Bridging the gaps to cyber resilience: The C-suite playbook

Swiss findings from the 2025 Global Digital Trust Insights survey

The cyber-attack surface is expanding

In an era of rapid technological disruption and advancement, organisations face increasingly volatile and unpredictable cyber threats. Cyber risk is the number one concern for most organisations, surpassing even digital risk and inflation. Despite this heightened awareness, many organisations are lagging in implementing robust cyber resilience measures and remain unprepared for the challenges ahead.

The expanding attack surface – driven by advances in artificial intelligence, connected devices, cloud technologies, and increased reliance on third parties – requires an agile, enterprise-wide approach to resilience. An ever-changing regulatory landscape adds another layer of complexity, making it imperative for organisations to build resilience at every level.

Yet significant gaps remain. Many organisations do not integrate cybersecurity into every strategic decision, nor do they ensure active collaboration at the executive level. This disconnection leaves them vulnerable to the very threats they are most concerned about.

Our findings from the 2025 Global Digital Trust Insights survey provide valuable insights into these critical issues and how organisations can increase their resilience and build transparency in an increasingly complex digital landscape.


Threat outlook and risk modelling improvements

Cyber risks remain the top concern for Swiss business leaders in 2025

As cybersecurity threats become more volatile and unpredictable, organisations are challenged to manage an expanding attack surface driven by cloud, AI, connected devices, and reliance on third parties.

One thing stands out: cyber risk remains the top concern for Swiss business leaders in 2025. While 65% of Swiss executives prioritise mitigating cyber risks over the next 12 months, this figure is 57% globally. In a year marked by geopolitically motivated cyber attacks on Switzerland, it is perhaps unsurprising that Swiss businesses are more concerned about cyber risks than the global average. In addition, organisations undergoing cloud transformation, with an increasing number of cloud migration projects, face added complexity as these changes can heighten cybersecurity and privacy concerns.

Cloud threats: a disconnect between concern and preparedness remains

The top three cyber risks for Swiss businesses are cloud-related threats, hack-and-leak operations, and ransomware attacks. While cloud security (49%) and hack-and-leak attacks (41%) ranked higher in Switzerland than the global average, concern about third-party data security risks (29%) was notably lower. This is surprising given FINMA’s June 2024 report on cyber incidents in the financial sector in 2022 and 2023, which highlighted that over half of these incidents involved outsourced services. In contrast, concern about ransomware (39%) was significantly higher in Switzerland than the global average, suggesting that Swiss organisations do not yet feel fully prepared to respond to or recover from such attacks.

Globally, the gap between concern and preparedness for cyber threats is of particular note: cloud threats are the number one threat for 42% of organisations worldwide, yet 34% of organisations say they are least prepared to deal with cloud-based attacks.

67% of Swiss firms increase their cyber budgets

While 54% of Swiss companies planned to increase cybersecurity spending in 2023, this number rose to 70% in 2024. Looking ahead to 2025, 67% of Swiss companies and 77% globally intend to increase their cyber budgets.

On the other hand, 22% of Swiss organisations plan to keep their cybersecurity spending unchanged, compared to just 11% globally. In comparison, Swiss companies are less polarised than their global counterparts, where fewer companies plan to keep their cyber budgets flat and a larger percentage either increases or decreases spending. This suggests that after several consecutive years of moderate growth in cyber spending, Swiss businesses feel the need to continue this trend.

“Companies that fail to prioritise cyber investment are approaching cybersecurity from the wrong perspective: it must be viewed as an ongoing process, not a one-time project.”

Johannes Dohren, Partner, Head of Cyber resilience and defense, PwC Switzerland

Business and tech leaders have lower engagement with cyber leaders

The allocation of cyber budgets reflects the differing priorities of business and technology leaders. For business leaders, the primary areas of investment include data protection and trust (48%) as well as addressing technical debt by modernising technology infrastructures (43%). This includes enhancing cybersecurity measures, improving security training, and optimising current technologies and investments to strengthen overall resilience.

Technology leaders focus on cloud security (34%), data protection and trust (28%), and network security and continuity (27%). They also plan to increase investment in emerging technologies such as generative AI (GenAI) and machine learning, recognising their potential to transform both security operations and organisational efficiency. As organisations race to realise the new opportunities brought about by AI technology, cyber leaders recognise that it also requires new approaches to managing data protection, integrity, and ethical concerns, which is driving the focus on this topic. 

Regulatory developments

Are companies ready for the highly regulated cyber world?

Regulatory frameworks are pushing organisations to quickly comply with a growing set of requirements. Rather than being a burden, compliance can be a competitive advantage for forward-thinking companies. Most businesses are confident in their compliance, with 96% of global executives acknowledging that regulations have prompted them to enhance security measures. Additionally, 78% believe these regulations have improved their cybersecurity posture, indicating that compliance challenges are helping to strengthen cybersecurity maturity across the industry.

