Research and analysis

Summary of research on the economic impact of cyber attacks

Published 12 November 2025

Introduction 

Keeping the British people safe is the first duty of government. That is why national security is the foundation of the government’s Plan for Change. Cyber attacks represent one of the most pressing threats to the UK’s national security and economic stability in the modern era, with the UK being the most targeted country for cyber attacks in Europe.[footnote 1] The UK’s ability to achieve innovation and growth relies on strengthening its cyber and economic security defences.

Digital technologies are engines for creativity and innovation for our economy. Powered by their interconnectivity, they have transformed every part of our lives. In 2020, there were around 50 billion connected devices in the world. This is projected to rise to 500 billion by 2030.[footnote 2] However, there has been an increasing threat from malicious actors seeking to exploit vulnerabilities in our systems, weaponising and undermining those same digital technologies that our economy and way of life rely on. As the world becomes more complex and unpredictable, there are also a growing number of aggressors with the means, intent and capability to do the UK harm.

The scale of the problem is undeniable. As the experts on helping organisations respond to and recover from cyber security incidents, the National Cyber Security Centre (NCSC) managed 204 significant or highly significant cyber incidents in the year leading up to September 2025.[footnote 3] These are the incidents defined as having a serious impact on essential services, public safety, or economic stability. The NCSC managed, on average, one of these significant incidents every two days.[footnote 4] Last year alone, 43% of UK businesses reported experiencing a cyber security breach or attack[footnote 5] – equivalent to over 600,000 organisations. The recent high-profile cyber attacks severely disrupted Marks and Spencer and the Co-op, causing major disruption to those businesses and the people who rely on them. A year before, a ransomware attack on a key supplier to a number of NHS organisations led to the disruption of over 10,000 appointments and thousands of procedures.[footnote 6]

The impact of disruptions caused by cyber attacks is becoming ever more present in people’s everyday lives, as well as significantly affecting organisations’ ability to operate with confidence. Independent research commissioned by the Department for Science, Innovation and Technology (DSIT), in collaboration with relevant government departments, the devolved administrations, and their partners, has sought to quantify the magnitude of the potential risk to the economy from cyber attacks.

Supported by DSIT, the Integrated Security Fund, and the R&D Science and Analysis Programme at the Department for Culture, Media and Sport, the research was developed and produced according to the research team’s hypotheses and methods. Any primary research, subsequent findings or recommendations do not represent UK Government views or policy. 

This collection of research quantifies vulnerabilities across different parts of the economy, while a consistent upward trend in the cost and frequency of cyber incidents is evident. For instance, KPMG estimate that the average cost of a significant cyber attack (classed as a successful attack with a cost of at least £500) for an individual business in the UK (averaged across all firm sizes and sectors) is almost £195,000. When scaled to an annual UK cost, this amounts to £14.7 billion. Separately, Alma Economics report that cyber attacks attempting intellectual property and knowledge assets theft cost the UK between £1 billion and £8.5 billion in 2024. While individual estimates vary, and recognising the limitations of the research, the consistent theme across the reports is that the cyber risk is pervasive and significant. The findings will help guide current cross-sector resilience measures and support the refresh of the National Cyber Strategy.

Government measures to improve cyber security

The government is clear that decisive action is required to tackle the increasing cyber threat, to protect the public and the economy, and maximise the opportunities to the UK from our domestic cyber sector.   

The government’s planned National Cyber Strategy refresh will articulate a vision – and agreed collective action in partnership with businesses, devolved governments, regulators, law enforcement and the public – to head off the proliferating cyber threat, strengthen the UK’s cyber security and resilience, and maximise growth opportunities from the UK cyber sector. It will also demonstrate that the UK remains a global leader on cyber - taking a proactive, strategic, and collaborative approach to securing national interests in an increasingly complex digital world. 

