The Cyber Resilience Compass 2025

Page 11 of 26 · WEF_The_Cyber_Resilience_Compass_2025.pdf

Examples of front-line practices that organizations are applying:

– Risk-owners across the organization develop risk profiles to provide a structured approach to managing cyber risk within their local purviews, identifying vulnerabilities and impacts and implementing proactive measures. These are combined within the enterprise risk management process to provide an organization-wide view of cyber risk. Such methodical risk assessments include identifying critical assets, evaluating their supporting digital infrastructure, assessing potential threats, analysing existing controls and reviewing past incidents within the organization, sector or broader ecosystem.

– Top leadership establishes transparent ownership and accountability structures and a clear chain of command to empower decision-makers. Individual risk-owners establish roles and responsibilities for key processes, decisions and risk management and communicate these structures, with regular reviews and assessments to ensure that roles adapt to address emerging risks.

– Legal, compliance and cybersecurity teams periodically evaluate legislative and regulatory developments to mitigate legal and financial risks while strengthening the cyber resilience posture. To create robust compliance strategies, they take into account incident notification requirements, cybersecurity standards, certification frameworks and regulatory fragmentation.

– CISOs and chief revenue officers (CROs) assess cyber insurance as a strategic tool to limit financial losses, legal liabilities, business disruptions and reputational damage caused by cyber incidents. They work closely with insurers and legal teams to meet policy requirements and to maximize coverage benefits.

Experts emphasized the need to ensure that relevant risk-owners across the organization fully understand their exposure to cyber risks, as well as the limitations of what the cybersecurity team can guarantee in terms of system availability, data confidentiality and data integrity.
Many highlighted the challenge of embedding responsibility and accountability for managing residual risk within the organization’s governance, risk and compliance systems. A common issue raised was the tendency to treat cyber risk as “the CISO’s problem” rather than understanding that cyber risk is business risk. The lack of cyber awareness and a shortage of specialized staff were identified as key factors contributing to this challenge, making it difficult for some risk-owners to grasp the extent of their cyber risk exposures. Additionally, immature regulations and the lack of qualified external advice were cited as barriers in certain regions.

“It is imperative to get multiple stakeholders in the room – front-line operators, legal, compliance, marketing, risk management, security practitioners and HR – and ask each of them to identify the top three critical scenarios they believe could cause us the greatest financial harm or the most devastating impact on the business connected to other KPIs.”
Gregory Eskins, Head, Global Cyber Insurance Center, Marsh McLennan

CASE STUDY 3
Schneider Electric – Key internal controls in action

Trust is at the core of Schneider Electric’s business, with cybersecurity as a critical pillar. Effective cyber risk management extends beyond technology to governance, which is why the company has embedded key internal controls (KICs) within the three-lines-of-defence framework. The KICs initiative establishes clear accountability for cyber risk mitigation, ensuring that business and operational cyber risk-owners (first line of defence) formally acknowledge risks and implement controls. These efforts are guided by the group CISO (second line of defence) and independently reviewed by internal audit (third line of defence). By making control expectations explicit, KICs eliminate ambiguity and ensure that cybersecurity and product security are integral to operations. KICs are mapped to company policies and the cyber risk register, which are updated annually by the cybersecurity team.

Each year, risk-owners formally sign off on control execution, providing evidence or action plans to address gaps. This structured approach strengthens compliance, enhances business resilience and enables the company to demonstrate security commitments to customers and regulators. By formalizing risk-ownership, KICs mark a significant advance in Schneider Electric’s cyber maturity programme, reinforcing the company’s proactive stance on cybersecurity and business continuity.

The Cyber Resilience Compass: Journeys Towards Resilience 11