UK businesses are grappling with a hidden cost of cybercrime that extends far beyond immediate operational disruption, with large companies collectively spending £3.7bn on legal costs to defend shareholder lawsuits following cyberattacks last year. The staggering figure, unveiled by insurance giant Gallagher and the Centre for Economics and Business Research (CEBR), underscores how cyber incidents are creating cascading financial liabilities that ripple through corporate balance sheets long after systems are restored.
The research, analysing 2025 data, found that firms with over 250 employees face an average cyberattack cost of £13.4m—a marked escalation from previous years that reflects both the increasing sophistication of threat actors and the mounting legal exposure companies face from shareholders seeking compensation for security breaches.
This legal burden represents a fundamental shift in how cyber risk translates into corporate financial impact. Beyond immediate operational costs and system recovery, businesses now confront protracted litigation expenses that can dwarf the initial breach costs. For CFOs, this data signals that traditional cybersecurity budgeting may severely underestimate total risk exposure.
The Government recognised the escalating threat landscape in 2023 when the Department for Digital, Culture, Media and Sport launched its updated cyber security strategy, targeting an expansion of the UK's cyber security workforce and enhanced national resilience capabilities.
However, Labour's Shadow Chancellor Rachel Reeves argues current measures fall short, calling for increased Government funding for cyber security initiatives and improved intelligence sharing mechanisms between private sector entities and authorities.
For UK businesses, these findings crystallise the business case for comprehensive cyber security investment. Companies must view cybersecurity not merely as an IT expense but as essential corporate governance infrastructure. This includes deploying robust security protocols, implementing staff training programmes, and investing in advanced threat detection systems.
The macro implications extend beyond individual corporate balance sheets. With cyber threats escalating in frequency and financial impact, sustained investment in national cyber resilience becomes critical for maintaining the UK's competitive position in the global digital economy. Enhanced public-private collaboration on threat intelligence sharing could help mitigate both direct attack costs and subsequent legal liabilities across the business community.