Cyberattacks now front and centre for UK boards

Discover effective strategies UK company boards can use to mitigate and protect against cyberattack risks: prevention, incident response plans and insurance.

Cyberattacks have cost UK businesses billions of pounds, with over half of UK companies facing at least one incident over the last five years. Any company can be a target, from household names to sole traders, and the threat landscape is only growing more aggressive and opportunistic.

A multi-faceted threat landscape

Many cyberattacks originate from foreign actors, particularly those based in Russia and North Korea, which have well-established hacker groups and “bot farms” that direct their energies towards the West. Others are from criminal gangs who come together on the dark web, where “ransomware as a service” packages are now available to be bought or leased from developers, meaning anyone can launch an attack. Social engineering techniques are also developing, with attackers using AI to create increasingly realistic emails and voice calls designed to trick people into disclosing logins and multifactor authentication (MFA) codes.

The impact of a cyberattack can be severe. There is the financial repercussion of losses due to stalled production or sales, the potential knock-on effect on share price, and the costs of recovery, but also the reputational damage to your brand if customers and other stakeholders lose confidence in your ability to protect their personal data and recover quickly and effectively from an incident.

There is also a risk of regulatory action from the Information Commissioner’s Office (ICO). The ICO investigates data breaches, including those resulting from cyberattacks, and can issue significant fines to organisations that fail to adequately protect personal data. Additional regulations, such as the Network and Information Security Directive 2 (NIS2), the Digital Operational Resilience Act (DORA), and the UK’s Cyber Security and Resilience Bill, which has recently been introduced to parliament, place greater requirements on businesses to strengthen cyber defences and build the resilience to survive cyberattacks.

What can businesses do about it?

Prevent

There are many steps businesses can take to minimise the risk of a cyberattack. These include:

  • Staff training, such as phishing exercises.
  • Implementing MFA to reduce the risk of unauthorised access to systems.
  • Using firewalls and antivirus software.

Having segregated systems so that you can isolate affected areas in the event of an attack will also help. However, hackers are aware of all these measures and are working to overcome them. Often, the “weak link” is human nature; employees trusting people who cannot be trusted or trying to help people who should not be helped. That is why corporate culture is key. The board must lead from the top in communicating the risks to their employees and embedding cyber resilience at every level.

Businesses should also ensure strong governance and oversight of supply chain cyber risk management, so that cyber resilience is embedded throughout the supply chain. This is a significant challenge for large, international businesses, but the risks of failing to do so can be even more significant. Criminals deliberately and strategically target suppliers as a way to access larger businesses. An attack on a key member of the supply chain can have knock-on effects throughout the wider business.

Prepare

Businesses should have incident response plans that are regularly tested, so that when the worst happens, everyone knows their role. However, as the CEO of Co-op recently wrote in an open letter to businesses, “While you can plan meticulously, invest in the right tools, and run countless exercises, nothing truly prepares you for the moment a real cyber event unfolds. The intensity, urgency, and unpredictability of a live attack are unlike anything you can rehearse. That said, those drills are invaluable; they build muscle memory, sharpen instincts, and expose vulnerabilities in your systems”.

Just as all businesses run fire drills to ensure everyone knows where to go and what to do in the event of a fire, the same should be done for a cyberattack, which is statistically more likely than any fire.

Consideration should also be given to how you will communicate if systems go down or are known to be compromised. Attackers often lurk within email systems and chat tools. Communicating via these channels can alert attackers to your investigation and containment plans. This gives them time to escalate their attack or delete evidence. Instead, have a pre-approved, out-of-band communication platform ready for deployment if a breach is suspected. Marsh Central can support businesses with this.

Insure

Cyber insurance can cover the costs of a cyberattack and provide valuable support in a time of crisis. Coverage typically includes the cost of dealing with the incident itself, such as:

  • Bringing in external vendors to support with containment of the breach.
  • Investigation into the extent of the compromise and impacted data.
  • Recovery of systems and data.
  • The cost of legal advice following an incident.
  • Notifying individuals of personal data breaches.

There may also be cover for ransom payments and expert ransom negotiation services. A core component of the coverage is business interruption arising from the incident. This can cover the loss of profits caused by system downtime. Policies also cover the longer tail impact of attacks, such as regulatory action and legal claims that follow cyber incidents.

Cyber insurers also offer access to 24/7 hotlines providing access to curated panels of pre-approved vendors. Insurers see hundreds of similar attacks every year, and can bring valuable knowledge and experience to supplement your internal capabilities.

Commercial crime insurance can also cover direct financial loss arising from a social engineering attack. That is the sum actually stolen from the business by fraudsters, which would not otherwise be covered by a cyber policy. As set out below, directors and officers liability insurance (D&O) is also a vital piece in the puzzle for businesses looking to insure against these risks.

Respond

Cyberattacks often overwhelm internal teams, who can lack the time, resources, and experience to contain, investigate, and recover from the attack. It is common to see IT and executive teams working through the night in the first days of a cyberattack, draining energy and risking burnout. Bringing in external forensic IT experts, lawyers, communications specialists, and ransom negotiators to support your team from day one will alleviate pressure and minimise losses.

