With 74% of mid-to-large UK businesses reporting cyber breaches, a new survey by cyber risk solutions provider Resilience and YouGov highlights a worrying gap in understanding cyber risks as financial threats. Despite the clear financial toll of cybercrime, many business leaders lack the tools and insights to manage these risks effectively.

The survey, involving 206 financial and IT decision-makers from UK firms with turnovers exceeding £100m, found that while data breaches dominate concerns (72%), ransomware, a far costlier threat, was cited by only 47% as a key risk. This misalignment could leave businesses vulnerable to mounting financial losses.

Ransomware’s Financial Toll Underestimated

Although data breaches attract greater regulatory scrutiny under GDPR, ransomware drives the largest financial losses. According to Resilience, ransomware accounted for more than 80% of client losses in 2023-24.

“Businesses cannot afford to overlook ransomware,” said Vishaal ‘V8’ Hariprasad, CEO of Resilience. “By failing to quantify these risks financially, leaders are left underprepared to make informed decisions on cyber investment and insurance.”

This disconnect is further exacerbated by inadequate financial risk management practices. The survey revealed that only 54% of businesses maintained quantitative risk registries—a critical tool for assessing financial exposure and prioritising mitigation strategies.

Vendor Risks Compound Financial Vulnerability

Third-party vendor breaches present another costly blind spot. While 83% of respondents claimed familiarity with their vendor systems, nearly half (47%) experienced disruptions lasting more than 12 hours due to vendor breaches in the past year.

Vendor outages disproportionately affect smaller firms. Businesses with turnovers under £250m reported more frequent breaches and identified business interruption as a primary concern (72%). Larger firms, with greater resources for risk mitigation, were better insulated; 34% of businesses with turnovers above £1bn reported no vendor-related outages.

Cyber Insurance: Underused and Undervalued

Cyber insurance is another area where financial opportunities are being missed. Despite 93% of surveyed firms holding policies, only 45% believed their coverage effectively reduced losses. Additionally, 30% of insured businesses reported filing no claims, raising questions about awareness and utilisation of insurance benefits.

These findings suggest that businesses are not maximising their return on investment in cyber insurance, leaving money on the table and exposing themselves to unnecessary financial risk.

The Cost of Inaction

The UK Government estimates the average cost of cyber breaches for mid-to-large firms at £10,830 in 2023—a figure that could be significantly higher for firms experiencing ransomware attacks or prolonged outages.

However, with no single mitigation measure viewed as effective by more than 62% of respondents, many firms struggle to address these financial risks comprehensively. Investments in cybersecurity education and quantitative risk management are among the most promising strategies to close this gap.

A Financial Lens on Cyber Risk

“Cyber risk is a financial risk—full stop,” Hariprasad stated. “Businesses must shift their approach to focus on quantifiable impacts and return on investment. By modelling risks, investing in targeted controls, and aligning insurance coverage with potential losses, leaders can make smarter financial decisions that bolster resilience.”

As cyber threats grow increasingly sophisticated, firms must prioritise understanding and managing their financial exposure. A data-driven, financially focused approach will be key to navigating the evolving threat landscape and safeguarding organisational value.