Cyber risk now the defining test for UK insurance CROs - survey

Findings suggest gaps in skills, data quality and responsible AI amid plans to invest in risk technology

By Josh Recamara

Cybersecurity, operational resilience and risk culture are set to dominate UK insurance CRO agendas in 2026, as risk leaders move from designing frameworks to proving they work under stress. 

That is the picture from Teneo's UK Financial Services Chief Risk Officer Survey 2026, which polled 40 CROs in late 2025 on priorities, operating models, talent and technology.

Cyber and resilience at the top

Across the sample, 35% of CROs cited cybersecurity and incident response as their top priority for the next 12 months, ahead of operational resilience (28%) and risk culture (25%). For insurers, that focus is landing against a backdrop of rising losses and regulatory pressure.

Market data pointed to elevated cyber loss experience rather than a one-off spike. Brokers reported that UK cyber claims activity remains materially above pre-2020 levels, even as pricing has moderated, with ransomware and data-breach incidents still key drivers of loss severity for insurers and their clients. Public statistics from the UK government's Cyber Security Breaches Survey also showed that around four in 10 businesses report a breach or attack each year, with many incidents going unreported.

In that environment, Teneo said the CRO emphasis is shifting from perimeter defence to real‑time crisis management.

“In our cyber work, we are seeing a clear shift from a sole focus on prevention towards preparedness and response. Firms are increasingly judged on how they manage incidents in real time, including decision-making, communication and recovery, rather than on the existence of controls alone,” said Courtney Adante, president, security risk advisory.

In live incidents, communications and leadership are proving just as material to the outcome as the technical fix.

“From our experience supporting organisations through live cyber incidents, the technical response is only one part of the challenge. What often determines the outcome is how quickly leaders can make decisions with imperfect information, communicate clearly with regulators, customers and employees and maintain trust while the situation is still evolving,” said Louise Male, senior managing director, strategy and communications.

Regulators are pushing in the same direction. UK operational resilience rules for banks, insurers and larger intermediaries require firms to remain within impact tolerances for important business services under “severe but plausible” disruptions. The Prudential Regulation Authority (PRA) has flagged operational resilience, cyber security, third‑party dependency and solvent exit planning among its core supervisory priorities for insurers over the coming years.

Execution gap in the three lines

Structurally, most CROs said the architecture is in place: 85% reported clearly defined risk roles and responsibilities, and 88% said the first line formally owns and manages risk. But only around half described the risk mandate as truly embedded across the business, and just 40% believed the three‑lines‑of‑defence model is consistently understood.

“Most firms have clearly defined CRO mandates and operating models. However, our experience indicates that understanding these roles is not yet consistent across the organisation. The priority has therefore shifted to embedment: ensuring the risk function is clearly understood, appropriately trusted and demonstrably effective in shaping day-to-day decision-making,” said Amanda Rigby, senior managing director and global forensic leader, financial advisory.

Talent, tech and AI move centre stage

The survey also pointed to a talent and technology pivot. More than three‑quarters of CROs expect risk headcount to rise over the next five years, yet 87% see capability gaps, particularly around influencing, technology fluency and cross‑functional leadership.

“What we are seeing in the market is a shift in how firms define strong risk talent. Technical expertise remains important, but the real differentiator is the ability to exercise judgement, communicate clearly and engage credibly with the business in an environment shaped by technology change and regulatory scrutiny,” said Christine Loughrey, senior managing director, people advisory.

On technology, 63% of CROs plan to implement risk tools to automate processes in the next 12 months and 55% aim to upgrade risk data and reporting. Yet only a minority say their systems help identify and manage risks before they crystallise, and just 6% report active data‑quality monitoring.

AI is already used across underwriting, claims and fraud detection in the wider market. Teneo’s findings mirror that trend: most surveyed firms report having AI usage policies, model inventories and basic safeguards in place, while far fewer have embedded bias monitoring, ethical review or ongoing performance tracking. UK regulators, including the PRA and FCA, have signalled that expectations for managing ICT, cyber and AI‑related risks will continue to increase, bringing model governance and accountability further into the CRO spotlight.
