Cyber risk stuck at 30% for five years as boards fail to move beyond awareness
New research from The Corporate Governance Institute (TCGI) finds 30% of boards rank cybersecurity and data protection as a top business risk, unchanged for five years.
Cybersecurity and data protection continue to represent a persistent boardroom concern, according to new research from The Corporate Governance Institute, which found that 30% of boards rank cyber risk as a top business threat today, a figure that has remained unchanged for five years. The findings are based on a survey of 500 board directors and C suite leaders across the UK and Ireland.
The findings, published in the whitepaper Boardroom Resilience in 2026: Independent Research Into Board Readiness, Risk and Strategy, suggest that while cyber risk remains firmly on board agendas, the lack of movement in this figure may indicate that it has become normalised at the board level rather than meaningfully addressed.
Speaking on the findings, David Duffy, co-founder and chair of The Corporate Governance Institute, said: “Cybersecurity has become a permanent feature of the boardroom risk agenda. The fact that 30% of boards still rank it as a top business risk, unchanged for five years, suggests that awareness alone is no longer enough.
Stability in this number does not necessarily mean progress. In many organisations, cyber risk has simply become an acceptable risk rather than systematically governed.
The research also highlights notable variation between sectors. Healthcare leaders in particular report heightened concern, with 35% ranking cybersecurity as a top business risk today, compared with 28% five years ago.
This rise reflects the increasing exposure of healthcare organisations to cyber threats, particularly as sensitive patient data, digital infrastructure and connected medical systems become more integral to service delivery.
Duffy continues: “As organisations become more digitally dependent, the consequences of cyber incidents grow significantly. For sectors such as healthcare, where systems underpin critical services and sensitive data, the stakes are especially high.”
The report argues that while many boards recognise cyber risk, fewer have fully embedded it into governance structures. Moving beyond awareness requires boards to establish clear oversight mechanisms, develop stronger cyber literacy at the board level and ensure accountability for cyber resilience sits firmly within governance frameworks.
Duffy added: “Cybersecurity can no longer be treated purely as a technical issue delegated to IT teams. It is fundamentally a governance challenge that requires board-level oversight, clear accountability and ongoing engagement from directors.”
The research concludes that boards must increasingly treat cyber risk as a strategic resilience issue, particularly as digital infrastructure becomes central to organisational operations.
Duffy concluded: “The organisations best prepared for the years ahead will be those that treat cyber governance as a continuous board responsibility. Cyber risk is not something that can be reviewed once a year, it requires sustained oversight at the highest level.”