Cyber risk overtakes economic worries as top concern for UK boards - Marsh

New data could reshape the cyber insurance market as cyber risk climbs to the top of the UK corporate risk agenda for the first time

By Josh Recamara

For the first time, cyber risk has overtaken all other threats as the primary concern for UK business leaders, according to a new report from Marsh Risk. It was cited as the leading concern by 46% of business leaders, up three percentage points from 2024 and more than double the 20% recorded in 2023.

The UK Business Risk Report stresses the need for flexible, dynamic risk management frameworks that can adjust as threats evolve and interact, particularly where cyber, economic and regulatory risks amplify one another.

Heightened focus on cyber as systemic risk

Cyber threats were ranked the top risk by 46% of respondents, compared to 44% for economic and financial risks, 40% for compliance, legal and regulatory concerns, and 39% for people‑related issues such as skills and talent. 

According to the report, high‑profile attacks, greater digitalisation and supply chain vulnerabilities have pushed cyber firmly onto the board agenda, as businesses grapple with the potential for widespread operational disruption, regulatory exposure and reputational harm. Respondents also highlighted the growing interconnectedness of threats, signalling a shift towards resilience built around technology, people and specialist advice rather than isolated technical fixes.

This mirrors wider market experience, where ransomware, business email compromise and supply chain intrusions have generated sizeable first‑ and third‑party losses, as well as business interruption events and regulatory scrutiny. This has also underlined the need to understand not just point‑in‑time security controls but also enterprise‑wide resilience – including backup strategies, incident response capabilities and dependence on critical vendors such as cloud providers and managed service partners.

From siloed programmes to integrated cyber resilience

In response, businesses are moving away from siloed risk programmes towards scenario‑based planning and integrated frameworks that combine technical controls, people and process. Workforce training, supplier oversight and governance are rising priorities. Increasingly, firms are seeking specialist advisory support to turn complex data into board‑level decisions and insurance strategies.

Furthermore, more clients are framing cyber within enterprise risk management and operational resilience programmes, using tabletop exercises and scenario analysis to understand potential loss ranges and insurance gaps, and linking cyber risk improvements to desired coverage terms, limits and retentions.

Underwriters, in turn, are paying closer attention to governance, incident response maturity and third‑party dependencies, not just technical controls. Insureds that can evidence tested incident response plans, robust supplier due diligence and continuous control monitoring are increasingly better placed when negotiating coverage breadth, sub‑limits and pricing.

Strong demand for cyber capacity

Demand for cyber capacity is expected to remain strong, as mid‑market and smaller organisations become more aware of their exposure and seek dedicated protection against business interruption, data loss and regulatory liabilities. Wordings are likely to continue evolving, particularly around business interruption triggers, systemic events and the interaction between cyber, war and terrorism exclusions, as markets refine their approach to aggregation risk.

At the same time, carriers and brokers are expanding pre‑loss services, including security posture assessments, incident‑response retainers and training, as part of cyber programmes aimed at reducing claims frequency and differentiating propositions. Cyber incidents also continue to intersect with other classes, including professional indemnity, directors’ and officers’ liability, crime and property/business interruption, prompting greater coordination between cyber, financial and speciality lines when structuring programmes.

"Geopolitical tensions, regulatory change and market volatility are clearly continuing to affect long-term planning for UK businesses," said Alistair Brighton, CEO of corporate and commercial UK at Marsh Risk. "A cyber incident can cause operational downtime, regulatory exposure and reputational harm, while economic or geopolitical shocks can increase cyber and supply chain vulnerability."