Ahead of this, action is already being taken to strengthen the cyber security and resilience of the UK, including the following: 

  1. New laws to protect the UK public and businesses:

The Cyber Security and Resilience (Network and Information Systems) Bill will increase UK defences against cyber attacks for the services that the public and businesses rely on every day, including water, energy, healthcare, transport and digital services. The Network and Information Systems Regulations 2018 have fallen out of date and are insufficient to tackle the threats we face. The Cyber Security and Resilience Bill will update the regulations to more effectively safeguard the cyber resilience of essential and digital services. It will deliver a fundamental step change in the UK’s national security – making essential and digital services more secure in the face of cyber criminals and state actors who want to disrupt our way of life. The reforms will underpin greater economic stability, helping grow the economy for working people, reduce business cost and disruption, and support investment. 

  2. More support and guidance for businesses, so organisations of all sizes know what good looks like:

a. We are driving uptake of five basic controls called Cyber Essentials. In the 12 months preceding 30 June 2025, 38,591 Cyber Essentials certificates and 12,477 Cyber Essentials Plus certificates were issued. 92% fewer insurance claims are made by organisations with the Cyber Essentials controls in place.[footnote 7] 

b. The government recently launched a package of support for board members and directors - the Cyber Governance Code of Practice.[footnote 8] The code sets out the critical actions an organisation’s board must take to improve its resilience. To support them in doing this, the Cyber Governance Training[footnote 9] builds their knowledge of cyber security and helps them implement the Code of Practice.

c. To support Secure-by-Design technology we have issued codes of practice for apps and app stores, software, and artificial intelligence, with enterprise technology soon to come[footnote 10], and are implementing pioneering product security legislation.[footnote 11] 

d. The NCSC’s Share and Defend capability is enabling at-scale protection of the UK public and businesses against cyber attacks. The capability is designed to enable others to block access to malicious websites before they can be used to carry out cyber attacks, or to conduct cyber-enabled fraud.[footnote 12] 

e. The NCSC has a range of guidance available on its website, including the Cyber Assessment Framework which helps critical national infrastructure operators identify and manage cyber risks effectively.[footnote 13]  

  3. Protecting our national interests in cyber space, with the UK a leading responsible cyber power within NATO:

a. The National Cyber Force continues to deliver offensive cyber operations to counter threats from hostile states, terrorists, and serious cyber criminals. Its work is vital to the UK’s ability to act in and through cyberspace to protect national interests. 

b. To enhance coherence across Defence’s digital operations, the government are establishing a new Cyber and Electromagnetic Command (CyberEM Command). This Command will integrate cyber, electromagnetic, and information capabilities, ensuring faster, more coordinated responses to emerging threats. 

  4. Maximising the strengths of the UK cyber security sector as a driver of economic growth and innovation – building on recent year on year growth of the £13.2 billion UK cyber sector and boosting the existing 67,300 jobs.

a. The Industrial Strategy was clear that the government will prioritise the frontier technologies with the greatest growth potential for the UK, that also support UK security and sovereignty. The cyber security sector was identified as a priority.  

b. The government is supporting, promoting and growing the UK cyber security sector, including through the pre-seed accelerator programme – Cyber ASAP – which helped innovators raise £41m of investment, and Cyber Runway, a national accelerator programme for cyber startups, scale-ups, and SMEs.[footnote 14]

c. To support home grown cyber skills, the government has introduced programmes aimed at increasing the quantity and diversity of professionals entering the cyber workforce, including initiatives like TechFirst which aims to bring digital skills and AI learning into the classroom.[footnote 15]

d. Professional standards are being developed and promoted to further professional development in the sector.

  5. International collaboration

a. The government has launched international initiatives, such as the Pall Mall Process to tackle the proliferation and irresponsible use of commercial cyber intrusion capabilities through multi-stakeholder collaboration.[footnote 16]

b. In May 2025, the security and defence partnership between the European Union and the UK set out that thematic dialogues will be conducted as provided for in and on the basis of provisions in the Trade and Co-operation Agreement, including on cyber issues, given the interconnectedness and interdependence of UK and EU security and prosperity. 

Reducing the frequency and impact of cyber attacks is not just about safeguarding businesses and the public sector, but securing the prosperity and stability of the UK as a whole, and being a responsible leader on cyber globally. Achieving this requires a coordinated effort across government, industry, and other stakeholders to build a resilient economy capable of adapting to the challenges of a digital future. Strengthening the evidence base to guide these efforts is essential.  

