Once the ransomware attack ends and systems are restored, the board breathes a sigh of relief. But soon after, letters from shareholders’ lawyers arrive. New research from Gallagher and the Centre for Economics and Business Research (CEBR) reveals the true cost of a major cyberattack for large UK businesses. In 2025, the total bill reached £11.7 billion. Trading disruption made up £5.4 billion, and shareholder litigation added £3.7 billion. The attack itself is not the biggest expense; the aftermath is.
The Full Damage Bill
The £11.7 billion total is made up of eight categories of damage:
- Trading disruption: £5.4 billion
- Shareholder and class action litigation: £3.7 billion
- Lost assets, mostly intellectual property: £1.3 billion
- Reputational damage: £573 million
- Lost customer goodwill: £339 million
- External response costs, such as hiring forensic specialists and consultants: £226 million
- Regulatory fines: £108 million
- Internal staff time spent managing the incident: £51 million
The pattern is clear: the direct response costs (external and internal together, £277 million) are the smallest part of the bill, while the knock-on effects of trading disruption and litigation account for £9.1 billion of the £11.7 billion total.
Litigation: The Long And Expensive Tail
Shareholder litigation is no longer just a US issue; it is now a real concern for UK boardrooms. For years, UK executives watched American companies deal with lawsuits after breaches and assumed their own jurisdiction protected them. The Gallagher/CEBR research shows otherwise. Laura Parris, executive director of Financial Lines at Gallagher, said, “The risk doesn’t end when the attack is over.” She noted that in the US, breaches often lead to “costly shareholder lawsuits focused entirely on board oversight.” That trend is now happening in the UK.
This publication has followed the rise in litigation through several reports. Chubb’s 2026 cyber claims analysis showed that privacy lawsuits are now a major factor in total claims costs. At the PLUS Cyber Symposium in early 2026, experts discussed the increasing cyber liability risk for directors. The Gallagher/CEBR research now provides exact UK numbers for a trend that has been growing steadily.
The Insurance Gap Boards Don’t Know About
About 88% of large UK businesses have cyber insurance, but this can give a false sense of security, because the coverage does not match today’s risks. Most cyber policies cover the immediate response well: 76% of firms have data recovery and forensic investigation cover, and 72% have business interruption cover. Litigation is a different matter. Only 59% have cover for third-party legal claims, and just 49% are covered for regulatory fines or GDPR penalties.
Directors’ and officers’ (D&O) insurance does not always fill this gap. While 86% of large firms have D&O cover, many policies limit coverage if the incident involves governance failures, which is exactly where cyber-related shareholder claims often fall. Parris was clear: “Having a policy is not the same as being fully protected.” She urged boards to check how their cyber and D&O policies would respond to these claims before they face a real one.
Munich Re’s 2026 cyber trends analysis found that many large companies are increasingly aware of gaps in their insurance policies. BakerHostetler’s 2026 Data Security Incident Response Report showed that legal costs from cyber incidents often go far beyond the technical response. The Gallagher/CEBR data backs up both findings with solid UK figures.
What CFOs And General Counsel Should Do Right Now
The £3.7 billion in litigation is not a speculative figure. The research uses a severe-outcome model, in which each affected firm is assigned the cost of its most serious incident. The exposure is widespread: about 69% of large UK businesses were hit by a cyberattack in 2025, which is around 5,077 firms. If the total financial impact rises by just 5%, annual losses would exceed £12 billion in 2026. The trend is only going up.
CFOs and General Counsel have two main problems. First, there is a gap between what cyber insurance covers and the real costs of litigation. Second, many assume D&O insurance will cover shareholder claims related to governance, but many policies limit this. Ask your broker for a coverage analysis now. Compare your litigation exposure with your current cyber and D&O policy terms. Establish which policy would respond first if a cyber incident leads to a shareholder claim, and whether a governance failure would trigger a D&O exclusion. Having this conversation with your broker now is much cheaper than having it after a lawsuit arrives.
FAQ: Shareholder Litigation And The UK Cyber Insurance Gap
How much did cyberattacks cost large UK businesses in 2025, and how much of that was shareholder litigation?
Large UK businesses suffered an estimated £11.7 billion in total cyberattack costs in 2025. Shareholder litigation accounted for £3.7 billion of that figure, making it the second-largest single cost category after trading disruption at £5.4 billion.
Why do the legal consequences of a cyberattack cost more than the attack itself?
Shareholder lawsuits focus on board oversight and disclosure failures, not just the technical breach. Legal and reputational consequences accumulate over months. They reflect investor reaction, weakened market confidence, and extended commercial disruption, not the immediate cost of the incident itself.
Does cyber insurance cover shareholder litigation and regulatory fines?
Generally, no. Only 59% of large UK businesses carry cover for third-party legal claims. Only 49% have cover for regulatory fines or GDPR penalties. Cyber policies protect the immediate response well, but leave significant litigation exposure uncovered.
Does D&O insurance cover cyber-related shareholder claims?
Not automatically. While 86% of large firms carry D&O insurance, many policies restrict coverage when incidents are connected to governance failings. Boards should review their policy terms with a broker to confirm coverage in a cyber-triggered scenario.
What should CFOs and General Counsel do now?
Request a coverage gap analysis from your broker. Map your current cyber and D&O policies against litigation exposure. Test how both policies respond to a cyber-triggered shareholder claim before one arrives.
Related Cyber Insurance Posts
- Cyber Insurance News & Information Podcast - Episode #3
- Why Your Minimum Viable Business Is The Real Cyber Insurance Question
- Gap Opening Between D&O and Cyber Insurance
- Ransomware is Back, Cyber Insurers Report
- D&O or D&O Not, There is No Try — Directors and Officers Need to Worry About D&O Insurance for Cybersecurity