Significant cyberattacks in the UK rose during last year by 129%, with the National Cyber Security Centre (NCSC) handling around four major incidents every week.
According to Everywhen, these attacks are creating a major threat to the business sector.
"Cyber risk affects every level of society, from governments protecting essential services and businesses navigating fluctuating markets and supply chain delays, through to organisations fighting to keep their operations running," said Neil D'Mello, Everywhen's client director (South division). "These high stakes were evident in recent large-scale cyberattacks, which had major consequences."
The recent wave of high-profile incidents has underlined both the potential scale of uninsured loss and the value of robust cyber cover when events do occur.
After the 2025 cyberattack on Marks & Spencer, the retailer’s market capitalisation fell by around £1 billion, and customer data was allegedly stolen. Independent estimates suggested the group lost more than half of its first-half pretax profit, with adjusted profit dropping 55.4% to £184.1 million in the six months to Sept. 27, 2025, after online clothing orders were halted for several weeks.
For the insurance market, the incident is expected to trigger one of the largest corporate cyber recoveries seen in the UK to date. M&S may claim up to £100 million from its cyber insurance programme, which covers both direct and third-party losses. That payout would only partially offset an estimated £300‑plus million hit to profits and sales, but it provides a tangible demonstration to boards of the financial protection that specialist cyber insurance can deliver.
Last year, Jaguar Land Rover also reported a £485 million pre‑tax loss for the quarter versus a £398 million profit a year earlier, after being forced to shut down networks and halt highly automated production lines for weeks.
JLR's factories were effectively offline for most of September 2025, with phased restarts only beginning in October. This event was widely described as the costliest cyberattack in UK history, with an estimated £1.9 billion economic impact on the wider economy and considerable supply chain disruption with as many as 5,000 suppliers affected.
According to D'Mello, one of the biggest issues to come out of these cyberattacks is how supply chains, particularly for SMEs, were affected.
“These types of cyber outages can break a business, even when they’re not the initial target. Cyber policies that include legal defence, PR and interruption cover aren’t optional, they are an essential part of a forward thinking and grounded defence strategy," D'Mello added.
Those comments echo wider market evidence. Research commissioned by Howden indicated that 52% of UK private-sector companies have suffered at least one cyberattack over the past five years, at an average cost of 1.9% of annual revenue, with almost half of SMEs in the £2 million to £50 million turnover band reporting an incident.
Meanwhile, the Association of British Insurers (ABI) has reported that UK cyber claims payouts jumped to around £197 million in 2024, up from £59 million a year earlier, with the majority of claims coming from smaller organisations.
Despite the scale of recent attacks, cyber insurance penetration in the UK remains patchy, especially outside the largest corporates.
Government figures from the Cyber Security Breaches Survey 2025 showed that 45% of UK businesses report having some form of insurance against cyber security risks, most commonly as part of a wider policy, while only 7% hold a stand‑alone cyber policy.
Market research focused on SMEs tells a similar story. GlobalData's 2025 UK SME Insurance Survey found that just over 40% of UK SMEs currently hold cyber insurance, with take-up ranging from 13.1% among sole traders to 63% among medium-sized firms. Cost concerns, a belief that "we're too small to be a target" and assumptions that existing commercial policies already provide cyber cover are among the main barriers.
As the frequency and severity of cyberattacks rises, so does the government's determination to tackle them. A dedicated Cyber Action Plan has been announced and the Government has committed £210 million to strengthening public services against cyber threats. The plan sets a new overall standard for security and accountability, raising expectations for every organisation connected to government services.
For SMEs, industry experts said the focus has to be on cyber insurance solutions that can provide coverage that includes threat alerts and proactive insight, access to cyber security tools and expert advice, as well as cover for legal defence, PR costs, loss or damage and business interruption.
