^{Regional Outlooks}

Cyber risk in the UK has matured but our combined claims and D&O data shows maturity is not the same as readiness.

UK boards report high confidence in their resilience yet claims tell a different story. Vendor-triggered breaches are rising, ransomware-linked data exfiltration is becoming costlier, and executive impersonation is spreading from finance teams to payroll and HR.

Regulators are tightening expectations. The Cyber Security and Resilience Bill and proposed ransomware payment ban mark a shift from guidance to enforcement, while the ICO is increasingly judging firms on their preventive controls, not just their notifications.

Insurers are following suit. Appetite remains strong, but only for firms who can evidence tested resilience. UK boards need to close the gap between what they believe and what the claims data proves, and Willis FINEX can help them do it.

United Kingdom (GB)

Adrian Ruiz

Maturity is not the same as readiness. The data shows where confidence must now be proven.

Our combined claims and boardroom data shows a striking gap in North America: boards are confident, but losses keep climbing.

This region continues to produce the highest severity claims globally. Ransomware still dominates, driving multimillion-dollar outages, while deepfake and synthetic-ID fraud is now bypassing traditional controls.

Yet our survey shows board oversight remains inconsistent, and many still underestimate vendor concentration risk even though third-party failures are behind a growing share of losses.

Regulators are raising the stakes. SEC disclosure rules are driving faster reporting, while state attorneys general and the FTC are scrutinizing board accountability. Insurers are demanding the same, probing continuity plans, systemic vendor risk, and board testing.

Boards that align oversight with how claims actually happen will find capacity and pricing remain available but only if they can prove it.

North America

Jason Warmbir

Confidence is high but North America has the highest cyber loss severity in the world.

Across Europe, governance frameworks are robust, but our data shows they aren’t closing the gap between perception and reality.

Boards consistently rate their cyber readiness highly, yet claims reveal mounting severity, particularly from vendor failures that trigger cross-border regulatory notifications. Ransomware remains the top cause of first-party loss, while social engineering is shifting from wire fraud to HR and payroll attacks.

Regulators are tightening the net. GDPR fines are increasingly tied to preventive controls, not just breach disclosure, and the EU AI Act is ushering in mandatory oversight obligations.

Insurers are becoming selective. Boards that can demonstrate tested resilience not just declare it are securing better terms and capacity. Willis FINEX helps firms benchmark their readiness and close the gaps that boards often overlook.

EMEA (ex UK)

Brian Vosloh

Strong governance frameworks only work if they are tested and enforced.

Asia-Pacific boards are bullish on cyber readiness, but our claims data reveals fast-growing exposures, particularly where vendor breaches and ransomware intersect with rapid digital and AI adoption.

Loss frequency remains lower than in North America or Europe, but severity is rising sharply, driven by longer business interruption periods and weaker recovery planning.

Regulators are reacting. Australia’s cyber strategy and Singapore’s Cybersecurity Act amendments have raised expectations, and several other markets are introducing SEC-style incident disclosure rules.

Our survey shows many boards underestimate these shifts and overestimate their resilience. Insurers are responding with deeper scrutiny of foundational hygiene, vendor oversight, and incident testing. Boards who align their confidence with evidence will gain both resilience and market advantage.

Asia-Pacific

Jennifer Tiang

Fast adoption has fuelled fast exposure, and boards are only starting to see it.

Cyber risk in Hong Kong and Greater China is entering a new phase, with regulation set to reshape board accountability. The new Cybersecurity for Critical Infrastructure Bill, coming into force in January 2026, will require operators in key sectors such as finance, energy, telecoms, healthcare, and transport to meet mandatory standards, report incidents, and designate responsible officers for cyber risk.

Our combined claims and boardroom data shows a familiar gap: confidence remains high, yet incidents tell a different story. Vendor-triggered breaches continue to cause long recovery periods, while ransomware is driving mounting operational and financial losses. Against this backdrop, the new Bill raises the stakes, making prevention, testing, and governance matters of compliance, not just best practice.

Insurers are already signalling greater scrutiny of critical infrastructure exposures, with resilience testing and regulatory preparedness now part of renewal discussions. Boards that can evidence controls and rehearsal will secure more favourable terms and market confidence. Those that delay risk being caught short as regulation and risk converge.

Hong Kong & Greater China

Carlos Grijalva

Regulation is raising the bar. Firms that prepare now will not only withstand attacks but also demonstrate resilience when regulators and insurers put them to the test.”

Our data shows cyber risk in Latin America is scaling faster than board oversight.

Claims are rising quickly from a lower base, driven by vendor-triggered breaches and ransomware striking firms without tested response plans. Business interruption losses are high, and recovery periods are long. At the same time, regulation is tightening. Brazil’s LGPD enforcement is strengthening, and several GCC states are introducing mandatory breach reporting and critical infrastructure requirements.

Boards in these regions often express confidence, but our survey shows incident plans are rarely tested and insurers are noticing. The firms that build clear governance, vendor oversight, and response protocols now will secure cover on favorable terms before the market hardens further.

Latin America & Middle East

Rodrigo Flores

Confidence is not preparation and the window to prove it is closing fast.