IT and financial leaders at the UK’s largest firms have a poor understanding of cyber risk as a financial risk, despite 74% of mid-to-large UK businesses experiencing cybercrime, according to a new survey by cyber risk solutions provider Resilience.
The findings reveal a disconnect between what causes the greatest financial losses for companies and what dominates media coverage. They also highlight the urgent need for cybersecurity leaders to educate themselves and adopt the right solutions for more informed decision-making regarding cybersecurity investments and risk management.
The survey, conducted in partnership with YouGov, surveyed 206 financial and IT decision-makers from UK firms with annual revenues exceeding £100 million.
Data breaches were identified as the top concern for business leaders, with 72% considering them their primary cyber risk, while only 47% expressed concern about ransomware, despite the National Cyber Security Centre (NCSC) labelling it the UK’s most significant cyber threat.
Although ransomware causes larger financial losses, accounting for more than 80% of Resilience clients’ losses in 2023-24, data breaches are subject to stricter regulations. Under the General Data Protection Regulation, companies must report breaches within 72 hours, adding pressure to manage them effectively.
Another blind spot for business leaders is third-party vendor oversight. While 83% of leaders say they are familiar with the vendor systems their businesses use, only 35% believe their vendor due diligence effectively mitigates cyber risks. Nearly half (47%) reported disruptions lasting at least 12 hours due to vendor-related issues.
Larger businesses show a slightly better understanding of vendor risks. For instance, 44% of large businesses consider vendor outages a major concern, compared to 40% overall. Companies with revenues over £750 million (43%) are more likely than those with revenues under £250 million (24%) to view vendor due diligence as an effective way to reduce cyber risks.
As cybercriminals increasingly target larger firms, mid-sized businesses often lack the resources to handle third-party attacks effectively. While 34% of companies with revenues over £1 billion reported no impact from vendor outages, many mid-sized firms struggle.
The survey also emphasises the need for mid-sized firms to better understand cyber risk in financial terms. According to the UK government, cyber breaches cost mid-to-large firms an average of £10,830 in 2023.
However, only 54% of businesses maintain quantitative risk registers, which limits their ability to assess the financial impact of cyber-attacks. Quantifying cyber risk enables business leaders to prioritise security controls, optimise insurance investments, and reduce the likelihood of significant losses.
When considering strategies to mitigate the impact of cyber incidents, just 62% of leaders considered any one measure effective, with education on cybersecurity being the most commonly identified.
Vishaal ‘V8’ Hariprasad, CEO and co-founder of Resilience, said, “Cyber risk has become an undeniable reality for businesses of all sizes, yet our findings highlight a concerning gap in understanding and preparedness, particularly in how leaders assess and manage these risks as financial risks.
“Traditional approaches are no longer enough, and organisations must embrace a financial lens to improve their cyber business decision-making and achieve cyber resilience. By quantifying and modelling potential impacts, investing in effective mitigation strategies, and ensuring return on investment on cyber insurance, business leaders can receive real value in countering cybercrime. Only by bridging these gaps can businesses stay resilient in the face of growing threats.”