What Directors & Officers Need to Know About Cyber Risks in 2025

Why cyber risks should be on every board’s radar 

1. Cyber crime is at an all-time high  

The global cyber crime economy is now the third-largest economy in the world, with damages projected to reach $10.5 trillion annually in 2025.  

 Globally, cyber attacks surged by 30% in Q2 2024, with organizations each facing 1,636 attacks per week.  

 This staggering growth underscores why cyber risk is no longer just a technology concern but a critical governance issue for corporate leadership. 

2. Cyber incidents are more expensive, take longer to recover from 

In 2025, the average cost of a data breach is expected to surpass $5 million.  

It takes security teams an average 277 days to identify and contain a data breach – even longer if it involves stolen credentials. 

Sadly, 60% of small companies go out of business within six months of suffering a data breach or cyber attack. 

Despite this, the World Economic Forum’s Global Cyber Security Outlook 2024 reports only 25% of small-to-medium businesses (SMEs) have cyber insurance, and 75% of large organizations have a cyber policy. 

3. AI and human error make cyber attacks more successful 

Cyber criminals are increasingly leveraging Artificial Intelligence (AI) to launch hyper-realistic, personalised cyber attacks that are more convincing – and successful – than ever, says Jardine. Deepfake technology is also increasingly being leveraged in cyber extortion scams against executives and their employees. 

 And, since 90% of all cyber incidents are the result of human error – like using weak passwords or becoming a victim of phishing attacks – D&Os have to think about the threat from within as well, adds Jardine. 

The rise of Shadow AI – in which employees use Generative AI like ChatGPT without permission, is leading to increased data breach, leaks and compliance violations risks. Recent research shows over 60% of employees are using GenAI without their security team’s knowledge.  

4. Growing shortage of cyber security professionals 

“Prevention is far better than recovery,” says Jardine. “The faster a business can detect, contain and recover from a cyber incident, the lower the damage.” 

 But the growing cyber security skills gap is making this harder than ever. 

 Globally, there’s a shortage of more than 4 million cyber professionals, with 67% of organizations reporting a skills gap in cyber security, according to The World Economic Forum’s Global Cyber Security Outlook 2025.  

“The shortage doesn’t just impact recovery – it also makes it harder to implement proactive security measures that could predict, prevent and insure against breaches in the first place,” says Tifft, emphasising the need for businesses to partner with an insurance provider that offers expert pre- and post-breach services and support, such as BOXX’s Hackbusters and vCISO team. 

Rising Claims: How a cyber breach can lead to D&O Liability 

Lawsuits over data breaches are becoming a permanent fixture in the legal landscape. 

Cyber attacks – often enabled by weak cyber security, cover-ups or preventable errors – have cost companies like Uber, Home Depot, Meta, T-Mobile and others a total of $4.4 billion in data breach fines, penalties settlements so far. 

In 2024 alone, some of the largest class action settlements by directors & officers in history were recorded, totalling $560 million across major breach cases. 

It’s no wonder 63% of D&Os surveyed by WTW in 2025 included civil litigation and third party claims among their top significant concerns.

A cyber attack can have serious legal and financial consequences for a company’s leadership. Baker outlines key scenarios where directors and officers could face lawsuits: 

• Failure to secure cyber insurance – If a company suffers a major cyber incident and doesn’t have cyber coverage, shareholders may sue the board for failing to take reasonable steps to protect the business. “Directors and officers who ignore cyber risk are putting themselves and their companies in jeopardy,” Baker adds.
• Share price drops after a breach – Publicly traded companies that experience a breach often see a sharp decline in stock value. Shareholders may file lawsuits alleging that leadership failed to implement adequate cyber security measures. 
• Regulatory penalties and compliance failures – In Canada, provincial securities regulators, such as the Ontario Securities Commission (OSC), oversee cyber security disclosure requirements for publicly traded companies. While there is no single federal securities regulator, businesses must comply with provincial regulations that increasingly emphasize the need for strong cyber risk management. As cyber security threats escalate, Canadian regulators may further tighten disclosure rules, making it even more critical for organizations to demonstrate proactive cyber risk governance.
• Lawsuits from customers and employees – If a cyber incident leads to the exposure of sensitive customer or employee data, leadership could face direct legal action. Additionally, failing to secure customer data could lead to regulatory fines that cyber insurance helps cover. Forrester predicts that breach-related class action costs will exceed regulatory fines by 50% in 2025, marking a major shift in how businesses experience the financial fallout of cyber incidents – no longer limited to compliance penalties, but now including potentially massive settlements paid directly to affected individuals.
• Derivative lawsuits from within the company – In cases of severe negligence, a company itself may sue its own executives in what’s known as a derivative lawsuit, seeking damages for losses caused by a cyber breach. 

