Cyberattacks are expected to cost large UK businesses £11.7bn in 2025, with shareholder litigation accounting for £3.7bn of the total, according to new research by the international insurance broking, risk management and consultancy firm Gallagher, in collaboration with the Centre for Economics and Business Research (CEBR).
The study simulated a scenario in which each affected company experienced the most severe financial impact of a cyber incident.
Gallagher and CEBR found that shareholder litigation was the second largest area of financial loss, after £5.4bn related to business interruption and disruption to trading activity. Businesses also suffered losses of £1.3bn due to the theft or damage of assets, including intellectual property, while regulatory penalties totalled £108m.
The report notes that the direct costs of responding to a cyber incident are relatively low. Large UK businesses spend around £226m on external support such as forensic investigators, technical consultants and remediation services. A further £51m is attributed to internal staff costs, as staff are diverted from normal operations to managing incidents and recovering systems.
Gallagher said the broader financial risk increasingly stems from the legal, business and reputational consequences that arise after an attack, rather than from the immediate technology disruption. The company said shareholder disputes and class-action lawsuits are becoming a growing source of financial risk for boards and senior executives.
The study also examines the broader impact of cyber incidents on reputation. Gallagher estimates that the loss of corporate reputation in 2025 will reach £573m, and the loss of customer goodwill £339m. The company said these costs are often driven by long-term issues such as investor concerns, declining market confidence and prolonged operational disruption.
Gallagher warned that if the financial impact of cyberattacks rises by a further 5% in 2026 (including disruption, legal claims and recovery costs), annual losses to large UK businesses could exceed £12bn.
Despite the scale of potential losses, Gallagher’s findings indicate that many organizations remain confident in their insurance arrangements. Research shows that 88% of large UK businesses have a cyber insurance policy in place. Most policies focus on immediate recovery measures, with 72% covering business interruption costs and 76% covering data recovery, forensic investigations and technical remediation efforts following a breach.
Gallagher found, however, that protections against legal and regulatory consequences were less common. Only 59% of businesses have insurance covering third-party legal claims, while 49% are insured against regulatory penalties or GDPR-related fines. While 86% of companies hold D&O insurance, Gallagher noted that some policies may limit coverage for governance failures related to cyber incidents, leaving organizations potentially at risk.
Laura Parris, Executive Director of Gallagher Financial Lines, commented: “For many years, boards have treated system downtime and IT recovery as the measure of cyber risk, but the risk doesn’t end after the attack. As last year’s high-profile attack on high street retailers showed, the legal, financial and reputational impact can last for months. In the US, breaches have been even more severe, triggering costly shareholder litigation that focuses entirely on board oversight and disclosure. As cyber governance comes under increasing scrutiny, our research shows that UK boards are not immune to losses of similar scale.
“Many organizations take comfort in the fact that they have cyber insurance. But as risk profiles evolve and become more complex, having a policy does not equate to being fully protected. If boards do not proactively test how their cyber insurance and directors’ and officers’ insurance respond to cyber-induced claims, they may find that the liabilities that hurt most are those that are not fully insured.”
