refers to the affiliates of Deloitte NSE LLP, member firms of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (‘DTTL’). DTTL and each of its member firms are legally separate and independent entities. DTTL and Deloitte NSE LLP do not provide services to clients. Please see www.deloitte.com/ch/about to learn more about our global network of member firms.
Deloitte AG is a subsidiary of Deloitte LLP, the UK member firm of DTTL. Deloitte AG is an audit firm recognised and supervised by the Federal Audit Oversight Authority (FAOA) and the Swiss Financial Market Supervisory Authority (FINMA).
The information in this press release was correct at the time it was released.
