Concerns over regulatory risk have moved up the ranking to third place

Cyber attack and data loss remain the top two most concerning risks for directors and officers (D&O) for the second year running, according to the latest D&O Liability Survey 2022, published by Willis Towers Watson (WTW) in partnership with Clyde and Co. 

Exactly 47% of respondents reported that a cyber attack was of very significant or extremely significant risk to their organisation, whether financially or reputationally. Data loss sat at 43%.

Cyber attack ranked as the number 2 risk for the business and the number 1 risk for directors and officers. Globally, cyber extortion ranked as the third top risk (59%), behind cyber attack (65%) and data loss (63%).

Two common types of cyber extortion are ransomware and distributed denial of service attacks (DDoS).

Regulatory risk, including threat of fines, penalties and risk of health and safety/environmental prosecutions, meanwhile, replaced cyber extortion (36%) in third place at 40%.

COP26 combined with increasing governmental and regulatory measures has driven up concerns around climate change risk in some regions. While it still doesn’t appear in the top 5 for any region, it is the number six risk in the UK, Asia and Australasia.

There is some divergence between the risks perceived for businesses and the risks perceived for D&Os. The top risk for the business was the economic climate while the risk of insolvency or bankruptcy is ranked very low for directors and officers, despite the two being linked.

Interconnected risks

Jeremy Wall, head of global financial, executive and professional risks (Finex) at WTW, said that “this year marks a sea-change in the global scope of our survey, with responses from more countries than ever before”.

James Cooper, head of the financial institutions and D&O team at Clyde and Co, added: “What emerges in this report is a complex network of globally interconnected and evolving risks that leaders should not consider in isolation.

“While it is no surprise that cyber attacks and data loss lead the risk ranking once again, the emergence of cyber extortion as a perceived threat adds a further level of pressure on leaders to implement adequate cybersecurity controls and to react efficiently and effectively in the face of an attack.”

Rankings were determined by the proportion of survey respondents who branded a risk category either very significant or extremely significant.

The survey identifies the key risks for directors across the globe (covering the UK, Europe, Asia, Australasia, LatAm and the US) with responses from over 40 countries around the world.