• Net Group has analysed the annual reports of the DAX40 companies from 2015 and 2024 for terms with the prefix ‘cyber’.
• The total number of cyber terms has risen by 1422 percent.
• In 2015, only 30 per cent of companies mentioned such terms – in 2024, the figure is 98 per cent.
• The proportion of companies referring to ISO 27001 certification has risen from 5 per cent to 38 per cent.

While twelve corporations mentioned terms with the prefix ‘cyber’ in their annual reports in 2015, this figure has risen to 39 companies in 2024. The total number of these terms has increased by 1,422 percent compared to 2015. The proportion of companies referring to ISO 27001 certification has also grown significantly, from five to 38 percent. This is shown by a recent analysis by the software and consulting firm Net Group.

“Our analysis shows a clear trend: cyber security is an integral part of strategic reporting for almost all DAX40 companies. While only twelve companies used relevant terms in 2015, almost all of them now document their risks, protective measures and standards – in some cases in great detail. The DAX 40 companies are playing a pioneering role here. But the issue is by no means limited to large corporations: cyber security is a universal topic for all companies with digital solutions and an online presence,” says Priit Kongo, Managing Director of Net Group.

Significant increase in mentions of cyber terms

92 percent of companies that already mentioned cybersecurity in their annual reports in 2015 have significantly increased the number of relevant terms: The increase is particularly strong at biotechnology company Qiagen, where the number of mentions of cyber terms has increased twentyfold. This is followed by the Volkswagen Group (+900 percent), Mercedes-Benz Group (+850 percent) and Allianz and Daimler Truck (both +800 percent).

Commerzbank is an exception: its 2024 report no longer contains any mentions of cyber, a decline of 100 percent. This makes the financial services provider the only DAX 40 company without any such references in its current annual report.

Cyber terms were mentioned particularly frequently at Fresenius (124 times), Deutsche Post (63 times), Fresenius Medical Care (59 times), E.ON (57 times) and SAP (40 times).

Cyber risks today: How DAX companies assess their threat situation

Cyber attacks are increasingly being addressed as a specific risk in the annual reports of DAX 40 companies, albeit to varying degrees. Sixteen companies specify the probability of occurrence and potential damage, while 24 companies do not provide any information.

While companies such as Sartorius, a supplier of laboratory and process technology, still considered the risk of possible attacks to be relatively low in 2015, they now expect not only a probability of occurrence of 10 to 40 percent in 2024, but also potential damage in the range of 50 to 100 million euros. SAP also shows a clear change in perspective: in 2014, cyber incidents were considered ‘unlikely’ – despite being rated as “critical” for business, finances and cash flow. Today, the assessment for the possible occurrence of cyber attacks is ‘likely’, with potential impacts of over 500 million euros.

In 2015, there was no mention of cyber risks in the annual reports of companies in the automotive industry, such as Porsche Automobil Holding or the Volkswagen Group. Almost a decade later, both companies list cyber threats as a specific risk to their operations. Porsche now describes cyber attacks as one of the biggest risks to the company.

ISO 27001: More DAX companies report certifications

Between 2015 and 2024, the proportion of DAX 40 companies that mention ISO 27001 certification in their reports rose from five to 38 percent. A further ten percent are in the certification process or are partially certified. The number of companies that make no reference to ISO 27001 fell from 75 to 15 percent over the same period.

‘Companies are no longer just reacting to cyber risks – they are systematically building structures to protect themselves. The fact that this is now also visible in their reporting is an important indicator of maturity. Net Group supports its customers on a daily basis in developing technical, regulatory and organisational security as a unified whole,’ says Kongo.