Headline findings from independent research reports 

Historically, our understanding of the economic impact of cyber attacks has focused on immediate financial costs to affected organisations, such as businesses. This narrow focus risks underestimating the true cost of cyber attacks to the UK economy. To address this, the government funded independent research to better understand and quantify the wider economic impact of cyber attacks on the UK economy.

The estimates presented in these reports are derived using distinct methodologies and are not intended to be additive. Each report focuses on different sectors and impact types, and while they collectively illustrate the breadth of economic risk, they should not be summed to produce a single GDP impact figure. 

The independent research will allow decision makers to better understand the potential scale of impact when different kinds of organisations or sectors in the UK are attacked. The reports are: 

  1. Economic Modelling of Sector Specific Costings of Cyber Attacks, KPMG, 2025  
  2. Economic Impact of Intellectual Property and Knowledge Assets Theft from Cyber Attacks in the UK, Alma Economics, 2025 
  3. Assessing the Feasibility of Modelling the Link Between Data Breaches and Fraud, Frontier Economics, 2025 
  4. The Economic Impact on Consumers of Cyber Attacks, KPMG, 2025 
  5. The Economic Impact of a Systemic Cyber Incident to the Rail Network, KPMG, 2025

1. Sector specific costings

Economic Modelling of Sector Specific Costings of Cyber Attacks, KPMG, 2025  

Approach 

The KPMG report estimates the cost of cyber attacks to individual businesses, broken down by sector and business size. These estimates are derived from Cyentia’s Information Risk Insights Study which is primarily US-based, and a set of modelling assumptions, with the full analytical approach detailed in the report. It should be noted that the definition of a ‘cyber attack’ and the scope of incidents included in the underlying data may differ from UK interpretations, particularly in terms of reporting standards, legal frameworks, and organisational contexts. The modelling is based on two key variables: the average cost of a significant cyber attack and the likelihood of experiencing one. As the analysis utilises simplified scenarios and generalised inputs to illustrate potential outcomes it is intended to provide indicative, rather than definitive, estimates.  These figures should therefore be interpreted with caution. 

Headlines 

  • The average cost of a significant cyber attack for an individual business in the UK is almost £195,000. This is defined as any successful incident costing at least £500, calculated by averaging across all firm sizes and sectors in the UK - this figure reflects a broad national average and is not specific to any one industry or business type. 

  • Scaling this to an annual UK cost generates an estimate of £14.7 billion, equivalent to 0.5% of the UK’s GDP.

  • The highest average costs are estimated to flow from some of the UK’s strongest and most competitive sectors, including the information (£337,000), management (£334,000), entertainment (£331,000), manufacturing (£330,000) and financial (£309,000) sectors. 

2. Cost of IP and knowledge asset theft

Economic Impact of Intellectual Property and Knowledge Assets Theft from Cyber Attacks in the UK, Alma Economics, 2025 

Approach 

The Alma Economics report focuses on the economic impact of intellectual property and knowledge-assets theft resulting from cyber attacks on UK businesses. It does not assess wider societal or public sector effects. The analysis is based on a literature review, expert input, regression modelling, and case studies. The main inputs to the modelling are based on observed incidents of cyber attacks and associated financial data, with a focus on company-level impacts. Because the analysis is stylised, outputs should be considered as indicative only, and assumptions, data sources, and analytical methodologies are set out transparently.

Headlines 

  • Alma Economics estimates that cyber attacks attempting intellectual property and knowledge-assets theft cost the UK between £1 billion and £8.5 billion in 2024. This equates to between 0.04% and 0.30% of GDP per year.

  • Case studies considered in the report showed that in extreme cases, intellectual property theft could pose an existential threat to SMEs, particularly when stolen intellectual property is used to develop rival products, enabling larger firms to compete more aggressively on price or leverage stronger marketing and post-sales support. 

