LONDON, 11 May, 2026 ─ According to a new report published today by Marsh Risk, a business of Marsh (NYSE: MRSH), and the world’s leading insurance broker and risk advisor, cyber risk is, for the first time, the top concern among UK business leaders. It is cited as the leading concern for 46% of business leaders, up three percentage points from 2024, and up from 20% in 2023.
Marsh Risk’s UK Business Risk Report – which surveyed more than 2,000 business leaders, from sole traders to businesses of with over 250 employees across the UK – provides industry‑level insight and practical recommendations to help organisations prioritise actions, allocate capital and engage with insurers more effectively. The report underscores the need for businesses to adopt flexible risk management approaches that can adapt as threats evolve and interact across domains.
The top risks include cyber threats (46%); economic and financial (44%); compliance, legal and regulatory (40%); and people (39%).
According to the report, high‑profile attacks, greater digitalisation and supply‑chain vulnerabilities have elevated cyber risk to board level, due to widespread operational disruption, potential regulatory exposure and reputational harm. Respondents also highlighted the growing interconnectedness of threats, signaling a move by organisations to prioritise resilience through technology, people and expert guidance.
In response to this, businesses are taking action. Organisations are shifting from siloed risk programmes to scenario‑based planning and integrated frameworks that combine technical controls, people and process. Workforce training, supplier oversight and governance are rising priorities. Increasingly, firms seek specialist advisory support to turn complex data into board‑level decisions and insurance strategies.
Alistair Brighton, CEO, Corporate & Commercial UK, Marsh Risk, said: “Geopolitical tensions, regulatory change and market volatility are clearly continuing to affect long-term planning for UK businesses. A cyber incident can cause operational downtime, regulatory exposure and reputational harm, while economic or geopolitical shocks can increase cyber and supply chain vulnerability. This interdependence makes siloed risk programmes ineffective. Boards want clear metrics, practical scenarios and steps they can take now. They need technical defences, continuous testing, targeted training and robust supplier due diligence that is backed by expert advice.”
