Cyber attacks generated an estimated £11.7 billion in losses for large UK businesses during 2025, with shareholder litigation making up £3.7 billion of the total cost, according to new research from Gallagher, the international insurance brokerage, risk management and consulting firm, in partnership with the Centre for Economics and Business Research (CEBR).
The research models a scenario in which each affected company experiences the financial impact of its most serious cyber incident.
Gallagher and CEBR found that shareholder litigation represented the second largest area of financial loss, behind £5.4 billion linked to business interruption and disrupted trading activity. Businesses also recorded £1.3 billion in losses tied to stolen or compromised assets, including intellectual property, while regulatory penalties totalled £108 million.
The report indicated that the direct costs of responding to cyber incidents were comparatively modest. Large UK businesses spent around £226 million on external support such as forensic investigators, technical consultants and remediation services. A further £51 million was attributed to internal staffing costs, as employees were diverted from normal operations to manage incidents and restore systems.
Gallagher said the broader financial exposure increasingly stems from the legal, commercial and reputational consequences that emerge after an attack rather than the immediate technical disruption. According to the company, shareholder disputes and class actions are becoming a growing source of financial risk for corporate boards and senior executives.
The research also examined the wider reputational impact of cyber incidents. Gallagher estimated that businesses suffered £573 million in reputational damage during 2025, alongside £339 million in reduced customer goodwill. The company said these costs are often driven by longer-term issues such as investor concern, declining market confidence and extended operational disruption.
Gallagher warned that if the financial impact of cyber-attacks rises by a further 5% in 2026, including disruption, legal claims and recovery expenses, annual losses for large UK businesses could exceed £12 billion.
Despite the scale of the potential losses, Gallagher’s findings suggest many organisations remain confident in their insurance arrangements. The research showed that 88% of large UK businesses have cyber insurance policies in place. Most cover is concentrated on immediate recovery measures, with 72% insured for business interruption costs and 76% covered for data recovery, forensic investigations and technical remediation work following a breach.
However, Gallagher found that protection against legal and regulatory consequences is less common. Only 59% of businesses have insurance covering third-party legal claims, while 49% are insured for regulatory penalties or GDPR-related fines. Although 86% of companies hold directors’ and officers’ insurance, Gallagher noted that some policies may limit cover where governance failings are linked to the cyber incident, leaving organisations potentially exposed.
Laura Parris, Executive Director of Financial Lines at Gallagher, commented: “For years, boards have measured cyber risk in terms of system downtime and IT recovery however the risk doesn’t end when the attack is over. As the high-profile attacks on high street retailers last year show, the legal, financial and reputational fallout can drag on for months. In the US, breaches have gone even further, triggering costly shareholder lawsuits focused entirely onboard oversight and disclosure. With cyber governance under growing scrutiny, our research shows UK boards are not immune to losses on a similar scale either.
“Many organisations take comfort in the fact they have cyber insurance in place. But as the risk profile evolves and becomes more complex, having a policy is not the same as being fully protected. If boards aren’t actively testing how their cyber and directors’ & officers’ insurance respond to cyber-triggered claims, they may find that the liabilities that hurt most are the ones that aren’t fully insured.”
