Shareholder lawsuits emerge as cyber risk's costliest aftershock

Study reveals where boards are most exposed when the breach makes headlines — and the policies fall short

By Kenneth Araullo

Shareholder litigation accounted for £3.7 billion of the £11.7 billion total cost of cyber-attacks borne by large UK businesses in 2025, joint research from insurance brokerage Gallagher and the Centre for Economics and Business Research (CEBR) has found.

"For years, boards have measured cyber risk in terms of system downtime and IT recovery; however, the risk doesn't end when the attack is over," said Laura Parris, executive director of financial lines at Gallagher.

She pointed to last year's attacks on high street retailers, noting that "the legal, financial and reputational fallout can drag on for months", and said breaches in the US had triggered shareholder lawsuits centred on board oversight and disclosure.

The figures are modelled on a scenario in which each affected firm absorbs the cost of its most severe cyber incident, with direct losses from disrupted trading topping the list at £5.4 billion, followed by litigation.

Lost assets such as intellectual property added £1.3 billion, while regulatory fines reached £108 million, the research found.

Immediate response costs were considerably smaller. Companies spent £226 million on external support, covering forensic specialists, consultants and technical remediation, while a further £51 million was lost in internal labour as staff were redirected to incident management and system restoration.

The larger exposure now sits with the legal and reputational fallout that follows an attack, with shareholder action and class actions emerging as material risks for directors.

The findings align with broader market sentiment heading into 2026. A recent Everywhen survey found 65% of respondents ranked cyber-attacks as the biggest risk facing professional firms in 2026, more than three times higher than the next concern listed.

Reputational damage cost UK businesses £573 million in 2025, with a further £339 million attributed to lost customer goodwill, according to Gallagher and CEBR.

The research links these figures to investor reaction, weakened market confidence and prolonged commercial disruption rather than the technical breach itself.

Even a 5% increase in the financial impact of cyber-attacks could push total annual losses above £12 billion in 2026, the brokerage and CEBR estimate.

Insurance cover falls short on litigation exposures

Around 88% of large UK businesses have purchased cyber insurance, with 72% insured for business interruption costs and 76% for data recovery, forensic investigation and technical clean-up.

Cover for litigation-related exposures is less consistent. Only 59% of firms hold cover for third-party legal claims and 49% are insured against regulatory fines or GDPR penalties.

While 86% of firms carry directors' and officers' (D&O) insurance, many policies restrict cover where incidents are linked to governance failings, prompting Gallagher to advise companies to verify policy scope with their broker.

"Many organisations take comfort in the fact they have cyber insurance in place. But as the risk profile evolves and becomes more complex, having a policy is not the same as being fully protected," Parris said.

She added that boards failing to stress-test how cyber and D&O policies respond to cyber-triggered claims may discover the most damaging liabilities are those left uninsured.
