
The cyberattack is no longer the crisis. The crisis comes afterwards.

Not when the systems go down. Not when online orders fail. Not even when customer data is stolen. The real financial damage increasingly arrives in the months that follow - through lawsuits, collapsing consumer confidence, regulatory scrutiny and prolonged commercial disruption that can outlast the breach itself.

Last year, cyberattacks cost large UK businesses an estimated £11.7bn, according to new research from Gallagher and the Centre for Economics and Business Research (CEBR). The figures are staggering not simply because of their scale, but because they reveal how dramatically the economics of cybercrime have changed.

The single biggest cost was £5.4bn in lost trading caused by disrupted operations. But the second largest was even more striking: £3.7bn spent dealing with shareholder litigation and legal action linked to cyber incidents.

That means British businesses are now spending almost as much fighting the fallout from cyberattacks as they are losing from the attacks themselves.

The implications are profound.

For years, companies treated cybersecurity as a technical issue - an operational risk managed by IT departments and measured through downtime, system recovery and data loss. The latest wave of attacks against Marks & Spencer, Harrods, the Co-op and Jaguar Land Rover suggests that model is obsolete.

Cyber risk has escaped the server room. It is now a boardroom, legal and financial crisis capable of inflicting damage long after systems are restored.

The numbers tell the story:

  • £5.4bn in direct disruption
  • £3.7bn in litigation exposure
  • £1.3bn in lost assets and intellectual property
  • £573m lost in further reputational damage
  • £400m wiped out by customers abandoning companies after breaches - cancelling contracts, reducing spending or switching providers
  • £108m in regulatory fines

Together, the figures expose a reality many executives are only beginning to confront: cyberattacks have become one of the largest hidden financial liabilities in modern business.

And the true costs are often invisible at first.

The M&S Attack Was a Warning to Corporate Britain


When Marks & Spencer suspended online orders following a cyberattack in April 2025, customers saw empty shelves, failed deliveries and disrupted click-and-collect services. Internally, however, the consequences were far more severe.

The attack reportedly forced weeks of operational disruption and triggered substantial recovery, legal and remediation costs. More significantly, it opened the door to wider scrutiny over governance, preparedness and corporate oversight.

That pattern is becoming increasingly common. The attack itself may last days. The financial consequences can persist for quarters.

What once looked like a technology failure now behaves more like a corporate contagion event - spreading into investor relations, legal exposure, brand damage and long-term commercial performance.

The Gallagher research argues these costs are driven by “long-term effects” including weakened market confidence, investor reaction and prolonged disruption. In other words, the breach is merely the beginning of the economic impact.

That distinction matters because it fundamentally changes how cyber risk should be understood.

A decade ago, boards worried primarily about whether hackers could access systems. Today, they must also worry about whether shareholders will sue, regulators will investigate, customers will leave and insurers will still provide affordable cover afterwards.

Cybersecurity is no longer simply about protection. It is about survivability.

Britain’s Retailers Became the Perfect Targets


The recent attacks on major UK retailers exposed just how vulnerable modern businesses have become.

Retailers operate vast digital ecosystems containing customer data, payment systems, logistics networks, supply chains and e-commerce infrastructure - all of which must function continuously. Many also rely on ageing legacy systems layered with newer technology built rapidly during the expansion of online commerce.

The result is an enormous and increasingly fragile attack surface.

Retailers are especially exposed because disruption becomes instantly visible. A manufacturing breach may remain hidden from consumers for weeks. A retailer unable to process online orders becomes front-page news within hours.

That visibility amplifies reputational damage.

Gallagher estimates UK businesses lost more than half a billion pounds last year through reputation-related fallout alone. In the digital economy, trust increasingly behaves like infrastructure: once damaged, it can take years to rebuild.

For consumer-facing companies, reputational resilience may soon become as important as cyber resilience itself.

The Hidden Shift From IT Risk to Governance Risk


The most important lesson from the latest attacks may not concern hackers at all. It concerns boards.

The emergence of billions in litigation costs suggests cyberattacks are evolving into governance events rather than purely technical incidents. Investors increasingly expect directors to demonstrate active oversight of cyber preparedness, resilience planning and incident response.

That expectation is reshaping corporate accountability. In the United States, shareholder lawsuits following major cyber breaches have become increasingly common. Britain now appears to be moving in the same direction.

The implications could be enormous.

If cyber preparedness becomes viewed as a fiduciary responsibility, directors themselves may face greater scrutiny following major attacks. Questions that once sat with IT teams are rapidly escalating into issues of corporate governance:

  • Did the board adequately understand the company’s cyber exposure?

  • Was sufficient investment made in resilience?

  • Were vulnerabilities known but ignored?

  • Was the market informed quickly enough?

  • Did executives accurately communicate risk to shareholders?

These are no longer hypothetical questions. They are becoming legal and financial ones.

A Growing Drag on the British Economy


The wider economic implications extend far beyond individual businesses.

Research from the Department for Science, Innovation and Technology (DSIT) estimates cybercrime costs the UK economy roughly £14.7bn annually - equivalent to around 0.5 per cent of GDP. Intellectual property theft alone may account for billions more each year.

That makes cyber insecurity more than a corporate problem. It is increasingly functioning as a drag on national productivity and economic growth.

Money that could be invested into expansion, hiring, innovation or infrastructure is instead being diverted into recovery costs, litigation, insurance premiums and defensive security spending.

At the same time, attacks are becoming more sophisticated.

Artificial intelligence is accelerating phishing campaigns, automating reconnaissance and enabling more convincing social engineering attacks at scale. Criminal groups are operating with increasing professionalism, often functioning like multinational businesses complete with customer service operations and affiliate structures.

Defenders, meanwhile, remain burdened by legacy systems, fragmented infrastructure and chronic cybersecurity skills shortages.

The imbalance is growing.

The Era of Cheap Cybersecurity Is Over


For years, many organisations approached cybersecurity as a compliance exercise - important, but ultimately secondary to growth, efficiency and customer experience.

That calculation is becoming harder to justify.

The latest figures suggest cyberattacks are no longer isolated operational setbacks. They are becoming major financial events capable of triggering years of corporate fallout.

The lesson from M&S, Harrods and others is not simply that businesses are vulnerable to hackers.

It is that the modern cyberattack has evolved into something much larger: a legal, reputational and economic shock capable of destabilising entire organisations long after the systems come back online.

The companies that survive the next decade of cyber threats may not be those that avoid every breach.

They may simply be the ones financially and operationally resilient enough to withstand what happens afterwards.

Written by Edward Jones
20 May 2026
A digital marketing expert with 10+ years' experience across the full range of disciplines. Edward has an extensive history as a writer, with 300+ published articles across the technology and digital publishing sectors.