Marsh clients can access our Cyber Incident Management (CIM) service for support in coordinating and aligning these vendors, both before and during an incident, as well as engaging insurers and managing a cyber event.

Board oversight of cybersecurity in the spotlight

In October 2025, ministers, the CEO of the National Cyber Security Centre (NCSC), and the director general of the National Crime Agency wrote to directors of UK companies to emphasise three steps that businesses must take to tackle the rising cyber threat:

1. Make cyber risk a board-level priority using the Cyber Governance Code of Practice

The letter emphasises the importance of boards adhering to the Cyber Governance Code of Practice. This covers cyber risk management including: agreeing senior ownership of cyber security risks; embedding cyber strategy as part of the wider organisation strategy; recognising the importance of training and culture in raising awareness to prevent attacks and ensure preparedness in the event of an attack; incident planning, including response, recovery, and a lessons-learned procedure; and providing assurance and oversight through formal reporting to the board and two-way communication with the chief information security officer (CISO) or equivalent.

2. Sign up for the NCSC’s early warning service

The NCSC early warning system is designed to detect and alert businesses about emerging cyber threats and vulnerabilities at an early stage, so they can take steps to protect their systems and data.

3. Require Cyber Essentials in your supply chain

The letter recommends embedding cyber resilience within the supply chain to avoid the domino effect of a cyber incident on interconnected businesses. It suggests ensuring businesses in your supply chain are certified under the government-backed Cyber Essentials scheme — the minimum standard of cybersecurity for organisations in the UK.

The consequences of getting it wrong

The consequences for boards that fail to embed cybersecurity within their oversight and governance framework could be severe.

Company directors have a fiduciary duty to act in the best interests of the company, including managing risks related to cybersecurity. In the event of a cyberattack, they run the risk of claims by shareholders or the company itself (potentially in the form of a derivative action) for breach of that duty. While claims relating to the management of the company are generally brought against the traditional C-Suite, personal liability of CISOs in connection with cyber incidents is no longer just a theoretical possibility, as high-profile examples arising out of recent cyberattacks have shown.

There is also the regulatory risk. The ICO can investigate and take enforcement action against directors for a company’s breach of data protection laws, as well as the company itself, and directors can be held personally liable if the data breach was caused by their actions or negligence. This could include, for example, a cyberattack facilitated by a failure to enforce multi-factor authentication that led to the loss of personal data.

If a cyberattack and its aftermath result in a significant fall in share price for a listed company, shareholders could bring a claim under Section 90A of the Financial Services and Markets Act (FSMA). This could be based on an allegation that representations about the cybersecurity of the company made by the board of directors were misleading. If shareholders relied on these representations in buying shares in the company, and then lost money when evidence of misrepresentations came to light, for example, as a result of a ransomware attack and the findings of an ICO investigation, they could sue for that loss. The UK has seen increasing numbers of FSMA S.90A securities claims in recent years.

The importance of D&O insurance

Boards should ensure that their D&O policies are robust enough to respond to any claims that may arise out of these attacks, and should speak to their broker to discuss any areas of concern. Below are some key points to consider.

1. Limits

Ensure that you have adequate limits available to cover legal fees and other expenses that might be incurred in responding to a claim. Claims can be brought even if cybersecurity procedures are robust and a fortuitous event could not be stopped, so having the insurance available to fund a strong defence is essential. This applies to individual directors’ and officers’ costs, as well as company costs in the event of a securities claim.

2. Side C cover

D&O policies that insure against securities claims, also known as “Side C” cover, will indemnify the company in the event of a FSMA S.90A claim by shareholders of the company. It protects the company’s balance sheet for these often very costly claims by covering legal fees, other expenses, and settlements and damages awards should the case go to trial.

3. Investigation costs

Check that your D&O policy covers individuals’ legal and other costs incurred in the event of a regulatory investigation or enforcement action, or even pre-inquiry or internal investigations following a cyberattack, when directors may be called to interview and benefit from independent legal advice. Some policies will also cover civil fines and penalties to the extent insurable.

4. Public relations costs

Some D&O policies will pay for a public relations firm to help mitigate reputational damage in the event of a cyberattack, and this cover may be available for the company itself as well as for individuals. Often this cover is sub-limited, so check that the amount available is still appropriate, especially if it was negotiated some years ago, as inflationary pressure on fees might have eroded its value.

5. Programme structure

Consider whether your D&O programme structure provides adequate protection for individuals who may find themselves in the firing line in the event of a cyberattack. For example, ring-fenced cover for individuals, such as Marsh Alpha, can provide additional security for directors and officers if the company is unwilling or unable to indemnify them, or if the main policy limit has been exhausted, for example, by a securities claim. You can also consider purchasing D&O cover as part of your programme that is reserved just for your CISO (or equivalent), so they can feel secure knowing they have insurance protection that cannot be eroded by claims against the company or the board.

Speak to your Marsh contact if you have any questions about your cyber insurance, cyber incident response readiness, or your D&O insurance.

Our people

Helen Nuttall

UK Head of Cyber Incident Management, Marsh

  • United Kingdom

Zelda Pitman

Senior Client Executive, Management Liability

  • United Kingdom