Cyberattacks hit UK businesses with £3.7bn in legal costs last year
Large UK businesses were forced to fork out £3.7bn to defend legal action brought by shareholders last year over cyberattacks, according to new research from insurance giant Gallagher and the Centre for Economics and Business Research (CEBR).
Cyberattacks cost firms with over 250 employees an estimated £11.7bn in total, with litigation being the second largest expense after a £5.4bn hit in direct losses from disrupted trading.
Lost assets accounted for a further £1.3bn for companies, while regulatory fines cost £108m.
Shareholder legal action and class actions are emerging as “significant financial risks” for firms and their directors and are likely to cause “reputational consequences”, Gallagher and the CEBR said.
Firms lost £573m in costs relating to reputational damage and nearly £400m in revenue from customers cancelling contracts, reducing spending, or switching to alternative suppliers following the incidents.
This follows a number of household names, including Marks & Spencer, the Co-op, Harrods and Jaguar Land Rover, suffering devastating cyberattacks last year which severely disrupted day-to-day business and affected millions of customers.
M&S in particular is facing legal action over its cyber incident, which saw the retailer completely halt orders on its website for nearly seven weeks and take a reported 99 per cent plunge in profits, from £391.9m to £3.4m, for the first part of the year.
‘Long term effects’ for firms from cyberattacks
The insurance broker and economics research body said these costs are “driven by long-term effects” for firms, including weakened market confidence, investor reactions, and “prolonged commercial disruption”.
“For years, boards have measured cyber risk in terms of system downtime and IT recovery; however the risk doesn’t end when the attack is over,” Laura Parris, executive director of financial lines at Gallagher, said.
“As the high-profile attacks on high street retailers last year show, the legal, financial and reputational fallout can drag on for months,” Parris added.
Gallagher and the CEBR said that by contrast, firms spent a much lower amount on responding to attacks, with £226m shelled out on external support such as forensic specialists, consultants, and technical remediation.
Businesses also bore a further £51m in internal costs as staff were diverted from their usual tasks to manage incidents and restore compromised systems.