3. Cost of fraud due to data breaches

Approach 

The Frontier Economics report explores the feasibility of modelling the relationship between data breaches of organisations and subsequent victimisation of individuals to fraud. It estimates the number of fraud victims and the associated societal cost from the modelled number of fraud victims generated from data breaches in the UK. Main inputs and assumptions include:  

  1. The reported number of data breaches in the UK based on ICO data - a source that may not fully capture the complete extent of data breaches in the UK.  
  2. An estimated increase in probability of experiencing fraud due to being a prior victim of a data breach - generated using a study conducted by the Australian Institute of Criminology. 
  3. Assumptions driven by evidence on how the probability of experiencing fraud due to a data breach varies, based predominantly on the type of data stolen.  
  4. Information on the cost of fraud in the UK based on published Home Office estimates. 

Findings should be treated as indicative and as an illustration of an early approach to understanding the problem. The report sets out the limited nature of evidence and data and recommends further research and data improvement to enhance the robustness of the model.

Headlines 

  • Frontier Economics estimates that 437,000 people became victims of fraud due to data breaches that took place in 2023. This is approximately 11% of all the estimated victims of fraud in the 2023 Crime Survey for England and Wales. 

  • Initial modelling suggests that fraud episodes linked to organisational data breaches are likely to account for around 8% of the annual cost of fraud in the UK, around £755 million per year. 

4. Impact on consumers

The Economic Impact on Consumers of Cyber Attacks, KPMG, 2025 

Approach  

The KPMG report estimates the potential impacts on consumers from cyber attacks that disrupt access to goods and services across five sectors: financial services, healthcare, creative industries and arts, real estate and renting, and manufacturing.  

These estimates are based on hypothetical scenarios designed to illustrate possible outcomes, rather than to predict actual events. The analysis draws on a combination of limited and variable data sources, including survey responses, secondary data, and case studies. Where direct evidence was unavailable, the modelling relies on assumptions and proxies, which are detailed throughout the report. These include, for example, estimates of the number of consumers affected, the duration of service disruption, and the value consumers place on access to specific services. As such, the outputs should be interpreted as indicative rather than definitive, and always considered in the context of the underlying assumptions and data constraints. 

Headlines 

The estimated impacts on consumers from cyber attacks that result in the loss of access to goods and services from the following sectors: 

  1. Financial services 

a. Online banking: A cyber attack resulting in a three day loss of access to online banking services is estimated to cost between £5.5 million and £231 million, with an estimated frequency of once every four years.[footnote 17] 

b. Motor vehicle insurance: A cyber attack resulting in eleven days of disruption to a motor vehicle insurance provider is estimated to cost between £0.01 million and £0.69 million, with an estimated frequency of once every five years.[footnote 18] 

  2. Healthcare

a. Major hospitals: A cyber attack affecting a major hospital is estimated to cost £11.14 million, with an estimated frequency of three times per year.[footnote 19] 

b. GP practices: A cyber attack affecting a GP practice is estimated to cost £0.02 million, with an estimated frequency of thirty-seven times per year.[footnote 20]  

  3. Creative industries and arts

a. Online ticketing: A cyber attack resulting in a one day loss of access to online ticketing services is estimated to cost between £0.6 million and £161 million, with an estimated frequency of once every 4 to 5 years.[footnote 21]

b. Online video streaming services: A cyber attack resulting in a one day loss of access to video streaming services is estimated to cost between £2.8 million and £197 million, with an estimated frequency of once every eight years.[footnote 22] 

c. Cultural institutions: A cyber attack resulting in eleven days of disruption to museums and galleries is estimated to cost £0.27 million, with an estimated frequency of once every three years.[footnote 23] 

d. Libraries: A cyber attack resulting in eleven days of disruption to library services is estimated to cost £0.02 million, with an estimated frequency of once every seven months.[footnote 24] 

  4. Real estate and renting

a. Property purchases: A cyber attack resulting in a loss of access to property transaction systems for three months is estimated to cost between £0.14 million and £0.24 million, with an estimated frequency of once every seven months.[footnote 25]

  5. Manufacturing

a. Pharmaceutical manufacturing: A methodology for the estimation of consumer impacts that could be used in the future is described in this report. 

