The other two major risks to businesses, according to the survey from the Chartered Institute of Internal Auditors (IIA), were regulatory change (59%) and digitalisation (58%).
The collaborative report between eight European Institutes of internal auditors in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden and the UK and Ireland included 528 survey responses and interviews with 46 heads of internal audit.
For the second year running cyber security has topped the list of concerns, and in 2018 it came second. This year also saw and 18% increase in those putting it among their top five risks.
One CEO of a German transport group said the company in recent years had had doubled the number of IT auditors “in order to be able to thoroughly audit cyber security”.
Meanwhile, the CEO of a Spanish multinational banking group said that the challenge they’re now facing is that auditors who understand cyber security risk and controls are now being attracted away from the bank.
“Cyber security is a problem we regularly see on the news from the theft of 500 million Marriott hotel guests’ personal information, to the security breach which exposed 50 million Facebook user identities,” Ian Peters, chief executive of IIA told City AM.
He also pointed out that the risks from regulatory changes, second on internal auditors’ lists, was likely to increase for UK and Irish business due to the impact of Brexit on regulation.
The report recommended various ways for businesses to increase their resilience to cyber threats, including by recruiting an internal or external cyber security expert; assessing how customer services chatbots are protected against breaches and by assessing security of cloud services.
In May, Deloitte committed to spending an additional £428m on improving its cyber security capabilities, saying it will hire 500 new staff.
That same month reports found that the Big Four currently dominate cyber security recruitment, with the research showing for example that of every 17 new recruits to KPMG one is for a cyber security role.