In a ministerial letter on cybersecurity, written in October 2025, the UK government made one thing clear to FTSE 350 companies — cyber insurance alone is not enough [1]. Insurance is vital for mitigating financial impact; however, it must be paired with a robust incident response plan that enables swift and coordinated action in the event of an attack.

Author: Jake Taylor

As cyber threats become more frequent and sophisticated, the question organisations face today is no longer 'if' an incident will happen, but 'when'.

From ransomware to data breaches and supply chain disruptions, cyberattacks are now among the most serious risks to business continuity in the UK. According to the government's 2025 Cybersecurity Breaches Survey, published by the Department for Science, Innovation and Technology (DSIT), only about one out of four UK businesses reported having a formal incident response plan in place [2].

The rising threat of cyberattacks

Cyberattacks have evolved from isolated IT incidents into strategic threats capable of paralysing entire operations. Over the past year, the UK has seen a sharp rise in both the frequency and complexity of attacks, with nearly 43% of businesses reporting a breach or attempted breach [2]. These incidents have resulted in costly downtime, data loss and reputational damage.

Earlier this year, the UK retail sector experienced a series of severe cyber incidents that disrupted critical operations [3]. These attacks resulted in prolonged outages, disrupted payment systems and logistics. The organisations had to temporarily shut down systems to contain the breaches. The interconnected nature of retail ecosystems amplified the impact of these cyberattacks, demonstrating the widespread vulnerabilities within the industry.

The motivations behind such attacks are also shifting. While financially driven ransomware remains common, cybercriminals are trying to cause maximum operational disruption by targeting supply chains, service providers and critical infrastructures. Emerging technologies, such as AI and deepfakes, are making these attacks more challenging to detect.

This evolving threat landscape highlights the need for proactive cyber defence, the right technology and security policies that are in place before an incident occurs. A solid and well-planned incident response plan can determine how quickly organisations can recover from a cyber incident.

Why incident response planning matters

An incident response plan is essential for navigating the complexities of a cyberattack. It provides a structured framework that enables organisations to:

  • Respond quickly and decisively during live incidents, potentially reducing downtime and disruption.
  • Minimise financial losses through coordinated action and faster recovery.
  • Strengthen cyber insurance outcomes, with many insurers offering better terms to businesses that demonstrate proactive risk management.
  • Take pre-emptive action to identify and fix system vulnerabilities.
  • Train employees to reduce human error and improve awareness.
  • Test and refine the plan through simulations to ensure it works when needed most.

Advance preparation ensures that your response plan is not just a document, but a practical tool that supports resilience and recovery.

A cyber incident response plan is a formalised strategy that is essential for all businesses. It plays a critical role in minimising the impact of an incident by focusing on containing the potential spread and supporting the recovery of your infrastructure. This plan should be regularly tested with all key stakeholders to ensure its efficiency at your most vulnerable time.
Jake Taylor, Corporate Consulting Manager, Cyber Risk Management

Key considerations for an incident response plan

An incident response plan provides a clear and actionable framework for managing cyber incidents and reducing their business impact. It has seven key components:

  1. Preparation: Conduct regular risk assessments to identify vulnerabilities and use these insights to train employees on cybersecurity best practices and their roles in incident response.
  2. Collaboration and communication: Establish clear protocols for coordinating with internal teams and external stakeholders during a crisis. Extend these practices to the supply chain by vetting partners for security compliance. Additionally, maintain a physical copy of the incident response plan to ensure accessibility during digital outages.
  3. Detection and analysis: Use monitoring tools to detect threats, define procedures for incident analysis and assign roles for investigation and documentation.
  4. Containment: Develop strategies to isolate affected systems and prevent further damage, while ensuring backups are secure and accessible for recovery purposes.
  5. Eradication: Identify and remove the root cause of the incident and apply patches or updates to prevent recurrence.
  6. Recovery: Restore affected systems and data from backups, and test systems to ensure they are functioning correctly before resuming operations.
  7. Post-incident review: Conduct a thorough review to identify lessons learned and update the incident response plan based on findings to improve future responses.

Cyber insurance: Beyond financial coverage

Comprehensive cyber insurance offers more than monetary protection. Insurers now provide access to expert response teams, including IT forensics, legal counsel and PR support, which are essential during live incidents. Businesses with rigorous training programmes may even qualify for preferential rates. These added benefits make fully defined cyber insurance a strategic asset when paired with a solid incident response plan.

Leverage expertise for better protection with Gallagher

Gallagher provides tailored solutions to help businesses develop robust incident response plans and secure appropriate insurance coverage — essential for tackling emerging threats and maintaining operational resilience.

Beyond insurance, our dedicated risk management team offers proactive services, including phishing simulations, vulnerability scanning and security awareness training, to help reduce exposure and strengthen your defences.

To learn more, connect with our cyber specialists.

Disclaimer

The sole purpose of this article is to provide guidance on the issues covered. This article is not intended to give legal advice, and, accordingly, it should not be relied upon. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. We make no claims as to the completeness or accuracy of the information contained herein or in the links which were live at the date of publication. You should not act upon (or should refrain from acting upon) information in this publication without first seeking specific legal and/or specialist advice. Arthur J. Gallagher Insurance Brokers Limited accepts no liability for any inaccuracy, omission or mistake in this publication, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein. Arthur J. Gallagher Insurance Brokers Limited is authorised and regulated by the Financial Conduct Authority. Registered Office: Spectrum Building, 55 Blythswood Street, Glasgow, G2 7AT. Registered in Scotland. Company Number: SC108909. FP1824-2025. The approval will expire on 20.11.2026.