Confidence is high, but gaps remain

In terms of compliance confidence, 24% of Swiss organisations are ‘extremely confident’ in their ability to comply with consumer privacy regulations. However, when it comes to network and information security, cyber disclosure, and artificial intelligence regulations, only 16% are ‘extremely confident’. Between 45% and 47% say they are ‘very confident’ in their ability to comply with network and information security, resilience, artificial intelligence, and consumer privacy regulations.

Despite these moderate to high levels of confidence, there are significant shortfalls in the percentage of Swiss respondents selecting the highest level of ‘extremely confident’ for data protection, critical infrastructure, resilience, and artificial intelligence, suggesting a confidence gap between belief and certainty in the compliance posture of several firms. 

The fact that Swiss companies feel least prepared to comply with artificial intelligence regulations could be due to a lower level of awareness and familiarity with these emerging regulations, leaving many companies uncertain about how to navigate and meet AI-related compliance obligations.

The positive impact of regulation

More Swiss executives than their global counterparts report a positive view of the impact of new cybersecurity regulations. While 28% said these regulations have helped establish constructive guardrails for technological innovation and transformation, above the global average of 20%, 24% also noted an increase in resilience due to an enforced industry-wide framework, compared to 19% globally. In addition, fewer Swiss executives (18%) found the regulations challenging to the point of requiring significant enhancements to their cyber risk management programmes, versus 24% globally, suggesting a greater sense of confidence in their existing security measures and partnerships.

To address these challenges, alignment between security teams, risk functions, and executive leadership is critical. Only with such coordination can organisations maintain compliance readiness and drive strategic improvements.

Strategy and Cyber

Cyber resilience: strategy and implementation

In terms of implementing cyber resilience measures, Swiss organisations are making significant strides forward with many ahead of their global counterparts. A majority have identified critical business processes and deployed technological cyber recovery solutions.

While this progress reflects a positive trend, there is a notable dichotomy within Switzerland. Some companies are clearly leading in their cyber resilience strategies, but many others lag, leaving critical gaps.

While many Swiss organisations are adopting recovery technologies and playbooks, relatively few have conducted comprehensive tests, such as tabletop exercises, raising concerns about the true level of preparedness to manage a cyber incident. Without regular simulations or readiness tests, it’s not guaranteed that the technologies and plans will live up to expectations.

The road ahead: strategic objectives for cyber and privacy in the coming year

In the coming year, many organisations will increase their focus on cyber resilience, not only to respond more quickly to incidents, but also to improve the ability of their leaders to effectively manage cybersecurity threats. This focus is driven by the need to stay ahead of evolving threats and secure their position in the marketplace.

Swiss organisations have set specific priorities for the next 12 months, with almost half aiming for faster incident response times, compared to about a third globally. This highlights the critical need to mitigate potential disruptions in real time. In addition, improving leadership confidence in managing current and future cyber threats is a priority for 37% of Swiss companies, compared to 31% globally. In line with global trends, nearly a third of Swiss organisations are focussing on cybersecurity – and the use of managed services to enable regulatory compliance and accelerate entry into new markets are also key objectives.

However, improving cybersecurity to enhance the customer and employee experience is a 2025 priority for only 22% of Swiss organisations, below the global average of 30%. Almost a third of Swiss organisations are investing in cyber to drive their entry into new markets, highlighting that the gaps between international and cross-sector regulatory requirements that need to be bridged for growth and diversification are larger than international norms.

Cybersecurity as a competitive advantage

Cybersecurity is increasingly seen as a key competitive advantage for organisations. In Switzerland, customer trust is the top area where this advantage is realised, with 55% of companies positioning cybersecurity as a driver of trust, close to the global average of 57%.

Brand integrity and loyalty, as well as resilience to business disruption, are recognised by 33% of Swiss organisations, compared to higher global figures of 49% and 43% respectively. This indicates that Swiss companies could further leverage cybersecurity to strengthen their brand and customer loyalty. In addition, public relations, business growth, and brand loyalty are seen as areas where cybersecurity provides an advantage.

Globally, there has been a trend over the past two years for companies to use cybersecurity investments to gain a competitive advantage. Banks have launched cybersecurity investment funds to offer solutions to clients, while insurers are increasingly helping clients to quantify their cyber risk exposure and find ways to mitigate it. Recent acquisitions of cyber security companies by financial sector participants underscore how cybersecurity is now seen as a driver of growth and differentiation for an increasing number of financial services leaders.

Cyber risk quantification: a missed opportunity

Bringing a cyber strategy to life requires more than awareness – it demands measurable action. Quantifying cyber risk is critical to prioritising investments and understanding the potential financial impact of cyber threats. However, this practice isn’t yet common in Switzerland.

