Cyber Awareness Month may occur only once a year, but cyber risks are ever-present for businesses, regardless of their size. With attacks growing in frequency and sophistication, and costing the U.K. economy an estimated £27 billion per year, it's vital that organizations understand the full cost of a cyber breach and how they can minimize it.
Among SMEs, ransomware attacks, data breaches and phishing incidents continue to rise, often leaving these businesses with fewer resources to respond and recover effectively. The average cost for businesses to remedy a cyberattack is estimated to be £21,000, an amount that can even bankrupt smaller companies.
U.K. businesses are facing a sobering reality: the actual cost of a cyberattack extends far beyond immediate recovery. While the initial costs cover detection and response, hidden costs, such as lost business income, data restoration, regulatory fines and reputation management, can linger for months.
Why Recovery Costs Don't Tell the Whole Story
For businesses, it's not a matter of if a cyberattack will hit you, but when. Just over four in 10 businesses (43%) reported experiencing a cyber breach or attack in the past 12 months, equating to approximately 612,000 businesses.
Reports suggest that 60% of small companies go out of business within six months of a cyberattack. Those that survive face major setbacks: for a small business, a cyber breach or attack can set it back £65,000. Even this figure can understate the full impact, because the fallout from a breach is not limited to direct economic losses but extends to reputational damage. The full cost of a cyber breach can involve challenges such as:
Business Interruption & Income Loss
The cyber risk landscape is changing, and increasingly, attackers aren't just looking to steal data but also to disrupt business.
A cyber breach or attack isn't an isolated incident. Once it happens, there are knock-on effects on the business: downtime that disrupts sales, disruption to supply chains and eroded client trust. Many businesses will lose weeks of income, which can cripple small operations, especially in industries heavily reliant on online sales and client management.
For instance, if a business is hit by ransomware that encrypts its data, accompanied by a demand for payment and a threat that the data will not be restored unless the ransom is paid, the business would be unable to conduct its day-to-day operations for as long as those systems are unavailable. Having a cyber policy that covers Direct and Dependent Cyber Business Interruption would be essential in this case to minimize losses.
M&S, for example, estimated that the cyberattack it suffered in April 2025, and the downtime that followed, would cost it around £300 million in profit due to lost sales and the increased operational costs of suspending online orders.
Data Recovery & System Restoration
Rebuilding systems, restoring from backups and investigating how the attackers got in all create additional costs. Businesses may need specialist security experts to investigate the incident and contain the damage, and SMEs often don't have this expertise in-house.
Regulatory Compliance, Legal Fees & Penalties
Cyber breaches that result in the loss of personal or confidential information can lead to customer claims, breach-of-contract disputes or regulatory fines under the Data Protection Act 2018 and the UK GDPR.
Fines and legal fees can push recovery costs even higher, particularly for SMEs that lack in-house compliance expertise. The maximum fine under the UK GDPR is £17.5 million or 4% of total annual worldwide turnover in the previous financial year, whichever is higher. Moreover, a breach of personal data that is likely to put individuals at risk must be reported to the Information Commissioner's Office (ICO) within 72 hours of the organization becoming aware of it.
Legal representation and external consultancy fees are high. With the right insurance policy in place, however, these costs can be covered.
Reputational Damage
The full cost of a cyberattack isn't only financial; it's often reputational as well. If customers' data is stolen, it can damage future relationships, drive customer churn and ultimately erode the brand's value.
The Insurance Safety Net
Cyber insurance provides direct and indirect financial protection, along with access to expert legal and risk management support, enabling businesses to strengthen their defenses, improve their operational resilience and adopt a proactive approach to security.
Given the prevalence of cyber attacks, with AI making them more sophisticated, it's more critical than ever that businesses of all sizes invest in cyber insurance. It shouldn't be an afterthought; it needs to be a key priority for business resilience.
Encouragingly, many small businesses are taking note, with an increased uptake of cyber insurance from 49% in 2024 to 62% in 2025. There has also been an increase in security risk assessments and business continuity plans that address cybersecurity.
Coverage now extends far beyond simple data breaches. Depending on the policy, it can include ransomware payments, business interruption, legal fees and even the cost of notifying affected customers.
Building Resilience Beyond Insurance
Insurance is a vital part of the cyber risk puzzle, but it's not a one-stop fix. The best insurers embed risk management into their policies, offering advice on how to train staff appropriately, create a risk management plan, implement multi-factor authentication, conduct regular audits and more. Increasingly, insurers are evolving into partners in prevention, rather than simply paying claims when things go wrong.