PwC 2025 Digital Trust Insights: Why Only 2% of Organizations Achieve Full Cyber Resilience
📌 Key Takeaways
- Critical resilience gap: Only 2% of organizations have fully implemented cyber resilience actions across all areas, despite the average data breach costing $3.32 million
- GenAI double edge: 67% of security executives say GenAI has expanded their attack surface, yet 78% have simultaneously increased GenAI investment for defensive capabilities
- Budget misalignment: While 77% expect cybersecurity budgets to increase in 2025, only 21% routinely allocate spending to their organization’s actual top risks
- CISO confidence gap: A 13-percentage-point gap exists between CISOs and CEOs on regulatory compliance readiness, with fewer than 50% of CISOs involved in strategic planning
- Regulation as catalyst: 96% of executives confirm cybersecurity regulations have driven increased investment, with 78% saying regulations improved their security posture
The State of Digital Trust and Cyber Resilience in 2025
PwC’s 2025 Global Digital Trust Insights report arrives at a critical inflection point for enterprise cybersecurity. As organizations grapple with an expanding threat landscape driven by generative AI, cloud proliferation, and increasingly sophisticated state-sponsored attacks, the report reveals a sobering disconnect between cybersecurity awareness and actual resilience implementation. The comprehensive survey draws on insights from thousands of global executives across industries, offering the most detailed picture yet of where organizations stand in their cybersecurity maturity journey.
The headline finding is striking: only 2% of organizations have implemented cyber resilience actions across all areas surveyed by PwC. This statistic alone signals an industry-wide challenge that extends far beyond technology — it encompasses governance, leadership alignment, budget allocation, and organizational culture. The report positions digital trust not merely as a defensive necessity but as a competitive differentiator, with 57% of executives citing customer trust and 49% citing brand integrity as primary motivations for cybersecurity investment.
PwC Digital Trust Insights: The 2% Resilience Gap Explained
The core finding of PwC’s digital trust insights study is the massive gap between cybersecurity aspiration and implementation. While executives universally acknowledge the importance of resilience, the numbers tell a different story. For individual resilience measures, adoption rates remain alarmingly low: only 34% of organizations have broadly established a dedicated resilience team, 35% have created a cyber recovery playbook for IT-loss scenarios, and just 31% have mapped their technology dependencies.
Perhaps most telling is that 42% or fewer organizations have fully implemented any single one of the 12 resilience actions evaluated in the survey. The preparedness mismatch is equally concerning — the threats executives find most worrying, including cloud risks, hack-and-leak operations, third-party breaches, and connected product attacks, are precisely the areas where organizations feel least prepared to respond. This creates a dangerous vulnerability window that sophisticated threat actors are increasingly exploiting.
The financial impact of this resilience gap is substantial. The average data breach cost stands at $3.32 million according to the report, with over 25% of organizations reporting that their most damaging breach in the last three years cost at least $1 million. These figures underscore the tangible business consequences of failing to close the implementation gap, making cyber resilience not just a security priority but a fundamental business imperative that directly impacts the bottom line.
GenAI and the Expanding Cybersecurity Attack Surface
Generative AI emerges as the most disruptive force in the 2025 cybersecurity landscape. PwC’s findings reveal a stark duality: 67% of security executives acknowledge that GenAI has increased their attack surface over the past year, while simultaneously 78% have increased their investment in GenAI — recognizing its defensive potential for threat detection, intelligence gathering, and phishing identification. This bifurcated relationship between GenAI and security defines the current era of digital trust.
The challenges of integrating GenAI into security operations are significant and multifaceted. According to the survey, 39% of organizations struggle with incorporating GenAI into existing systems and processes, 39% face a lack of trust from internal stakeholders, 38% cite inadequate internal controls and risk management, and 37% report a lack of standardized internal policies governing AI use. These barriers suggest that the technology challenge is secondary to the governance and organizational readiness challenge.
