Cyber security: From operating cost to strategic business leverage

In a rapidly changing business landscape, management’s priorities for 2025 and 2026 focus on several key areas to ensure companies’ resilience and growth in an uncertain market environment. These include improving corporate governance, risk management, implementation of new technologies, relations with all stakeholders, and sustainability. In the face of these complex challenges, it is crucial to understand that cyber security is not a separate, technical problem, but is a fundamental element that underpins each of these strategic priorities. Unfortunately, dangerous thinking still prevails in many organizations, viewing cyber security as an operating expense rather than a strategic investment in the future of the company.

Digital challenge at the top of the board

There is often a certain sense of overconfidence on the part of boards of directors about their ability to manage a crisis. PwC’s research shows that almost all executives surveyed are confident that their board can successfully guide the company through a crisis situation. However, this optimism contrasts with a lack of preparedness. Many companies, despite their stated confidence in their abilities, still do not have formal risk escalation plans. This contradiction raises a fundamental question: what is the board’s certainty based on when it lacks the basic tools and procedures to act? It suggests that this certainty is misguided and rests on an underestimation of the true scale and complexity of modern cyber threats. As a result, these risks are erroneously viewed as a problem to be addressed when they occur, rather than as a permanent part of business strategy requiring ongoing oversight.

This report aims to reframe this thinking and present the thesis that in today’s interconnected world, a mature cyber security posture is a key intangible asset. It is a resource that not only protects the value of the company, but also provides the foundation for building trust with customers, partners and the market, and ultimately provides a measurable competitive advantage. Digital resilience is becoming a new criterion for stability and reliability, and responsibility for it lies at the highest level of management.

Financial and reputational dimensions: Cost of inaction, strength of resilience

Confronting an abstract threat like a cyberattack requires translating it into concrete, measurable financial and operational consequences. Available data and real-world case studies show that the cost of a data breach goes far beyond the direct expense of fixing systems or paying ransoms.

One of the most striking examples of the cascade of risk that results from human error is the 2023 incident that affected MGM. Hackers gained access to the company’s private data using a social engineering attack sparked by an employee’s public profile on LinkedIn. This seemingly minor error in digital hygiene allowed sophisticated defenses to be bypassed, and resulted in Las Vegas systems being cut off, preventing reservations and casinos from operating. The direct cost of the incident was an estimated $100 million in lost revenue. This was not the end of the losses, however, as the company also faced a $45 million class action lawsuit for data breaches that occurred in 2019 and 2023. This case study illustrates how an error in a single human or process element triggers a catastrophic cascade of financial, operational, legal and reputational losses.

Another example is the ransomware attack on UnitedHealth Group in early 2024, which cost the company $22 million in ransom alone. This attack has jeopardized the private data of more than 100 million people, inevitably leading to long-term legal consequences, loss of trust, and the need to incur costs to monitor the data of those affected. The data confirms that the human element is the weakest link in the security chain. Verizon’s 2025 report indicates that as many as 60% of all data breaches are directly related to human error, such as phishing or using weak passwords. This underscores that cyber security management is not just an investment in advanced technology, but more importantly in education and processes to neutralize the most common attack vectors.

Aggregate figures speak to boards with no less force. The global average cost of a data breach increased by 10% in 2024 compared to the previous year, reaching $4.88 million. The problem is equally acute in the Polish context. The survey found that 70% of companies in Poland have experienced a situation that threatened the security of their data and IT systems. The average estimated cost per incident is more than one million zlotys. The data underscore that the threat is not a distant, abstract issue, but a real and present problem that affects every company, regardless of its scale.

However, the true cost of a breach goes far beyond direct expenses. Damage to reputation and loss of trust are intangible losses, the value of which can be many times greater than the direct financial costs. According to the survey, as many as 36% of consumers will limit their relationship with a company after a data breach, and 22% will end it altogether. Loss of customer trust leads to reduced loyalty and discourages potential business partners. This shows that a company’s image as one that cares about cyber security has become a key brand attribute, determining its long-term success.

Cyber security as a lever for competitive advantage

In the face of growing threats and strict regulation, it’s time to change attitudes and view cyber security not just as a cost, but as a strategic lever that can provide a sustainable competitive advantage. In the age of the digital economy, operational resilience, customer trust and intellectual property protection are key determinants of success. A mature cybersecurity strategy allows not only to effectively neutralize threats, but also to actively exploit market opportunities, as evidenced by companies that can turn experience into unique value.

