Cyber-risk is no longer just a technology issue, but also a boardroom issue, according to new research from Aon, the global professional services firm.

According to the company’s Cyber Risk Report for the year, cyber events that cause reputation risks can result in an average of 27 per cent drop in shareholder value.

It built on Aon’s 2023 research, which showed that major cyber incidents led to an average 9 per cent decline in shareholder value.

Aon global cyber leader Brent Rieth said: “Our latest research underscores the importance of proactive risk mitigation. Organisations that invest in preparedness and resilience are far better positioned to avoid the reputational and financial fallout that can follow a cyber event.”

Of the 1,414 cyber events analysed by Aon researchers, 56 developed into reputation risk events, defined as cyber incidents that attract significant media attention and lead to a measurable decline in share price.

Malware and ransomware attacks were the most likely to trigger reputational damage, accounting for 60 per cent of all reputation risk events, despite making up only 45 per cent of total cyber incidents.

Five drivers of value recovery — preparedness, leadership, swift action, communication and change — were identified as critical levers for mitigating reputational fallout.

The report also highlights the growing challenge of managing uninsurable risks. While cyber insurance can help transfer some financial exposure, reputation risk remains largely non-transferable, making proactive risk management and crisis response essential.

“As cyberthreats grow more complex and interconnected, companies need a clearer view of their exposure, stronger alignment between cybersecurity and insurance strategies, and the tools to make better, data-driven decisions,” Mr Rieth said.

In the report’s executive welcome, Mr Rieth explained that competition had heightened globally across the cyber insurance marketplace and, after realising ten straight quarters of pricing decreases for United States-based risks, cyber insurance pricing continued its softening trend, ending with a 7 per cent decline in Q1 2025.

“The time is ideal for businesses of all sizes to enter the cyber insurance market, and this is of utmost importance for increasingly vulnerable middle market companies,” Mr Rieth said.

These organisations filed more cyber claims than any other group last year and, from a preparedness standpoint, 55 per cent have not carried out a cybersecurity tabletop exercise.

Meanwhile, 45 per cent have vulnerability scans that cover less than 100 per cent of the enterprise, significantly increasing the potential risk for business interruption loss owing to a cyber event.

Mr Rieth said better education and awareness around cyber-risk is needed.