To combat greater interconnectivity of risks, organisations are ‘shifting from siloed risk programmes to scenario‑based planning and integrated frameworks that combine technical controls, people and process,’ says broker’s chief executive for UK corporate and commercial

The growing use of technology and rapid advances in artificial intelligence (AI) have pushed cyber risk to the top of the agenda for UK corporates, according to new research published by broker Marsh yesterday (11 May 2026).

The firm’s UK Business Risk Report – which surveyed 2,000 UK business leaders, ranging from sole traders to organisations with over 250 staff – found that, for the first time, cyber risk is the top concern among UK business leaders.

It was cited as the leading concern for 46% of respondents – up three percentage points from 2024’s report and up from 20% in 2023’s edition.

Following cyber threats, respondents identified economic and financial (44%), compliance, legal and regulatory (40%), as well as people (39%) risks as other leading risk management priorities.

During a media briefing held on 11 May 2026, to coincide with the launch of London Risk Week, Alistair Brighton – chief executive for corporate and commercial UK at Marsh – noted that while the pace of technological change was the primary concern for UK business leadership, the broker’s report also found a growing interconnection between respondents’ major risks, requiring a fresh and detailed look at company resilience plans.

He told attendees: “This year’s report finds business leaders operating in a fluctuating macroeconomic environment – with easing inflation, lower interest rates and steadier energy prices, but facing persistent threats from cyber crime, political turbulence and extreme weather.

“A defining theme is interconnectivity. Risks are now a complex web in which incidents in one area – people, supply chain, compliance – can cause cyber incidents and cyber events can cascade into financial and regulatory consequences and brand and reputational damage.

“In response to this, businesses are taking action. Organisations are shifting from siloed risk programmes to scenario‑based planning and integrated frameworks that combine technical controls, people and process.”

Cyber concerns

Although the interconnectivity of risks was a prominent trend arising from Marsh’s newly published report, Brighton acknowledged that 2026 marked the “first time” that cyber risk had escalated to the top of UK risk agendas, based on respondent feedback.

He said: “For the first time, cyber risk is the top concern [in Marsh’s report], driven by high profile [cyber] attacks, rising incident costs and cyber risks originating in third party suppliers. Nearly half of UK businesses identify cyber crime as a real worry.”

Kelly Butler, head of the UK cyber practice at Marsh, added that cyber was no longer seen as a peripheral risk for businesses and risk managers.

“Cyber is now at a place where it cannot be ignored,” she explained. “Businesses need to build resilience. The risks touch every part of the economy.

“The rise of new technologies such as artificial intelligence is heightening the awareness of businesses to the impacts. AI can bring with it new risks, but also increasing defensive capabilities.

“Cyber threats have the power to cascade through a business and its supply chains. The resilience of supply chains is a crucial concern for risk managers.

“Cyber incidents damage brands, can result in increased regulatory scrutiny and create immeasurable losses for a company.”

For Butler, cyber risks should be at the heart of business resilience plans given the greater use of technology in every part of the operating environment.

“We need to be clear about the risks that technology can present and the opportunities technology can bring,” she continued. “At present when it comes to cyber resilience, too many firms still lack the basics. The use of cyber insurance is growing, but it is not a substitute for preparedness.

“I cannot stress to business leaders enough [that] it is all about preparedness, preparedness, preparedness.”

Building resilience

Butler added that companies have to look at three core steps to increase their resilience.

The first is to harden the fundamentals of their cyber risk programmes and ensure they are regularly put to the test. Secondly, treat supply risk as an enterprise risk. And thirdly, “put cyber in the boardroom with measurable metrics so decisions can be made with clarity”.

Marsh’s report confirmed that businesses are taking action to mitigate today’s risk landscape.

For example, organisations are shifting from siloed risk programmes to scenario‑based planning and integrated frameworks that combine technical controls, people and process. Workforce training, supplier oversight and governance are rising priorities.

Furthermore, firms are increasingly seeking specialist advisory support to turn complex data into board level decisions and insurance strategies.

Brighton added that businesses need to become proactive and look at a corporate-wide resilience strategy to break down any risk silos and mitigate the growing interconnection of threats.

“Perhaps the clearest sign that business leaders recognise they are operating in a diverse web of risk and are responding with purpose lies in their ambitions to use tools and technology to build streamlined, adaptable risk management capabilities,” he explained.

Brighton said businesses need to plan for the worst to ensure they can weather future incidents.

“You do not fix your roof when it starts to rain,” he said. “Resilience needs to be implemented before the event.”