The GenAI arms race is accelerating on both sides. Threat actors leverage AI to craft more convincing phishing campaigns, automate vulnerability discovery, and scale social engineering attacks. Meanwhile, defenders deploy GenAI for real-time threat intelligence, automated incident response, and predictive risk modeling. PwC’s research indicates that organizations investing in both offensive awareness and defensive GenAI capabilities gain a measurable advantage in detection speed and incident response effectiveness.
Cloud Security Threats and Data Protection Priorities
Cloud-related threats rank as the most concerning cybersecurity challenge in PwC’s 2025 survey, with 42% of executives identifying cloud security as their top worry. This concern is well-founded: 66% of security executives report that cloud technologies have expanded their attack surface, creating new vectors through misconfigurations, identity management gaps, and multi-cloud complexity. The rapid migration to hybrid and multi-cloud environments has outpaced many organizations’ security capabilities, creating a structural vulnerability that demands urgent attention.
Data protection and data trust emerge as the leading investment priority for business executives, with 48% ranking it as their top cybersecurity investment for the coming year. Technology executives, meanwhile, prioritize cloud security specifically, with 34% naming it their primary investment focus. This split between business and technology leadership priorities reflects different perspectives on risk — business leaders focus on the data assets themselves while technology leaders concentrate on the infrastructure that houses those assets.
The convergence of cloud security and data protection creates both challenges and opportunities. Organizations must simultaneously address cloud misconfiguration prevention, implement robust identity and access controls, establish data governance frameworks that span multiple cloud providers, and ensure compliance with an expanding web of regulatory requirements including the EU’s NIS2 Directive and other data protection mandates. The organizations that succeed in integrating these efforts — rather than treating them as separate workstreams — will be best positioned to build genuine digital trust with their customers and partners.
The CISO Leadership Gap and C-Suite Alignment Challenge
One of the most consequential findings in PwC’s digital trust insights report is the persistent gap in CISO involvement in strategic decision-making. Fewer than 50% of respondents say CISOs are substantially involved in strategic planning, board reporting, and overseeing technology deployments. This limited engagement creates a dangerous blind spot where critical security considerations are absent from key business decisions, technology investments, and organizational strategy.
The confidence gap between CISOs and CEOs is equally alarming. A 13-percentage-point difference exists between CISO/CSO confidence and CEO confidence regarding compliance with AI regulations, resilience requirements, and critical infrastructure mandates. CISOs, who are closest to the operational realities of compliance, are materially less confident than their CEOs about meeting these requirements. This disconnect suggests that boards and senior leadership may be operating with an overly optimistic view of their organization’s cybersecurity posture.
The technology-business divide extends to risk prioritization as well. PwC finds that 66% of technology executives rank cyber as their highest risk for mitigation, compared to just 48% of business executives. This gap indicates that cybersecurity has not yet achieved the status of a standing business agenda item in many organizations. The report recommends elevating CISO involvement to include strategic planning, capital allocation, and product decisions — a structural change that requires CEO commitment and board-level accountability to implement effectively.
Cyber Risk Quantification: Why 88% Agree but Only 15% Measure
Perhaps the most paradoxical finding in PwC’s 2025 report is the enormous gap between recognition and action in cyber risk quantification. A commanding 88% of executives agree that measuring cyber risk is crucial for prioritizing investments, and 87% say allocating resources to areas of highest risk is of high importance. Yet only 15% of organizations measure the financial impact of cyber risks to a significant extent. This disconnect between conviction and capability represents one of the most critical barriers to effective cybersecurity investment.
The barriers to adoption are well-documented in the report. Data quality remains the primary obstacle — many organizations lack the granular incident data, asset inventories, and threat intelligence necessary to build credible financial models. Scope definition presents another challenge: determining which risks to quantify, at what level of detail, and over what time horizon requires sophisticated methodological frameworks that many organizations have not yet developed. Legal concerns about the potential discoverability of risk quantification analyses in litigation add another layer of complexity.