One of the most powerful ways to use cyber security as an advantage is in the B2B market. Security audits, certifications (such as SOC-2) and high transparency in data management are becoming key elements in the sales process. Business customers expect proof from their partners that their sensitive data is secure, and companies that cannot provide this risk losing contracts and reputations. As many as 87% of consumers say they would not do business with a company about which they have concerns about its security practices. This attitude shows that concern for cybersecurity translates directly into purchasing decisions and brand value.

In this context, supply chain risk management becomes a critically important element. Weaknesses in one partner can jeopardize the entire network, which is why Vendor Due Diligence (VDD) is a key external risk management process. VDD goes beyond one-time questionnaires. True resilience requires continuous monitoring, verification of the security posture, and assessment of the financial stability and reputation of suppliers to minimize risks coming from outside.

Cyber security, seen as a cost, is merely a requirement to be met. However, when it is treated as a resource, in the sense of strategic resource theory, it becomes a unique element that is difficult to imitate and creates a long-term advantage. Traditional business strategy focuses on neutralizing threats. The new approach, seen in the research, demonstrates that companies with a mature cybersecurity posture can leverage their accreditations and reputation to win new contracts. This transforms cybersecurity into a resource with the qualities of being valuable, rare, inimitable and non-substitutable. In this way, management should view security programs not as a compliance audit, but as a key investment in the capital of trust that forms the basis for scaling the business and opening up to new markets.

Regulatory headwinds from Europe: NIS2, DORA and the new role of the board of directors

The European regulatory landscape is undergoing a transformation that has fundamental implications for boards. New regulations, such as the NIS2 directive and the DORA regulation, introduce an unprecedented level of accountability that changes the rules of the game in risk management.

The NIS2 directive, which went into effect on October 17, 2024, significantly expands its scope to include new sectors of the economy, including manufacturing, digital services and transportation. It introduces severe financial penalties of up to €10 million or 2% of global annual turnover, whichever is higher, for entities deemed “essential.” The key and most revolutionary change for the board, however, is the introduction of personal liability for top management for gross negligence in cyber-risk management. It is a fundamental change that moves responsibility from the IT department to the board of directors, making cybersecurity a topic for active oversight rather than mere delegation.

In parallel, the financial sector is facing the DORA regulation, which went into effect in 2023, with full application from 2025. DORA requires financial entities to implement a comprehensive ICT risk management framework, incident reporting, and regular digital resilience testing, including threat-led penetration testing (TLPT). Penalties for failing to comply with DORA are equally severe, reaching up to 2% of total annual global turnover, and in some respects are even harsher than the penalties under RODO (GDPR).

An analysis of the status of NIS2 transposition in Poland shows that the country has not managed to implement the directive by October 17, 2024, prompting the European Commission to initiate proceedings against 23 member states. Delay, while at first glance it may seem like a temporary relief from implementation costs, is actually a risky game. The phenomenon of “regulatory arbitrage” – deliberately avoiding implementation costs by doing business in jurisdictions that delay the transposition of regulations – makes companies more vulnerable to attacks. What’s more, they are losing their competitive edge in the international market, where partners have already adapted to rigorous standards.

The legal transfer of responsibility to the board of directors is forcing a cultural shift in the approach to cyber security. In the past, this was a technical problem, delegated to the IT department. The new regulations directly link the lack of due diligence in risk management to the personal financial and reputational liability of board members. This radically changes the dynamics of discussion in the boardroom, and “security” suddenly becomes “my personal risk.” Regulation is the strongest catalyst for a mature cyber security posture. It is regulation, and not just the fear of lost revenue, that will ultimately compel boards to actively oversee this area, recruit cyber security experts to the board and invest in ongoing training.

