  • Cyber-attacks cost large[1] UK businesses an estimated £11.7 billion in total in the last year
  • Litigation was the second largest cost after the direct costs associated with lost trading (£5.4 billion)

Shareholder litigation accounted for £3.7 billion of the £11.7 billion total cost of cyber-attacks to large UK businesses in 2025, according to new research from leading global insurance brokerage Gallagher and the Centre for Economics and Business Research (CEBR).

The numbers are modelled on a scenario where each affected firm incurs the cost of its most severe cyber incident. Litigation was the second largest cost after £5.4 billion in direct losses from disrupted trading. Lost assets, including intellectual property, added a further £1.3 billion to company losses, while regulatory fines totalled £108 million.

By contrast, the immediate cost of responding to an attack was much lower. Businesses spent £226 million on external support, including forensic specialists, consultants and technical remediation, while businesses lost £51 million in internal labour costs from staff time which was diverted to manage the incident and restore systems.

Together, these response costs are only a small share of the total financial impact. The far larger exposure now lies in the legal and reputational consequences that follow, with shareholder action and class actions emerging as significant financial risks for directors.

The cost of getting it wrong

When cyber incidents escalate, the costs extend well beyond the initial disruption. In 2025 alone, businesses incurred £573 million in reputational damage and £339 million in the resulting lost customer goodwill[2] on top of direct disruption and litigation costs. These losses are driven by long-term effects, like investor reaction, weakened market confidence and prolonged commercial disruption, rather than the immediate technical breach.

With the risks of cyber-attacks on large UK businesses remaining very high, even a 5% rise in the financial impact of these, including disruption, shareholder claims and recovery costs, could push total annual losses beyond £12 billion in 2026.

Insurance confidence remains misplaced

Despite the scale of losses, most large UK businesses believe they are protected as nearly 88% have purchased cyber insurance. Cover is most effective in the immediate aftermath with 72% of businesses insured for costs arising from the interruption, 76% for data recovery and forensic investigation and the technical clean-up that follows a breach.

However, a lot of the emerging litigation costs sit elsewhere. Only 59% have cover for third-party legal claims, and 49% are insured for regulatory fines or GDPR penalties. While 86% of firms carry directors' & officers' insurance, many policies restrict cover where incidents are linked to governance failings, meaning firms should check with their broker which insurance policy will cover them for these costs.

Laura Parris, executive director of Financial Lines at Gallagher, said: "For years, boards have measured cyber risk in terms of system downtime and IT recovery; however, the risk doesn't end when the attack is over. As the high-profile attacks on high street retailers last year show, the legal, financial and reputational fallout can drag on for months. In the US, breaches have gone even further, triggering costly shareholder lawsuits focused entirely on board oversight and disclosure. With cyber governance under growing scrutiny, our research shows UK boards are not immune to losses on a similar scale either.

"Many organisations take comfort in the fact they have cyber insurance in place. But as the risk profile evolves and becomes more complex, having a policy is not the same as being fully protected. If boards aren't actively testing how their cyber and directors' & officers' insurance respond to cyber-triggered claims, they may find that the liabilities that hurt most are the ones that aren't fully insured."

Methodology

The analysis was conducted by the Centre for Economics and Business Research (CEBR) in February 2026, based on a survey of large UK businesses (250+ employees), weighted to be representative of the large-business population. The findings were scaled to an estimated universe of 7,400 firms and estimated the share of large firms experiencing a cyberattack in the last 12 months (69% of large businesses, around 5,077, in 2025).

Firms reporting no material negative outcome were excluded from the costing exercise. Among those experiencing an attack, approximately 6% reported no negative outcome, while the remainder reported one or more adverse impacts, including business disruption, data loss, reputational damage, legal costs, lost business, ransom payments, or regulatory fines.

Costs were estimated under a severe-outcome scenario, in which each affected firm is assumed to incur the cost of its single worst cyber incident, rather than an average incident. Unit costs for this specifically were sourced from PwC's Information Security Breaches Survey (2015), which reports costs associated with large organisations' single-worst breach.


Sources

[1] Large businesses defined as 250 employees or more.

[2] This refers to revenue lost when customers cancel contracts, reduce spending or switch to alternative suppliers after an incident.