Despite these barriers, the report identifies a clear correlation between risk quantification maturity and cybersecurity effectiveness. Organizations that have implemented financial measurement of cyber risk demonstrate better budget alignment, more effective board communication, and faster incident response. Only 21% of organizations routinely allocate cybersecurity budgets to their top risks — a figure that PwC expects to improve as more organizations adopt quantification tools and frameworks like NIST CSF 2.0 that emphasize risk-based measurement and prioritization.
Cybersecurity Budgets 2025: Rising Spend With Allocation Friction
PwC’s findings on cybersecurity budgets reveal a paradox of plenty. An impressive 77% of organizations expect their cybersecurity budget to increase in the coming year, with North American companies and the Technology, Media, and Telecommunications sector leading at 82%. Top performers are even more aggressive, with 15% expecting budget increases of 15% or more. These figures signal that cybersecurity has firmly established itself as a priority investment area across industries and geographies.
However, the allocation challenge remains acute. Despite rising budgets, only 21% of organizations routinely direct cybersecurity spending to their actual top risks. This misalignment means that increased spending does not automatically translate into improved security posture. Organizations frequently fall into the trap of spreading resources across a broad portfolio of initiatives rather than concentrating investment on the threats most likely to cause significant harm — a pattern that dilutes the impact of even substantial budget increases.
The report identifies several factors driving this allocation friction. Legacy investment commitments, organizational politics, vendor relationship inertia, and the difficulty of translating risk assessments into budget decisions all contribute to suboptimal spending patterns. PwC recommends that CISOs adopt a more rigorous approach to investment justification, using quantified risk scenarios to demonstrate the financial impact of security investments to CFOs and boards. Organizations that successfully bridge the gap between risk identification and budget allocation report significantly better outcomes in breach prevention, detection speed, and recovery time.
Digital Trust Insights on Regulatory Impact and Compliance
Cybersecurity regulation has become one of the most powerful catalysts for security investment. PwC’s findings are unambiguous: 96% of executives say cybersecurity regulations have spurred increased cyber investment in the last 12 months. Moreover, 78% believe regulations have helped challenge, improve, or increase their cybersecurity posture. Far from being viewed solely as a compliance burden, regulation is increasingly recognized as a constructive force that raises organizational security standards.
The regulatory landscape itself is evolving rapidly. Major frameworks including the EU’s Digital Operational Resilience Act (DORA), the AI Act, the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), Singapore’s updated Cybersecurity Act, and the EU Cyber Resilience Act are creating new obligations around incident reporting, operational resilience testing, and supply chain security. These requirements are particularly impactful for global organizations that must navigate multiple overlapping regulatory frameworks across jurisdictions.
However, the CISO-CEO confidence gap on compliance readiness raises important questions about organizational preparedness. While 96% have increased investment, the quality and depth of compliance efforts vary significantly. PwC recommends using regulatory requirements as an opportunity to strengthen underlying security frameworks rather than treating compliance as a checkbox exercise. Organizations that integrate compliance into their broader security strategy — involving Chief Legal Officers, CFOs, and compliance teams in security planning — achieve better outcomes than those that treat regulation as a standalone workload.
Emerging Threats: Quantum Computing and Connected Devices
PwC’s report identifies quantum computing as an emerging threat that organizations are already beginning to address. Notably, 42% of security executives report that quantum computing has already caused them to address vulnerabilities — a surprisingly high figure that reflects growing awareness of the “harvest now, decrypt later” threat model. As quantum computing capabilities advance, encrypted data collected today could potentially be decrypted in the future, making current encryption investments less secure than organizations might assume.
The convergence of physical and digital risks through connected devices, operational technology, and Internet of Things deployments represents another rapidly expanding threat vector. Connected product attacks rank among the top concerns in PwC’s survey, with particular relevance for manufacturing, healthcare, and energy sectors where OT and IoT systems directly control physical processes. The security challenge is compounded by the typically longer lifecycle of industrial systems, legacy protocols that were not designed with security in mind, and the potential for physical safety consequences from successful cyber attacks.
