Thirty percent of boards in the UK and Ireland rank cybersecurity and data protection as a top business risk, according to the Corporate Governance Institute. That figure has remained unchanged for five years.
The finding, based on a survey of 500 board directors and C-suite leaders, suggests that cyber threats are recognised at senior level but are not being governed any more tightly than they were five years ago.
Cybersecurity has become a standing item in many boardrooms as companies contend with ransomware, data theft and disruption to digital systems. Yet the latest research suggests that constant attention has not led to a broader shift in how boards assess the issue.
The institute said the flat reading over five years may indicate that cyber risk has become normalised rather than brought under firmer oversight. In its view, boards are aware of the problem, but many have not embedded cyber risk deeply enough into governance structures.
David Duffy, co-founder and chair of the Corporate Governance Institute, described the lack of movement as a warning sign rather than evidence of stability.
“Cybersecurity has become a permanent feature of the boardroom risk agenda. The fact that 30% of boards still rank it as a top business risk, unchanged for five years, suggests that awareness alone is no longer enough.
Stability in this number does not necessarily mean progress. In many organisations, cyber risk has simply become an accepted risk rather than one that is systematically governed.
The research also highlights notable variation between sectors. Healthcare leaders in particular report heightened concern, with 35% ranking cybersecurity as a top business risk today, compared with 28% five years ago.
This rise reflects the increasing exposure of healthcare organisations to cyber threats, particularly as sensitive patient data, digital infrastructure and connected medical systems become more integral to service delivery.
As organisations become more digitally dependent, the consequences of cyber incidents grow significantly. For sectors such as healthcare, where systems underpin critical services and sensitive data, the stakes are especially high.”
Sector Split
Healthcare stood out in the survey, with concern rising more sharply there than in the overall sample. Thirty-five percent of healthcare leaders now rank cybersecurity as a top business risk, up from 28% five years ago.
That increase reflects healthcare providers’ growing reliance on digital records, networked devices and systems that support clinical operations. A breach or outage can affect not only data protection but also access to services and continuity of care.
Other sectors were not broken out in detail, but the broader result points to a more mixed picture across the economy. A flat headline figure can mask movement in both directions: some boards may have improved their approach while others have remained static, leaving the overall percentage unchanged.
The report argues that recognising cyber risk is only part of the issue. Boards also need clear oversight mechanisms, stronger cyber literacy among directors and formal responsibility for resilience within governance structures.
This marks a shift away from treating cybersecurity mainly as a matter for technical teams. Instead, the institute frames it as a question of accountability, risk ownership and regular scrutiny at board level.
That distinction has gained force as cyber incidents move beyond IT departments to affect operations, regulatory exposure, reputation and customer trust. For boards, the question is less whether cyber risk exists than whether directors have the information and processes to oversee it properly.
Duffy said that requires a more direct role for boards.
“Cybersecurity can no longer be treated purely as a technical issue delegated to IT teams. It is fundamentally a governance challenge that requires board-level oversight, clear accountability and ongoing engagement from directors.”
The institute’s broader conclusion is that cyber risk should be treated as part of organisational resilience, especially as digital infrastructure becomes more central to day-to-day activity. In practice, that means repeated review rather than annual discussion, and governance structures that make responsibility clear.
Many companies have increased spending on cyber tools and external advice in recent years, but the survey suggests board practice may not have kept pace. A stable risk ranking over half a decade indicates that technical investment alone has not resolved concerns at the top of organisations.
The findings also raise a broader governance question for directors in heavily regulated or service-critical sectors. If cyber risk remains consistently high on board agendas, directors may need to show not just awareness of threats but evidence that oversight is improving over time.
“The organisations best prepared for the years ahead will be those that treat cyber governance as a continuous board responsibility. Cyber risk is not something that can be reviewed once a year; it requires sustained oversight at the highest level.”
