Thirty-nine percent of companies are not conducting worst-case scenario simulations, highlighting a critical gap in risk management practices that needs to be addressed.

Only 10% of leaders expressed a lack of confidence in their risk management data in 2025, down from 16% in 2024, reflecting a six-point improvement in trust towards risk data.

45% of elements involved in risk analysis are related to use of cloud computing.

38% of elements involved in risk analysis are related to data ownership.

16% of risks identified through analysis are viewed as organizational concerns.

44% of elements involved in risk analysis are related to operational technology (OT).

56% of companies surveyed say that they are using a formal risk management framework.

42% of companies are focusing more on risk management.

One third of companies surveyed say that risks are assessed informally.

49% of risks identified through analysis are viewed as cybersecurity concerns.

34% of risks identified through analysis are viewed as technology concerns.

45% of elements involved in risk analysis are related to technology procurement.

39% of elements involved in risk analysis are related to data classification.

Rapidly expanding attack surfaces are cited by 38% of cybersecurity and cyber risk leaders as a reason for increased difficulty in managing cyber risk today vs five years ago.

Just 28% of organisations say they are "very effective" at communicating cyber risk to leadership.

Cybersecurity and cyber risk leaders at organizations without full threat visibility have a burnout rate of 63%.

Organisations with strong asset visibility are 2.5 times more likely to communicate cyber risk effectively to the board

Nearly all organisations (99%) assess vendor risk.

Just 17% of organisations have tools to regularly map threats and contextualise them for full visibility.

Cybersecurity and cyber risk leaders at organizations with full threat visibility experience a significantly lower burnout rate of 44%.