Shareholder litigation accounted for £3.7bn of the £11.7bn total cost of cyber attacks to large UK businesses in 2025, according to new research from global insurance brokerage Gallagher and the Centre for Economics and Business Research (CEBR).
The numbers are modelled on a scenario where each affected firm incurs the cost of its most severe cyber incident. Litigation was the second largest cost after £5.4bn in direct losses from disrupted trading.
Lost assets, including intellectual property, added a further £1.3bn to company losses, while regulatory fines totalled £108m.
By contrast, the immediate cost of responding to an attack was much lower. Businesses spent £226m on external support, including forensic specialists, consultants and technical remediation, and lost £51m in internal labour costs from staff time that was diverted to manage the incident and restore systems.
The research found that, together, these response costs are only a small share of the total financial impact. The far larger exposure now lies in the legal and reputational consequences that follow, with shareholder action and class actions emerging as significant financial risks for directors.
In 2025 alone, businesses incurred £573m in reputational damage and £339m in the resulting lost customer goodwill on top of direct disruption and litigation costs. These losses are driven by long-term effects, like investor reaction, weakened market confidence and prolonged commercial disruption.
Despite the scale of losses, most large UK businesses believe they are protected, with 88% having purchased cyber insurance. Cover is most effective in the immediate aftermath, with 72% of businesses insured for costs arising from the interruption and 76% insured for data recovery and forensic investigation, plus the technical clean-up that follows a breach.
However, a lot of the emerging litigation costs sit elsewhere. Only 59% have cover for third-party legal claims, and fewer than half (49%) are insured for regulatory fines or GDPR penalties.
“For years, boards have measured cyber risk in terms of system downtime and IT recovery. However, the risk doesn’t end when the attack is over,” says Laura Parris, executive director of financial lines at Gallagher.
“As the high-profile attacks on high street retailers last year show, the legal, financial and reputational fallout can drag on for months. In the US, breaches have gone even further, triggering costly shareholder lawsuits focused entirely on board oversight and disclosure. With cyber governance under growing scrutiny, our research shows UK boards are not immune to losses on a similar scale either.”