Shareholder litigation from cyber attacks cost large UK businesses £3.7 billion in 2025, according to research from Gallagher and the Centre for Economics and Business Research, making legal fallout the second-biggest expense after disrupted trading.
The two organisations said the overall bill for large UK firms reached £11.7 billion over the year. Direct losses from interrupted trading totalled £5.4 billion, while lost assets, including intellectual property, added £1.3 billion. Regulatory fines were much smaller by comparison at £108 million.
The research, as reported by Intelligent CISO and UKTN, modelled the numbers on a scenario in which each affected company bears the cost of its most severe cyber incident. Both outlets said the immediate response phase was only a sliver of the total burden: businesses spent £226 million on external support such as forensic specialists, consultants and technical remediation, and lost another £51 million to internal labour diverted to incident response and recovery.
UKTN also reported that firms suffered £573 million in reputational damage and £339 million in lost customer goodwill in 2025. Those costs reflect the longer tail of an incident, where investor reaction, weakened market confidence and commercial disruption can linger after systems come back online. Gallagher’s Laura Parris said the risk does not end when an attack is over, and pointed to shareholder lawsuits in the US as a warning sign for UK boards.
Despite that exposure, Gallagher’s research suggests many companies still assume they are covered. Both outlets said 88% of large UK businesses have cyber insurance, but only 59% have cover for third-party legal claims, and fewer than half are insured for regulatory fines or GDPR penalties. The report also said 86% carry directors and officers insurance, although some policies can restrict cover where an incident is tied to governance failings.
The research indicates that legal and reputational costs are becoming a central part of the cyber risk picture for large UK firms. Gallagher said even a 5% rise in the financial impact of attacks, including disruption, shareholder claims and recovery costs, could push annual losses beyond £12 billion in 2026.