The Hidden Cyber Risks in D&O Insurance 

While some D&O policies include limited cyber-related coverages via endorsements or small cyber sublimits, it’s rarely enough to provide comprehensive protection, explains Baker. “A small cyber endorsement is often added just to prevent a larger claim from being argued under the D&O policy – even when the cyber incident leads to a governance related lawsuit. This is not sufficient for real cyber exposure today.” 

In fact, some D&O insurers will exclude cyber-related claims if the company doesn’t also have a separate cyber insurance policy – especially for companies that handle a lot of personal data.  

 Unlike a dedicated cyber policy, D&O insurance does not typically cover: 

• The cost of breach response services (including IT forensics, legal counsel, credit monitoring) 
• Forensic investigations to determine the cause of an attack 
• Regulatory fines and penalties (particularly those tied to data protection regulations)
• Ransomware payments or extortion losses 
• Crisis communications and PR support to protect the company’s reputation 

“Cyber liability insurance plays a crucial role in covering regulatory fines and penalties that may arise from a cyber incident, offering third-party protection that is often excluded or insufficient in a standard D&O policy,” adds Jardine. “Lawsuits stemming from a cyber breach can be incredibly costly and drag on for years, making cyber liability coverage essential for handling legal defense costs. For small businesses, the PR coverage included in cyber insurance can be particularly valuable, helping to mitigate reputational damage and rebuild customer trust after an attack.”

How Directors & Officers can strengthen their cyber defenses 

To mitigate risk, corporate leaders need to take a proactive and comprehensive approach to cyber security.  

• Ensure the company has a dedicated cyber insurance policy – “A standalone cyber policy is critical,” explains Tifft. “Relying on D&O coverage alone is a mistake, as it won’t fully protect and mitigate against cyber-related lawsuits.” BOXX’s all-in-one cyber security and insurance solution offers not just financial protection but also expert-guided security measures, risk assessments, cyber awareness training, and breach response – giving leadership teams the confidence that their cyber strategy is robust and regulatory-compliant.  
• Implement robust cyber security controls – Strong multi-factor authentication (MFA), endpoint detection and response (EDR), and continuous monitoring can significantly reduce risk. 
• Conduct board-level cyber security training – “Cyber awareness shouldn’t just be an employee concern,” says Tifft. “Directors need to understand the latest threats and know what questions to ask their IT and risk teams.” 
• Tabletop exercises for cyber incident response – Running breach simulation exercises helps boards and executives prepare for real-world cyber crises. 
• Verify vendor and third-party security – Many breaches occur due to vulnerabilities in third-party systems. Regularly reviewing vendor security policies can prevent supply chain attacks. 
• Integrate cyber risk into board strategy – Boards should ensure that cyber risk is treated as a financial, operational, and governance priority, not just an IT concern. 

A Comprehensive Cyber Strategy  

As cyber threats continue to escalate, D&Os need to recognize that cyber security is part of their fiduciary duty. With regulatory scrutiny increasing and lawsuits on the rise, now is the time for corporate leadership to take action and protect themselves and their companies from cyber exposures. 

Taking a proactive approach to cyber risk management means securing a standalone cyber insurance policy that complements D&O insurance.  

Beyond providing financial protection, a comprehensive cyber insurance policy with built-in cyber security services and support can help leadership teams not only meet regulatory requirements, but also strengthen their defenses against evolving threats.  

“It’s not just about having coverage – it’s about improving your security posture,” explains Baker. “It’s critical for leadership to prove they are taking the necessary steps to prevent a cyber related D&O claim.” 

By working with a cyber insurance provider that integrates pre-breach risk management services, 24/7 breach response, and expert cyber security support, D&Os can demonstrate due diligence, reduce personal liability, and ensure their company is prepared for cyber threats in 2025 and beyond.