When a cyber attack hits, most businesses focus on the immediate impact. Systems go down. Operations stall. Customers can’t access services.
And understandably, the priority is getting back up and running as quickly as possible.
But the reality is that many organisations are now facing the true cost of a cyber attack, which often emerges after systems are restored.
The Hidden Cost of Cyber Incidents
New research from Gallagher and the Centre for Economics and Business Research (CEBR) reveals some stark numbers behind this.
In 2025, cyber attacks cost large businesses an estimated £11.7 billion in total.
While business disruption accounted for the largest share, the second-largest cost wasn’t technical remediation; it was litigation, at £3.7 billion.
And that tells an important story. Cyber risk is no longer just an IT issue. It’s a legal, financial and reputational challenge that can follow a business for months, sometimes years, after the initial incident.
Why Litigation Is Rising
Traditionally, UK businesses may have looked at shareholder lawsuits as more of a US issue. But that’s changing quickly.
When a cyber attack occurs today, it can trigger a chain reaction:
- Shareholder claims questioning leadership decisions
- Regulatory scrutiny and potential fines
- Customer disputes and contractual issues
- Long-term reputational damage
In fact, the research highlights that legal and reputational consequences now outweigh the immediate response costs by a significant margin.
Put simply, fixing the breach is only the first step.
The Insurance Gap Businesses Do Not See
Despite 88% of large businesses having cyber insurance, many are not covered for the areas now driving the biggest losses.
Most policies are designed to respond well to the immediate crisis:
- 76% cover data recovery and forensic investigations
- 72% cover business interruption
But when it comes to the longer-term fallout:
- Only 59% have cover for third-party legal claims
- Just 49% are covered for regulatory fines or GDPR penalties
That gap matters because it’s precisely these areas, litigation, regulatory action and reputational damage, where costs are growing fastest.
A Shift in How We Think About Cyber Risk
For years, cyber risk has been measured in terms of downtime and recovery. But as recent incidents have shown, the real exposure sits with what happens next.
- Investor confidence can take a hit
- Customers may look elsewhere
- Legal challenges can run for months
- Boards can come under scrutiny
Or, to put it another way, cyber incidents are becoming boardroom risks, not just IT risks.
What Should Businesses Do Now?
The good news is this isn’t about creating fear. It’s about creating clarity: with the right advice and the right cover in place, businesses can move forward with confidence.
A few practical steps can make a real difference:
1. Review Your Existing Cyber Cover
Don’t assume your policy covers everything. It’s essential to understand exactly what’s included, and, more importantly, what isn’t.
2. Look Beyond the Immediate Response
Make sure your cover considers the full lifecycle of an incident, including legal defence, regulatory exposure and reputational support.
3. Align Cyber Insurance With Wider Risk Management
Cyber risk doesn’t sit in isolation. It overlaps with directors’ and officers’ (D&O) liability, professional indemnity and broader governance responsibilities.
4. Have a Clear Incident Response Plan
Knowing who to call, legally, technically and commercially, can significantly reduce both the impact and the long-term costs.
Cyber risk isn’t just about the incident itself; it’s about what comes next. With the right protection in place, it’s a risk that can be managed with confidence.
If you’d like to talk through your cyber risks or review your current cover, our specialist team is here to help, contact us at contact@thomas-carroll.co.uk or on 02920 853788.