Decoding the world of cybersecurity

Treasury report prices financial cyber disruption

HM Treasury research places cyber among the financial system’s leading risks and models extreme annual ransomware losses of hundreds of millions of pounds for larger organisations.

Treasury report prices financial cyber disruption
Summary
  • Eighty-two per cent of surveyed UK banks, insurers, and asset managers place cyber among the financial system’s five leading risks.
  • Modelled extreme annual ransomware losses reach £232 million for a mid-sized organisation and £466 million for a large one.
  • Third-party concentration, cloud dependence, leadership capability, and recovery performance influence losses alongside preventive controls.

Cyberattacks are considered one of the five leading risks to the UK financial system by 82% of surveyed banks, insurers, and asset managers, according to research published by HM Treasury.

The proportion has increased by ten percentage points since 2024, while the report says the number of highly significant cyber incidents in financial services rose by 50% during 2024–25. Almost half of reported incidents met the National Cyber Security Centre’s threshold for national significance.

The Treasury’s Value of Resilience report brings together modelling and existing research to examine the economic effects of cyber disruption and the role of resilience investment in limiting losses.

KPMG Cyber Risk Insights modelling cited in the report estimates that annual ransomware losses at the 99th percentile could reach approximately £35 million for an organisation with revenue below £1 billion, £232 million for one with revenue between £1 billion and £10 billion, and £466 million for one with revenue between £10 billion and £100 billion.

Those figures represent modelled extreme-loss scenarios rather than average observed costs. They illustrate the tail risk created when business interruption, recovery expenditure, fraud, customer effects, and other financial consequences combine.

The report also cites global Accenture research in which only 10% of organisations considered themselves prepared for AI-augmented cyber threats, while 77% lacked essential data and AI security practices. Those findings are global and should not be represented as figures for the UK financial sector alone.

Resilience moves into financial planning

Cyber investment is often justified through maturity scores, regulatory requirements, or incidents that did not occur. The Treasury report instead places resilience within financial planning by examining continuity, customer confidence, growth, and the cost of disruption.

Risk committees allocate capital across operational and strategic priorities, which makes a control programme described only through technical compliance difficult to compare with investments in service capacity, product development, or market expansion.

Loss models cannot predict the cost of a specific future incident, and extreme estimates depend on assumptions about frequency, duration, and business impact. They can, however, expose concentration: a payment service with no rapid fallback, a cloud platform supporting several products, a supplier whose failure affects multiple legal entities, or a recovery process that has not been tested at scale.

The report notes that dependence on cloud providers and other digital suppliers can increase the scale and complexity of disruption. Financial institutions may maintain strong internal controls while relying on a comparatively small group of providers for processing, identity, communications, customer services, or access to markets.

DORA has placed similar questions about technology concentration and third parties into the European regulatory framework. UK institutions operate under a separate regime, but suppliers and financial groups working across both markets benefit from consistent evidence on service mapping, testing, recovery, and provider oversight.

Recovery capability changes the loss

Preventive controls reduce the likelihood of compromise, while the eventual cost is also shaped by detection, containment, restoration, reconciliation, and communication. A short interruption to a tested service carries a different consequence from a prolonged outage in which transaction integrity remains uncertain.

Financial systems cannot be considered recovered until organisations know that balances, payments, customer records, and regulatory information are complete and reliable. Restoring servers without reconciling transactions can return an application while leaving the underlying business process untrusted.

Leadership decisions also affect the outcome. Isolating systems, suspending payments, invoking manual operations, notifying authorities, and communicating with customers may need to happen before technical teams can provide complete certainty.

The report links resilience to the adoption of cloud services and artificial intelligence, because transformation depends on confidence that disruption can be contained and recovered. Controls designed after deployment are less effective than resilience requirements built into architecture and supplier selection.

The report’s value lies in connecting technical controls, third-party dependencies, recovery capability, and economic exposure. Its modelling can be challenged and adapted, while the underlying service and dependency analysis provides a basis for decisions about investment and operational risk.

×