None of the surveyed Swiss companies measure the potential financial impact of cyber risks to a significant extent – that is, they lack comprehensive cyber risk quantification with automation and executive reporting – compared to 15% globally. 44% of global businesses quantify or model risk to a large extent, compared to only 23% of Swiss companies. A third of the Swiss organisations assess cyber risk to a limited extent, relying on qualitative risk assessment and prioritisation. Only 3% plan to implement cyber risk quantification in the next two years (globally: 6%).

These figures suggest that Swiss companies may be less advanced than their global peers in deeply understanding and modelling their cyber risks, and therefore in grasping the financial impact of potential cyber threats.

Cyber leadership

CEO engagement drives cyber progress in Switzerland

Cybersecurity leadership is increasingly important in shaping an organisation’s resilience, and in Switzerland, there has been clear progress in executive-level involvement. Swiss CEOs are leading the way in cyber and privacy discussions compared to their global counterparts. 

However, this strong CEO engagement contrasts with the inclusion of Swiss CISOs in active business operations. While Swiss CEOs appear to be highly engaged in strategic discussions, CISOs are less likely to be included in initiatives such as M&A activities, learning from industry events, and adapting to operational changes within the business. This suggests that CISOs are often confined to scheduled board updates rather than being involved in day-to-day corporate initiatives. To close this gap, executive leadership needs to include CISOs more extensively in ongoing business decision-making processes and ensure that their expertise supports strategic and operational objectives.

46% of Swiss CEOs are highly engaged in discussing cyber and privacy implications of future corporate strategy

39% of Swiss CISOs are highly involved in reporting and regular meetings with the board

Stronger CISO involvement: bridging the expertise gap

Although cybersecurity is considered in strategic decisions of many Swiss organisations, the reduced involvement of CISOs in operational decisions is concerning. As a result, cybersecurity teams and CISOs are often not fully integrated into broader business discussions, reducing their potential influence on key initiatives and elevating the risk that an initiative will increase cyber threats or weaken cybersecurity or data protection.

To close these gaps, Swiss organisations need to expand the role of cyber leaders beyond scheduled updates. This means actively involving CISOs in operational decisions and business strategy to ensure that cybersecurity is embedded not just as a protective measure, but as a driver of business growth and resilience.

“Strengthening corporate risk governance and integrating technology and cyber is foundational to improving cyber considerations in broader business activities and enabling new opportunities to be realised.”

Chris Girling, Partner, Cybersecurity and Privacy, PwC Switzerland

Behaviours and awareness

Partial implementation isn’t enough for real cyber resilience

Despite mounting concern about cyber risks, most businesses are struggling to fully implement cyber resilience across core practices. This leaves a severe vulnerability – without enterprise-wide resilience, companies remain dangerously exposed to increasing threats that could compromise their entire operations.

A limited percentage of Swiss companies report that their cybersecurity teams ‘usually’ (81-100% of the time) perform key resilience activities. Only 20% of Swiss companies (versus 26% globally) have controls in place to withstand serious cyber disruptions and respond to threats quickly. 

Only one in six Swiss companies allocate cyber budgets to their top risks, highlighting a lack of confidence in cyber risk models and limited cross-business involvement of the CISO in budget allocation. This increases the likelihood that investment in cyber will be directed to less critical areas, with insufficient input from the wider organisation or a robust tieback to risk-based investment. 
 

Only 20% of Swiss companies have controls in place to withstand serious cyber disruptions and respond to threats quickly

Translating strategy into execution

While Swiss CEOs show a leading level of interest in cybersecurity topics, engagement between cyber leaders and leaders across the wider organisation is lower than the global average. Although Swiss CISOs report having acquired and deployed various cybersecurity and resilience solutions, limited board awareness, insufficient involvement from other business areas, as well as inadequate simulation and testing could prevent these solutions from meeting expectations in a crisis. 

About the survey

The 2025 Global Digital Trust Insights is a survey of 4,042 business and technology executives (CEOs, corporate directors, CFOs, CISOs, CIOs, and C-Suite officers) conducted from May to July 2024.

A quarter of the executives are from large companies with $5 billion or more in revenues. Respondents operate in a range of industries, including industrials and services (21%); tech, media, telecom (20%); financial services (19%); retail and consumer markets (17%); energy, utilities and resources (11%); health (7%), as well as government and public services (4%).

Respondents are based in 77 countries. The regional breakdown is Western Europe (30%), North America (25%), Asia Pacific (18%), Latin America (12%), Central and Eastern Europe (6%), Africa (5%), and the Middle East (3%). 51 respondents are based in Switzerland.

The Global Digital Trust Insights Survey was formerly known as the Global State of Information Security Survey (GSISS). Now in its 27th year, it’s the longest-running annual survey on cybersecurity trends. It’s also the largest survey in the cybersecurity industry and the only one that draws participation from senior business executives, not just security and technology executives.

PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.