5. Impact on the rail network

The Economic Impact of a Systemic Cyber Incident to the Rail Network, KPMG  

Approach 

The KPMG report estimates the economic cost of a systemic cyber attack on Great Britain’s rail network. The study is based on a specific and hypothetical cyber incident scenario which was developed by KPMG in consultation with relevant departments. It is important to emphasise that the scenario is hypothetical and should not be regarded as a prediction of future events. Whilst KPMG, based on open-source analysis and a literature review, assessed the likelihood of this scenario as “low”, the potential economic impact of this scenario should not be underestimated. 

The study considers both direct financial impacts and indirect economic impacts resulting from the systemic cyber incident examined. The modelling draws from existing literature and public data sources, in addition to data provided by Department for Transport and Network Rail. An assumption-driven approach has been taken with the modelling; outputs should therefore be considered as indicative only.

Headlines 

It is estimated that a hypothetical systemic cyber incident to the rail network could result in a total economic cost of approximately £1.8 billion for a week’s period of disruption. The hypothetical incident could result in a direct financial cost to Network Rail in the region of £123m, a cost to passengers of delays of £281.3 million and a potential impact on gross value added (GVA) of up to £1.397 billion. The estimated GVA impact represents approximately 2.8% of the UK’s total GDP per week and 0.05% of annual GDP.

  1. www.ibm.com/thought-leadership/institute-business-value/report/2025-threat-intelligence-index

  2. https://www.gov.uk/government/speeches/cyber-is-a-poster-child-for-growth - quoting Cisco research.

  3. www.ncsc.gov.uk/collection/ncsc-annual-review-2025

  4. www.ncsc.gov.uk/collection/ncsc-annual-review-2025

  5. www.gov.uk/government/statistics/cyber-security-breaches-survey-2025

  6. www.england.nhs.uk/london/2024/09/26/update-on-cyber-incident-clinical-impact-in-south-east-london-thursday-26-september-2024/

  7. The Cyber Essentials Management Information is published quarterly, with the latest figures covering April to June 2025. Also www.ncsc.gov.uk/cyberessentials

  8. Cyber Governance Code of Practice - GOV.UK

  9. Cyber Governance Training - NCSC.GOV.UK

  10. Cyber security codes of practice - GOV.UK

  11. Regulations: consumer connectable product security - GOV.UK

  12. Share and Defend capability - NCSC.GOV.UK

  13. Cyber Assessment Framework - NCSC.GOV.UK

  14. Cyber ASAP programme and Cyber Runway programme

  15. PM launches national skills drive to unlock opportunities for young people in tech - GOV.UK

  16. The Pall Mall Process declaration: tackling proliferation and irresponsible use of commercial cyber intrusion capabilities - GOV.UK

  17. This is based on the rate of successful ransomware attacks estimated from the Cyber Security Breaches Survey (DSIT, 2019 to 2024) at 2.45% per large company per year. 

  18. This is based on the rate of successful ransomware attacks estimated from the Cyber Security Breaches Survey (DSIT, 2019 to 2024) at 2.45% per large company per year. 

  19. This is based on the observed frequency of cyber attacks in major hospitals over the 2024 calendar year.

  20. This is based on the rate of successful ransomware attacks estimated from the Cyber Security Breaches Survey (DSIT, 2019 to 2024) at 0.475% per year for the charities and education section. 

  21. This is based on the rate of successful ransomware attacks estimated from the Cyber Security Breaches Survey (DSIT, 2019 to 2024) at 2.45% per large company per year. 

  22. This is based on the rate of successful ransomware attacks estimated from the Cyber Security Breaches Survey (DSIT, 2019 to 2024) at 2.45% per large company per year. 

  23. This is based on the rate of successful ransomware attacks estimated from the Cyber Security Breaches Survey (DSIT, 2019 to 2024) at 0.475% per year for the charities and education section. 

  24. This is based on the rate of successful ransomware attacks estimated from the Cyber Security Breaches Survey (DSIT, 2019 to 2024) at 0.475% per year for the charities and education section. 

  25. This is based on the rate of successful ransomware attacks estimated from the Cyber Security Breaches Survey (DSIT, 2019 to 2024) at 2.45% per large company per year.