The following table shows the key changes in liability and penalties that the new European regulations introduce.

| Directive | Financial penalties (maximum) | Key implications for management | Status in Poland |
|---|---|---|---|
| NIS2 | €10 million or 2% of global annual turnover (whichever is higher) | Personal liability for gross negligence in cyber risk management; need to oversee implementation of safeguards | Transposition delayed; the European Commission has opened proceedings against Poland |
| DORA | 2% of total annual global turnover | Obligation to implement a comprehensive ICT risk management framework, incident reporting and regular resilience testing (TLPT) | In effect since 2023, with full application from 2025 |

Investing in resilience: how to measure the return on cyber security

Boards are numbers-oriented, so every argument must be presented in business language. Measuring return on investment (ROI) in cyber security is rarely positive in traditional terms. The real value lies in the concept of cost avoidance. Investing in cyber security is analogous to buying an insurance policy for a company’s strategic assets. Companies regularly invest in property or liability insurance to protect themselves against risks that, while unlikely, would have catastrophic consequences. A cyber attack is one of the biggest catastrophic threats today, threatening the existence of a company. The cost of implementing robust security measures is a fraction of the potential losses.

Penetration testing, which involves simulating an attack to find vulnerabilities, should be viewed not as a one-time audit, but as a key component of ongoing risk management. The tangible benefits of doing so include: reducing the likelihood and severity of breaches, meeting regulatory requirements (e.g., DORA), and improving the company’s reputation.

Modern solutions, such as Penetration Testing as a Service (PTaaS), offer continuous testing and predictable costs, strengthening the business case for investing in cybersecurity. Rather than relying on costly, one-time testing, the PTaaS model provides continuous testing and real-time vulnerability detection, allowing for proactive risk mitigation and increased team efficiency.

A robust cyber security program can also result in tangible savings, such as reduced insurance premiums. Additionally, investments in automation and more streamlined processes lead to reduced operational downtime and more productive teams that can focus on strategic goals rather than manual compliance management.

The following table shows a simplified calculation of the return on investment of penetration testing, illustrating how the value is measured by cost avoidance.

| | No penetration tests | With penetration testing (PTaaS) |
|---|---|---|
| Estimated cost of the incident | PLN 1,000,000 | PLN 1,000,000 |
| Probability of attack | 50% | 10% (reduced by 90%) |
| Expected value of losses | PLN 500,000 | PLN 100,000 |
| Cost of testing & security | PLN 0 | PLN 50,000 |
| Avoided losses (savings) | – | PLN 400,000 |
| ROI | – | (400,000 – 100,000) ÷ 100,000 × 100% = 300% |

This simplified approach allows the discussion of cybersecurity to be conducted in business language, transforming the qualitative argument (“we are protecting the company”) into a quantitative one (“our investment will pay for itself many times over in avoided cost”).

Conclusions and Recommendations for the Board: Build Resilience for the Future

The conclusions of this analysis are clear: cyber security has ceased to be merely a technical problem and has become a real and measurable financial, strategic and legal risk. The cost of breaches goes far beyond direct expenses, hitting reputation and trust, which are the most valuable assets of any company. Investing in cybersecurity can become a key competitive advantage, especially in the B2B market, where customers are increasingly verifying the security posture of their partners. EU regulations, including NIS2 and DORA, are raising the bar and introducing personal liability for the board of directors, making cyber risk oversight an absolute priority.

Based on this analysis, the following are key recommendations for management.

01

Review of the composition of the board

It is important to assess whether the board of directors has adequate competence in technology and cyber security to actively oversee this area. PwC’s research shows that only 32% of executives believe their board has adequate knowledge of AI, international strategy and sustainability. In the face of growing threats, the lack of expertise on the board is a serious gap. Consider adding a director with such skills or training current members.

02

Formalization of risk oversight

It is necessary to establish a risk oversight committee or delegate this area to an existing committee, such as audit. Moreover, it is critical to ensure that this committee receives regular, clear and business-relevant reports that go beyond checklists and provide strategic risk information.

03

Investment in continuous testing and processes

Instead of relying on one-time, spot audits, implement a continuous testing model, such as through PTaaS. This approach allows for proactive identification and remediation of security vulnerabilities before they are exploited by cybercriminals. It is also important to ensure that due diligence with suppliers becomes a regular part of the business relationship.

04

Culture of accountability

Even the best technological systems will not protect a company from its weakest link – the human factor. It is necessary to invest in continuous training and awareness raising for all employees, including top management, to minimize the risks from phishing, social engineering and other attack vectors.

A company’s resilience to the challenges of the future will no longer be defined only by its balance sheet, innovation or market position, but also by its ability to protect itself and its stakeholders in the digital space. Decisions made today in the boardroom, not in the server room, will determine a company’s resilience, reputation and competitiveness in the years to come.
