
PRESS RELEASE: EMBARGOED UNTIL 00:01 TUESDAY 23 SEPTEMBER 2025
Cybersecurity Biggest Risk for 2026 as Businesses Reel from Wave of Major Attacks
Annual poll of Chief Internal Auditors reveals cybersecurity remains the number one risk, with digital threats intensifying following attacks on M&S, the Co-Op, Harrods, The North Face and Jaguar Land Rover
A new survey of nearly 900 Chief Internal Auditors across the UK and Europe has found that cybersecurity and data security has been ranked the top risk facing organisations, with more than eight in ten respondents identifying it as a leading threat. The findings are published in this year’s Risk in Focus 2026 report, produced by the Chartered Institute of Internal Auditors in partnership with thirteen other European Institutes of Internal Auditors and the European Confederation of Institutes of Internal Auditing (ECIIA).
This warning comes amid a wave of high-profile cyberattacks targeting major UK businesses, underscoring the urgent need for stronger cyber resilience. At the same time, with geopolitical tensions on the rise, the UK’s National Cyber Security Centre (NCSC) has issued stark warnings about the “enduring and significant” threat to the UK’s critical infrastructure from hostile states such as China, Iran, North Korea and Russia.
Top findings:
· Cybersecurity and data security was ranked as a top five risk by over 80% of respondents. It is also the risk area that internal audit teams are spending the most time and effort auditing.
· Human capital, diversity and talent management retained its position as the 2nd largest threat to organisations in 2026 – with almost half (48%) ranking it a top five risk. Fears of deskilling because of AI, and an inability to attract and retain the right skills to combat evolving threats, were major concerns.
· Digital disruption, new technology, and AI continued to be one of the fastest-growing risks, moving from 4th place last year to 3rd place this year, with 47% ranking it a top risk.
· Macroeconomic and geopolitical uncertainty was in joint 4th place for 2026, together with changes in laws and regulations. Chief Internal Auditors who took part in the research agreed that the threat permeated every other risk category, underscoring the interconnected and complex risk landscape organisations now face.
Cyber Threats Rising Amid High-Profile Attacks
The dominance of cybersecurity as the biggest risk comes as no surprise, given the recent spate of attacks that have disrupted operations, compromised customer data, and damaged the reputations of some of the UK’s most recognisable brands. These incidents are having a real and measurable impact on profitability and long-term sustainability. For example, M&S has estimated losses of £300 million in operating profits, while Jaguar Land Rover has been forced to shut its factories for weeks, triggering a ripple effect that had a devastating impact on smaller businesses throughout its supply chain.
Although Chief Internal Auditors participating in Risk in Focus 2026 indicated that cybersecurity is the risk area where they spend the most time and effort auditing, the recent attacks raise serious questions about whether organisations are taking the threat as seriously as they should. Notably, the research also reveals that organisations are not only facing more frequent attacks, but these incidents are becoming increasingly severe, sophisticated, and often powered by advances in AI.
Internal Audit: A Critical Partner Against Fast-Evolving Threats
The Chartered Institute of Internal Auditors is urging boards and senior management to harness the power, experience and expertise of their internal audit teams to independently assess and strengthen the effectiveness of their cyber controls and risk management. Where weaknesses are identified, internal audit can play a vital role in recommending improvements to protect businesses from these fast-evolving threats. This reflects the principles set out in the Cyber Governance Code of Practice, published in April 2025, which advises boards to ‘gain assurance that cyber security considerations are integrated and consistent with existing internal and external audit and assurance mechanisms’.
Anne Kiem OBE, Chief Executive of the Chartered Institute of Internal Auditors, said:
“The recent wave of cyberattacks on major UK businesses is a stark reminder that cybersecurity must remain at the top of every board’s agenda. Our Risk in Focus 2026 research shows that Chief Internal Auditors are acutely aware of the escalating threat landscape, particularly as AI and digital disruption accelerate. Internal audit is uniquely positioned to provide independent assurance for boards that cyber and digital controls are robust and effective, helping organisations to build resilience and protect their bottom lines.”
The survey included the views of Chief Internal Auditors from fifteen European countries, including Austria, Belgium, France, Germany, Greece, Hungary, Ireland, Italy, Luxembourg, the Netherlands, Norway, Spain, Sweden, Switzerland and the UK.
-- ENDS --
FOR MORE INFORMATION / FURTHER COMMENT CONTACT GAVIN HAYES ON GAVIN.HAYES@CHARTEREDIIA.ORG / 07900195591
Notes to editors
The top ten risks for Risk in Focus 2026 were:
1. Cybersecurity and data security (81.80%)
2. Human capital, diversity, talent management and retention (47.78%)
3. Digital disruption, new technology and AI (47.33%)
4. Change in laws and regulations (44.94%)
5. Macroeconomic, social and geopolitical uncertainty (44.94%)
6. Business continuity, operational resilience, crisis management and disasters response (38.91%)
7. Market changes, competition and changing consumer behaviour (32.08%)
8. Supply chain, outsourcing and 'nth' party risk (28.78%)
9. Financial, liquidity and insolvency risks (26.96%)
10. Climate change, biodiversity and environmental sustainability (22.53%)
About Risk in Focus 2026
· For the past ten years, Risk in Focus has sought to help Chief Internal Auditors understand how their peers view today’s risk landscape as they prepare their audit plans for the year ahead.
· Risk in Focus 2026 research was conducted in April and May 2025. Data was collected through a quantitative survey among Chief Internal Auditors across 15 European countries which included: Austria, Belgium, France, Germany, Greece, Hungary, Ireland, Italy, Luxembourg, The Netherlands, Norway, Spain, Sweden, Switzerland and the UK. The survey elicited 879 responses.
· Simultaneously, five roundtables were organised with 44 participants covering five of the key risk areas covered in the report. In addition, we also conducted 10 one-to-one interviews with subject matter experts that included mainly Chief Internal Auditors, but also academics, non-executive directors and industry experts to provide deeper insights into how these risks are manifesting and developing.
The full spreadsheet/data set is available to download here.
This year’s Risk in Focus 2026 report is available to download here.
About the Chartered Institute of Internal Auditors
The Chartered Institute of Internal Auditors (Chartered IIA) is the professional body dedicated exclusively to championing and supporting the vital work of internal auditors in the UK and Ireland since 1948. It is the leading voice for over 10,000 internal audit professionals in organisations spanning all sectors of the economy. The Chartered IIA champions and promotes the valuable contribution its members make to good corporate governance, strong risk management processes and a rigorous internal control environment, ensuring the long-term success of all organisations.