New research from Gallagher and CEBR reveals shareholder litigation accounted for £3.7 billion of the £11.7 billion total cost of cyber-attacks to large UK businesses in 2025, with legal and reputational fallout emerging as major financial risks for boards.
Shareholder litigation accounted for £3.7 billion of the £11.7 billion total cost of cyber-attacks to large UK businesses in 2025, according to new research from leading global insurance brokerage Gallagher and the Centre for Economics and Business Research (CEBR).
The numbers are modelled on a scenario where each affected firm incurs the cost of its most severe cyber incident. Litigation was the second largest cost after £5.4 billion in direct losses from disrupted trading. Lost assets, including intellectual property, added a further £1.3 billion to company losses, while regulatory fines totalled £108 million.
By contrast, the immediate cost of responding to an attack was much lower. Businesses spent £226 million on external support, including forensic specialists, consultants and technical remediation, and a further £51 million in internal labour costs from staff time diverted to manage the incident and restore systems.
Together, these response costs are only a small share of the total financial impact. The far larger exposure now lies in the legal and reputational consequences that follow, with shareholder action and class actions emerging as significant financial risks for directors.
The cost of getting it wrong
When cyber incidents escalate, the costs extend well beyond the initial disruption. In 2025 alone, businesses incurred £573 million in reputational damage and £339 million in the resulting lost customer goodwill on top of direct disruption and litigation costs.
These losses are driven by long-term effects, like investor reaction, weakened market confidence and prolonged commercial disruption, rather than the immediate technical breach.
With the risks of cyber-attacks on large UK businesses remaining very high, even a 5% rise in the financial impact of these, including disruption, shareholder claims and recovery costs, could push total annual losses beyond £12 billion in 2026.
Insurance confidence remains misplaced
Despite the scale of losses, most large UK businesses believe they are protected: nearly nine in ten (88%) have purchased cyber insurance. Cover is most effective in the immediate aftermath, with 72% of businesses insured for costs arising from the interruption and 76% for data recovery, forensic investigation and the technical clean-up that follows a breach.
However, a lot of the emerging litigation costs sit elsewhere. Only 59% have cover for third-party legal claims, and fewer than half (49%) are insured for regulatory fines or GDPR penalties.
While 86% of firms carry directors and officers insurance, many policies restrict cover where incidents are linked to governance failings, meaning firms should check with their broker which insurance policy will cover them for these costs.
Laura Parris, Executive Director of Financial Lines at Gallagher, said: “For years, boards have measured cyber risk in terms of system downtime and IT recovery; however, the risk doesn’t end when the attack is over. As the high-profile attacks on high street retailers last year show, the legal, financial and reputational fallout can drag on for months.
“In the US, breaches have gone even further, triggering costly shareholder lawsuits focused entirely on board oversight and disclosure. With cyber governance under growing scrutiny, our research shows UK boards are not immune to losses on a similar scale either.
“Many organisations take comfort in the fact they have cyber insurance in place. But as the risk profile evolves and becomes more complex, having a policy is not the same as being fully protected. If boards aren’t actively testing how their cyber and directors and officers insurance respond to cyber-triggered claims, they may find that the liabilities that hurt most are the ones that aren’t fully insured.”