New research reveals cybersecurity breaches cause measurable stock price declines, as well as alarming disconnects across the C-suite on what is actually working to secure enterprises
NEW YORK, April 15, 2025 /PRNewswire/ — New research from Ernst & Young LLP (EY US) highlights significant financial risks posed by today’s evolving cybersecurity threat landscape, with alarming disconnects across the C-suite on exposure levels, threat sources and more. In addition to the latest EY US C-suite cybersecurity study, which found a majority of C-suite leaders (84%) report that their organization experienced a cybersecurity incident in the past three years, a separate EY US analysis of Russell 3000 companies found those experiencing a cyber incident typically see their stock price decrease by 1.5% over the following 90 days, demonstrating the tangible and enduring effects of cyber incidents on market capitalization for the firms that experience them.
The EY 2025 Cybersecurity Study: Bridging the C-suite Disconnect surveyed 800 US C-level executives, including 300 chief information security officers (CISOs) and 500 other C-suite leaders, to uncover cybersecurity investment levels, emerging threats, and sentiment about risks and preparedness. The study found that CISOs are more on edge than other C-suite executives: two-thirds (66%) of CISOs say they are worried that the cybersecurity threats their organization is facing are more advanced than their defenses, which is significantly more than their C-suite counterparts (56%).
“Companies need to move beyond a ‘check the box’ mentality and recognize cybersecurity as a strategic investment, not simply a cost center,” said Jim Guinn, II, EY Americas Cybersecurity Leader. “It’s time to take the bull by the horns and push for not just the resources but the authority for cyber leaders to build truly resilient organizations. The cost of inaction is simply too high.”
C-suite disconnects on cybersecurity may leave organizations exposed
Comparing the responses of CISOs to their C-suite counterparts reveals worrying divides. For example, CISOs are more likely than the rest of the C-suite to express concern about senior leaders at their organization underestimating the dangers of cybersecurity threats (68% vs. 57%), highlighting a lingering exposure rooted in the rest of the C-suite’s limited understanding of the downside risks.
The survey also found a divide between CISOs and the rest of the C-suite on the origin of cybersecurity incidents and the threat actors responsible. CISOs (57%) are more likely than the rest of the C-suite (47%) to say their organization has experienced a cybersecurity incident due to cybercriminals in the past three years. Similarly, more CISOs (47%) say their organization has experienced a cybersecurity incident due to insider threats (i.e., employees intentionally stealing or leaking private information) in the past three years, compared to the rest of the C-suite (31%). This gap in understanding about the historical source of incidents is problematic for building defenses against future threats.
Another concerning disconnect is that CISOs are the most likely to attribute decreased cyber incidents to investment in artificial intelligence (AI). In fact, 75% of CISOs say their organization experienced a decrease in cybersecurity incidents following increased investment in AI, compared to the rest of the C-suite (68%). By contrast, the rest of the C-suite (77%) is more likely than CISOs (69%) to attribute success in decreased cybersecurity incidents to increased investments in employee cybersecurity training.
A call to action to bridge the gaps in C-suite cybersecurity perception
“CISOs see escalating threats and vulnerabilities, while the C-suite appears to often believe cybersecurity is handled,” said Guinn. “Cybersecurity incidents carry significant and far-reaching financial repercussions beyond immediate recovery costs. Our research reinforces the urgent need for leaders to come together and develop a comprehensive cybersecurity strategy that addresses the evolving threat landscape and includes clear communication, a shared understanding of the risks and opportunities, and priority areas for investment.”
Despite the risks posed by key disconnects, there is a silver lining as investments are on the rise. While 21% of C-suite leaders say their organization currently invests more than 10% of their IT budget (which cybersecurity falls under) in cybersecurity, this number is expected to roughly double to 38% next year.
To better maximize this additional capital amid heightened cyber risks and turbulent economic conditions, Guinn and the EY US Cybersecurity team recommend the following:
- Elevate the CISO role: Establish the CISO as a position of ownership over the organization’s security posture, with the mandate to drive strategic security initiatives and influence critical business decisions.
- Invest strategically: Align cybersecurity investments with the organization’s overall business objectives and risk tolerance, ensuring that resources are allocated effectively to address the most critical threats.
- Embrace innovation: Continue reviewing and adopting new technologies and approaches to cybersecurity, including AI and machine learning, to enhance threat detection and response capabilities.
- Develop a culture of cyber confidence: Promote a culture of cybersecurity awareness and responsibility at every level across the entire organization, empowering employees to identify and report potential threats.
Methodology
In December 2024 and January 2025, Ernst & Young LLP (EY US) commissioned a third party to conduct an online survey of 800 US C-level leaders (including 500 C-suite leaders and 300 Chief Information Security Officers). “C-suite leaders” refers to the total sample; “C-suite executives” or “rest of C-suite/C-suite counterparts” refers to full-time employed executives (n=105 Chief Operating Officers, n=106 Chief Financial Officers and n=289 other non-CISO C-suite executives) who are decision makers for their organization’s information security, including data and systems; and “CISOs” refers to full-time employed executives who are responsible for their organization’s information security, including data and systems, across ten industry sectors. The margin of error (MOE) for the total sample is +/- 3 percentage points; the MOE for CISOs is +/- 6 percentage points and the MOE for their C-suite counterparts is +/- 4 percentage points.
Industries surveyed include the health, life sciences, energy, technology media and telecommunications, government and public sector, consumer products and retail, advanced manufacturing and mobility, financial services, private equity and real estate, hospitality and construction industries. There is a minimum of n=50 per industry for C-suite leaders and n=30 per industry for CISOs.
EY QUEST Methodology
A staggered difference-in-differences model was used to evaluate the impact of cyber incidents on the stock prices of publicly traded companies. The analysis focused on companies in the Russell 3000 with a market cap of at least $1 billion in 2024 that experienced a cyber incident between 2021 and 2024, with the following inclusion criteria:
- Russell 3000 companies were selected because they represent more than 95% of the total US tradable market, ensuring broad market representation.
- Cyber incidents from 2021-2024 were included to assess the impact following the introduction of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which raised expectations for incident disclosure. Note that CIRCIA was signed into law in March 2022, and its mandatory reporting (to CISA, not to the public) takes effect only once CISA’s implementing rule is final, so the 2021 start date marks the period in which the act was introduced in Congress rather than a disclosure requirement in force.
- Companies that had previously experienced a cyber incident (2010-2020) were excluded to avoid potential confounding effects from prior incidents that may have already influenced stock price trends.
- The SPDR S&P 500 ETF (SPY), which tracks the S&P 500 index, was also included in the control group to represent the stock price movement of large publicly traded US companies.
Following the above inclusion criteria, the analysis included 96 companies that experienced a cyber incident.
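As an added illustration of the estimator described above (example code written for this page, not EY’s QUEST model, its data or its results), the following Python runs a simplified staggered difference-in-differences on a constructed panel of daily prices. Everything in it is assumed: the tickers, the 400-day panel, the common drift, the market-wide shock, the incident sizes and the 90-day pre/post windows. It mirrors the inclusion rules listed above (firms with a prior incident are dropped, never-incident firms plus an index proxy form the control group) and shows why the design is used: a drop common to every firm cancels out of the estimate, while the incident-specific drop survives.

```python
"""Simplified staggered difference-in-differences (DiD) event study on a
constructed panel of daily stock prices.

Illustration only: this is not EY's QUEST model or data. The tickers, the
90-day windows, the drift, the market shock and the incident sizes below are
all constructed for this example.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DAYS = 400                 # trading days in the constructed panel
DRIFT = 0.0002             # common daily drift shared by every firm
MARKET_SHOCK_DAY = 250     # a market-wide 5% drop that hits every firm
MARKET_SHOCK = -0.05


@dataclass
class Firm:
    ticker: str
    incident_day: Optional[int] = None   # day the incident becomes public; None = never
    incident_drop: float = 0.0           # abnormal move applied on incident_day
    prior_incident: bool = False         # incident before the sample window -> excluded
    prices: List[float] = field(default_factory=list)


def build_prices(firm: Firm) -> Firm:
    """Deterministic price path: common drift, common market shock, firm-specific incident."""
    price = 100.0
    firm.prices = []
    for day in range(DAYS):
        price *= 1.0 + DRIFT
        if day == MARKET_SHOCK_DAY:
            price *= 1.0 + MARKET_SHOCK
        if firm.incident_day is not None and day == firm.incident_day:
            price *= 1.0 + firm.incident_drop
        firm.prices.append(price)
    return firm


def log_return(prices: List[float], start: int, end: int) -> float:
    """Log return between two closing prices; log returns add across days."""
    return math.log(prices[end] / prices[start])


def pre_post_change(firm: Firm, last_pre_day: int, pre: int, post: int) -> float:
    """Post-window log return minus pre-window log return around an event date."""
    pre_ret = log_return(firm.prices, last_pre_day - pre, last_pre_day)
    post_ret = log_return(firm.prices, last_pre_day, last_pre_day + post)
    return post_ret - pre_ret


def event_did(treated: Firm, controls: List[Firm], pre: int = 90, post: int = 90) -> float:
    """Two-period DiD for one event: the treated firm's pre-to-post change minus the
    average pre-to-post change of the controls over the same calendar window.
    Anything common to treated and controls (drift, market shocks) cancels."""
    last_pre_day = treated.incident_day - 1      # last close before the incident
    if last_pre_day - pre < 0 or last_pre_day + post >= DAYS:
        raise ValueError(f"{treated.ticker}: event window falls outside the panel")
    control_change = sum(pre_post_change(c, last_pre_day, pre, post) for c in controls) / len(controls)
    return pre_post_change(treated, last_pre_day, pre, post) - control_change


def staggered_did(firms: List[Firm], pre: int = 90, post: int = 90) -> Tuple[Dict[str, float], float]:
    """Apply the inclusion rules, then average the per-event DiD estimates.

    Firms with a prior incident are dropped entirely; never-incident firms (including
    the index proxy) are the control group for every cohort, so an already-treated
    firm is never used as a control for a later cohort."""
    sample = [f for f in firms if not f.prior_incident]
    treated = [f for f in sample if f.incident_day is not None]
    controls = [f for f in sample if f.incident_day is None]
    per_event = {f.ticker: event_did(f, controls, pre, post) for f in treated}
    average = sum(per_event.values()) / len(per_event)
    return per_event, average


def constructed_panel() -> List[Firm]:
    """Constructed sample: an index proxy, two clean controls, three staggered
    incident cohorts and one firm excluded for a prior incident."""
    return [build_prices(f) for f in (
        Firm("IDX"),
        Firm("CTL1"),
        Firm("CTL2"),
        Firm("VIC1", incident_day=120, incident_drop=-0.03),
        Firm("VIC2", incident_day=200, incident_drop=-0.01),   # post window contains the market shock
        Firm("VIC3", incident_day=280, incident_drop=-0.02),   # pre window contains the market shock
        Firm("OLD", incident_day=150, incident_drop=-0.04, prior_incident=True),
    )]


if __name__ == "__main__":
    per_event, avg = staggered_did(constructed_panel())
    for ticker, est in per_event.items():
        print(f"{ticker}: abnormal 90-day log return {est:+.4f} ({math.expm1(est):+.2%})")
    print(f"average: {avg:+.4f} ({math.expm1(avg):+.2%})")
```

Each per-event estimate comes back as the log of one plus the injected incident drop, and the 5% market-wide shock leaves no trace even though it falls inside VIC2’s post window and VIC3’s pre window; that cancellation is the parallel-trends assumption doing its work, and it only holds because the controls were on the same drift. A real analysis would replace the hand-built panel with market data, the two-period contrast with a regression over daily returns, and the never-treated control group with whatever comparison set the estimator is designed for.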
About EY
EY is building a better working world by creating new value for clients, people, society and the planet, while building trust in capital markets.
Enabled by data, AI and advanced technology, EY teams help clients shape the future with confidence and develop answers for the most pressing issues of today and tomorrow.
EY teams work across a full spectrum of services in assurance, consulting, tax, strategy and transactions. Fueled by sector insights, a globally connected, multidisciplinary network and diverse ecosystem partners, EY teams can provide services in more than 150 countries and territories.
All in to shape the future with confidence.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. Information about how EY collects and uses personal data and a description of the rights individuals have under data protection legislation are available via ey.com/privacy. EY member firms do not practice law where prohibited by local laws. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
SOURCE EY