Just 2% of companies have implemented firm-wide measures to protect themselves against cyber attacks, a global survey has found.
Based on responses from 4,042 business and tech executives across 77 countries and territories, the PwC 2025 Global Digital Trust Insights report noted that, despite the cost of the average data breach estimated at US$3.3 million, the vast majority of companies are ill prepared to deal with the very threats they say they are most concerned about.
The report pointed out that while data breaches by hackers and other cyber criminals are at the forefront of executives’ concerns, adequate resources are not being used to address them – although many companies say they are planning to increase their cyber security budgets.
“This leaves a glaring vulnerability – without enterprise-wide resilience, companies remain dangerously exposed to the increasing threats that could compromise the entire operation,” the report noted.
It stated that, despite heightened concerns about cyber risk, only 2% of executives said their company has implemented cyber-resilience actions across their organisation in all areas surveyed.
Challenges for Cayman
The report noted that in the Cayman Islands, the need to enhance cyber-security resilience within the financial services sector is more critical than ever.
“As rapidly changing regulations and emerging technologies, particularly AI, continue to reshape the landscape, organizations must embrace change and convert risks into opportunities through innovation and investment in advanced cybersecurity solutions. By promoting a culture of security awareness and reinforcing regulatory compliance, the Cayman Islands can enhance market integrity and build stronger stakeholder trust,” the report said.
In response to questions from the Cayman Compass, Yousra Cherrouk, manager of PwC Cayman Islands’ Risk Assurance Services, acknowledged that the concentration of financial services industry companies in the Cayman Islands makes the jurisdiction particularly attractive to cyber attacks.
“Cyber-attacks can disrupt operations, result in financial losses, and damage reputations, making it essential for organizations to invest heavily in cybersecurity defenses. The high level of scrutiny and regulatory requirements imposed on financial institutions may prompt organizations to prioritize cybersecurity more than other sectors.
“This focus can act as a deterrent against potential attacks if companies are well-prepared with proactive monitoring, comprehensive training, and incident response plans,” she said in an emailed response.
The Cayman Islands Monetary Authority plays a critical role in enforcing cyber-security standards for regulated entities, Cherrouk noted, adding, “By aligning with CIMA’s cybersecurity rules, regulated financial services organizations can enhance their defenses and foster a culture of security awareness, better preparing them to mitigate risks in today’s digital landscape.”
CIMA requires regulated entities to perform a gap assessment to evaluate their existing group-wide cybersecurity policies against the requirements of local cyber regulations, she said.
Regulated organisations in Cayman must also perform a local risk assessment to identify specific vulnerabilities unique to the region, meaning companies can adapt their policies to the unique challenges they face in the Cayman Islands, Cherrouk added.
Unregulated entities, while not bound by these specific requirements, can benefit from adopting similar cyber-security assessments and risk-management practices to enhance their security and protect against evolving threats.
With many global firms having financial services or legal offices based in Cayman, the implementation of cybersecurity measures can vary significantly, she said.
Cherrouk noted, “Many companies have established processes and security frameworks at their head offices, which are shared with regional offices to standardize practices. This helps ensure that all locations meet a baseline level of security.
“However, it’s also common for offices to operate in silos, especially if they have autonomy or are subject to differing regulatory environments. Local threats and resource availability also influence how these measures are tailored. This can result then in inconsistencies in applying cybersecurity measures.”
Main threats
The survey showed that the top four cyber threats that business leaders found most concerning were: cloud-related threats (42%), hack-and-leak operations (38%), third-party breaches (35%) and attacks on connected products (33%). The report pointed out that these were the same concerns security executives feel least prepared to address.
Cherrouk said in the release that there are significant gaps that companies must bridge before they become more resilient against cyber attacks.
“These include developing a comprehensive incident response plan and a robust cyber governance framework, implementing continuous monitoring for threats, ensuring proper data backup and recovery mechanisms and enhancing employee awareness and training programmes,” she said, adding that this points to the need for senior management collaboration and strategic investment to strengthen cyber resilience.
Cherrouk noted, “Measuring cyber risk is critical for prioritising cyber risk investments but few organisations are actually quantifying the impact. By addressing these gaps and making cybersecurity a business priority, leaders can bridge to a more secure future.”
Many companies are turning to generative artificial intelligence (GenAI) to contend with cyber-security concerns, with 78% of survey respondents saying they had ramped up their investment in GenAI over the past year.
However, two-thirds of the leaders in the security field who responded noted that GenAI has expanded the cyber attack surface – the number of all possible points where an unauthorised user can access a system and extract data – over the last 12 months, ahead of other technologies such as cloud technology (66%), connected products (58%), operational technology (54%) and quantum computing (42%).
Increasing spending on cyber-security measures
Despite the threats and lack of preparedness, the survey findings show that organisations are taking action. More than three-quarters (77%) said they expected their cyber budget to increase over the coming year, with nearly half (48%) of business leaders prioritising data protection and data trust as the top cyber investment in the next 12 months. Tech leaders, on the other hand, note cloud security (34%) remains their top-priority.
According to the survey, 30% of organisations expect cyber budgets to increase by 6-10% next year, while 20% expect budgets to rise by at least 11%.
The report noted that many organisations are not fully involving their chief information security officers in key initiatives. Fewer than half of executives said these officers are largely involved in strategic planning for cyber investments, board reporting and overseeing tech deployments.
“This gap leaves organisations vulnerable to misaligned strategies and weaker security postures,” the report stated.
Related Videos