Third-party risk continues to grow as a major concern, with third-party breaches listed among the most worrying threat scenarios. The increasing complexity of global supply chains, combined with the interconnected nature of modern digital ecosystems, means that an organization’s security posture is only as strong as its weakest vendor relationship. PwC recommends expanding supply chain and vendor security programs, conducting regular third-party assessments, and building contractual security requirements into vendor relationships. CISA’s ongoing threat advisories continue to highlight the critical nature of supply chain security in the current threat environment.
Building Enterprise Cyber Resilience: PwC’s Strategic Roadmap
PwC’s report concludes with a comprehensive strategic roadmap for organizations seeking to close the resilience gap. The first priority is making cybersecurity a standing business agenda item. CEOs should meet regularly with CISOs and Chief Risk Officers, demand measurable reporting tied to business outcomes, and treat cyber as a strategic business risk rather than an IT operational concern. This governance shift requires visible executive sponsorship and accountability at the board level.
The second pillar focuses on aligning budgets to quantified top risks. PwC recommends starting with pilot implementations of cyber risk quantification — even small-scale efforts that demonstrate the financial impact of specific threat scenarios can dramatically improve budget allocation decisions. The goal is to move from qualitative risk assessments (“high/medium/low”) to financial impact estimates that resonate with CFOs and board members (“a breach in this area has a 15% probability of costing $5-10 million within 24 months”).
Third, organizations must build operational resilience playbooks and test them rigorously. This includes establishing dedicated resilience teams, creating comprehensive recovery playbooks for IT-loss scenarios, mapping technology and third-party dependencies, and conducting regular tabletop exercises. The fact that only 31-35% of organizations have broadly implemented these measures represents both the scale of the challenge and the competitive advantage available to organizations that move quickly. Finally, investing in GenAI responsibly — leveraging its defensive capabilities while implementing robust governance, access controls, and internal policies — will separate security leaders from laggards in the years ahead.
Frequently Asked Questions
What are the key findings of PwC’s 2025 Digital Trust Insights report?
PwC’s 2025 Global Digital Trust Insights reveals that only 2% of organizations have fully implemented cyber resilience actions across all areas surveyed. The report found that 77% expect cyber budgets to increase, 67% say GenAI has expanded their attack surface, and the average data breach cost is $3.32 million. A 13-percentage-point confidence gap exists between CISOs and CEOs on regulatory compliance.
How is GenAI impacting cybersecurity according to PwC?
According to PwC, 67% of security executives say GenAI has increased their attack surface over the past year, while 78% have simultaneously increased investment in GenAI for defensive purposes including threat detection and intelligence. Key challenges include integration with existing systems (39%), lack of stakeholder trust (39%), and inadequate internal controls (38%).
What is the cyber resilience gap identified by PwC?
PwC found a severe implementation gap where only 2% of organizations have implemented all surveyed resilience actions. Individual resilience measures like establishing a resilience team (34%), creating cyber recovery playbooks (35%), and mapping technology dependencies (31%) have been broadly implemented by fewer than 42% of organizations for any single action.
How much are organizations spending on cybersecurity in 2025?
According to PwC, 77% of organizations expect their cyber budget to increase in 2025, with 82% in North America and the TMT sector. However, only 21% routinely allocate budgets to their organization’s top risks. The average data breach cost stands at $3.32 million, with over 25% reporting their most damaging breach cost at least $1 million.
What role do regulations play in cybersecurity investment?
Regulations are a major driver: 96% of executives say cybersecurity regulations have spurred increased investment in the last 12 months, and 78% believe regulations have helped improve their cybersecurity posture. New frameworks like DORA, the EU AI Act, and CIRCIA are raising compliance requirements while also strengthening organizational security frameworks.