Report: UK cyber security rating exceeds European counterparts

The UK leads Europe in terms of cyber resilience, ahead of France and Germany, according to a report from Diligent Institute and Bitsight.

The research found that companies with either a specialized risk committee or audit committee achieve better cybersecurity performance than those with neither, with ratings of 710 and 650 respectively. 

All of the UK companies in the report had an audit committee, while the region also boasted the second-highest number of specialized risk committees, found in just under half of surveyed companies. 

The authors said these numbers are reflected in the UK’s average security rating, which was the fourth-highest of the countries analyzed, at around 690 out of 900. This put the UK ahead of countries such as France, Japan, and Germany but slightly behind Australia (700), the United States (710), and Canada (710).

Highly regulated industries, such as healthcare and financial services, were found to have the highest cybersecurity ratings.

The report concluded that companies with advanced cybersecurity performance create 372% higher shareholder returns, compared to peers with only basic cybersecurity performance.

"Cybersecurity is no longer about simply mitigating risk, it's now a key indicator of financial performance," said Homaira Akbari, CEO of AKnowledge Partners and member of Bitsight’s Advisory Board. 

"Companies must treat cybersecurity as a cornerstone of their business strategy, guided by clear, ambitious benchmarks, and backed by the full support of their boards."

The average total shareholder return for companies with advanced security performance ratings over a five-year and three-year period was 71% and 67%, respectively, while companies in the basic performance range delivered just 37% and 14%.  

Companies with a higher number of independent directors are more likely to have advanced security ratings, as are companies with specialized risk committees.

"These findings show that cybersecurity is not just an IT problem — it is an enterprise risk that has a material impact on a company’s near-term performance and long-term health and one that management and the board need to be up to speed on," said Keith Fenner, SVP and GM EMEA at Diligent.

"With the cybersecurity threat and governance landscapes in the UK becoming more sophisticated and complex, now is the time for boards and leaders to build their competency around cyber risk."   

Security imbalance in smaller firms remains

The UK’s healthcare sector had the highest average security ratings overall at 730. Of the companies with advanced security performance ratings, 33% came from the financial services sector, with an average rating of 720. 

By comparison, just a quarter of companies with basic security performance ratings came from the industrials sector, while the sector with the lowest overall performance rating was the communications sector at 630. 

But while the mid-to-large-sized companies surveyed for this report showed a strong security posture, the same can't be said for smaller UK firms. A recent government-led survey on enterprise security capabilities found many UK firms struggling to adapt to security threats.

The report noted that smaller firms are focusing mainly on reaction and response, rather than on preventative measures, while medium-sized firms find it challenging to keep pace with developments in cyber security.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.