Recent research reveals that security breaches cause significant stock price declines and disturbing disconnects among the C-suite regarding what is really working for businesses.
NEW YORK, April 15, 2025 /PRNewswire/ – New research from Ernst & Young LLP highlights the considerable financial risks posed by a rapidly changing security landscape and shows alarming gaps between C-suite leaders on exposure levels, threat sources, and more. A separate analysis of Russell 3000 companies found that those experiencing a cyber incident typically see their stock price decrease by 1.5 % over the following 90 days, demonstrating the tangible and enduring effect of cyber incidents on market capitalization. The most recent C-suite cybersecurity study found that a majority of C-suite leaders ( 84 % ) report that their organization experienced a cybersecurity incident in the past three years.
To learn about security investment levels, emerging threats, and attitudes toward risk and planning, the EY 2025 Cybersecurity Study: Bridging the C-suite Disconnect polled 800 US C-level executives, including 300 CISOs and 500 other C-suite leaders. Two-thirds ( 66 % ) of CISOs say they are concerned that the cybersecurity threats their organization faces are more advanced than its defenses, significantly higher than their C-suite counterparts ( 56 % ), according to the study.
Companies must shift away from the “check the box” mindset and view cybersecurity as a strategic investment, not just a cost center. It’s time to “take the bull by the horns” and demand that cyber leaders have the authority to create truly resilient organizations. Simply put, the cost of inaction is too high.
C-suite disconnects on cybersecurity could leave organizations exposed.
Concerning differences can be seen between CISO responses and those of their C-suite counterparts. For instance, CISOs are more likely than the rest of the C-suite to express concern that senior leaders at their organization underestimate the risks of cybersecurity threats ( 68 % vs. 57 % ), highlighting a lingering vulnerability created by the C-suite’s limited understanding of the downside risks.
Additionally, the survey revealed a disconnect between CISOs and the rest of the C-suite regarding the causes of cybersecurity incidents and the source of the threat actors. CISOs ( 57 % ) are more likely than the rest of the C-suite ( 47 % ) to say that their organization has been the victim of a cybersecurity incident caused by cybercriminals in the last three years. Likewise, more CISOs ( 47 % ) say that their organization has been the victim of a cybersecurity incident caused by insider threats ( i.e., employees intentionally stealing or leaking confidential information ) in the last three years, compared to the rest of the C-suite ( 31 % ). This discrepancy in understanding the history of past incidents makes it harder to build defenses against future threats.
Another notable disconnect is that CISOs are the most likely to attribute a decrease in cyber incidents to investment in artificial intelligence ( AI ). Compared with the rest of the C-suite ( 68 % ), 75 % of CISOs say that their organization experienced a decrease in cybersecurity incidents as a result of increased AI investment. By contrast, the rest of the C-suite is more likely than CISOs ( 69 % ) to attribute decreased cybersecurity incidents to greater investment in employee cybersecurity training.
A call to action to address disparities in C-suite perceptions of cybersecurity
The C-suite appears to believe cybersecurity is handled, according to Guinn, while CISOs see escalating threats and vulnerabilities. Beyond just recovering from a breach, cybersecurity incidents have significant and far-reaching financial repercussions. Our findings demonstrate the urgent need for leaders to work together to create a comprehensive cybersecurity strategy that includes clear communication, a shared understanding of the risks and opportunities, and clear investment priorities.
Despite the dangers posed by these significant disconnects, there is a positive sign: investment is increasing. While 21 % of C-suite leaders say that their organization invests more than 10 % of its IT budget ( under which cybersecurity falls ) in cybersecurity, this figure is expected to increase by about 30 % to 38 % in the coming year.
Guinn and the EY US Cybersecurity team advise the following to maximize this additional capital in the face of increased cyber risks and turbulent economic conditions:
- Empower the CISO: Establish a CISO role with the authority to steer strategic security initiatives and make important business decisions as part of the organization’s security posture.
- Align investment with business risk: Ensure that resources are directed at the most pressing threats by aligning cybersecurity investments with the organization’s overall business objectives and risk tolerance.
- Encourage innovation: Keep examining and adopting new cybersecurity tools and techniques, including AI and machine learning, to enhance threat detection and response capabilities.
- Create a culture of cyber confidence: Encourage employees to identify and report potential threats at every level throughout the entire organization.
Methodology
In December 2024 and January 2025, Ernst & Young LLP (EY US) commissioned a third party to conduct an online survey of 800 US C-level leaders (including 500 C-suite leaders and 300 Chief Information Security Officers). “C-suite leaders” refers to the total sample; “C-suite executives” or “rest of C-suite/C-suite counterparts” refers to full-time employed executives (n=105 Chief Operating Officers, n=106 Chief Financial Officers and n=289 other non-CISO C-suite executives) who are decision makers for their organization’s information security, including data and systems; and “CISOs” refers to full-time employed executives who are responsible for their organization’s information security, including data and systems, across ten industry sectors. The margin of error (MOE) for the total sample is +/- 3 percentage points; the MOE for CISOs is +/- 6 percentage points and the MOE for their C-suite counterparts is +/- 4 percentage points.
The industries surveyed include government and the public sector, consumer products and retail, advanced manufacturing and mobility, financial services, private equity and real estate, hospitality and construction, and others. There is a minimum of n=50 per industry for C-suite leaders and n=30 per industry for CISOs.
EY QUEST Methodology
A staggered difference-in-differences model was used to evaluate the impact of cyber incidents on the stock prices of publicly traded companies. The analysis focused on companies in the Russell 3000 with a market cap of at least $1 billion in 2024 that experienced a cyber incident between 2021 and 2024, with the following inclusion criteria:
- Russell 3000 companies were chosen because they represent more than 95 % of the total US tradable market, ensuring broad market representation.
- Cyber incidents from 2021 to 2024 were included to assess the impact following the introduction of the Cyber Incident Reporting for Critical Infrastructure Act ( CIRCIA ) in 2021, which increased disclosure requirements.
- Companies that had previously experienced a cyber incident ( 2010-2020 ) were excluded to avoid the potential confounding effects of earlier events that may have already affected stock price trends.
- The S&P 500 index, which tracks the stock price movements of large, publicly traded US companies, was included as the control group.
After applying the inclusion criteria set forth above, the analysis included 96 companies that had been affected by a cyber incident.
About EY
EY is building a better working world by creating new value for clients, people, society and the planet, while building trust in capital markets.
Enabled by data, AI and advanced technology, EY teams help clients shape the future with confidence and develop answers for the most pressing issues of today and tomorrow.
EY teams work across a full spectrum of services in assurance, consulting, tax, strategy and transactions. Fueled by sector insights, a globally connected, multidisciplinary network and diverse ecosystem partners, EY teams can provide services in more than 150 countries and territories.
All in to confidently shape the future.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
SOURCE EY