Business & Technology
Treasury report warns UK firms over resilience blind spot
HM Treasury has warned that cyber resilience is becoming a more material commercial issue for UK businesses as disruption grows more severe, recovery costs rise and many organisations continue to treat resilience spending as a compliance cost rather than a driver of performance.
Its report, The Value of Resilience, examines cyber resilience in financial services and draws on research from organisations including FreedomPay, Accenture, KPMG, Retail Economics and the Association of British Insurers. The report argues that cyber resilience should be viewed as an organisational capability tied to growth, continuity and trust rather than a narrow technical safeguard.
The report says cyber attacks are becoming more severe and more financially damaging. It cites National Cyber Security Centre data showing that highly significant incidents rose 50% year on year in 2024-25, while the Bank of England’s 2026 H1 Systemic Risk Survey found that 82% of UK banks, insurers and asset managers ranked cyber attacks among the top five risks to the financial system, up 10 percentage points from 2024.
Rising costs
HM Treasury says the financial effects of cyber disruption now extend well beyond remediation and system repair. The report points to evidence that companies suffering major cyber incidents underperform the market by around 5% on average for a year or more, while major incidents are associated with an average 9% decline in shareholder value in the year after the event. It says the most significant costs often emerge when an attack disrupts an important business service rather than a contained technical system.
Ransomware is one of the clearest examples in the report. HM Treasury says the share of global financial institutions reporting ransomware attacks rose from 35% in 2021 to 65% in 2024. Mean global recovery costs for financial firms, excluding ransom payments, reached £2.04 million in 2024, up from £1.76 million a year earlier. Its modelling, drawing on KPMG Cyber Risk Insights data, suggests plausible worst-case annual ransomware losses of more than £230 million for mid-sized financial firms and close to £466 million for large firms.
The report also argues that average loss figures can obscure the real shape of risk. It says many firms may face no material ransomware loss in a given year, but a small number of severe events account for a disproportionate share of financial damage. In a broader sample of operational disruption events across sectors, it says most incidents represented between 0.2% and 4.6% of annual turnover, while the most severe cases reached around 16%.
Confidence gap
One of the report’s central findings is a gap between business leaders’ confidence in current resilience and their expectations of future disruption. Research cited from the Retail Economics and FreedomPay Business Resilience Survey 2026, covering 101 UK senior leaders in consumer-facing retail and hospitality businesses with turnover of £6 million or more, found that 81% believed their organisation’s investment in operational resilience was broadly sufficient. Yet 60% expected the frequency of operational disruptions to increase over the next three years.
The same survey found that 64% of senior decision-makers agreed that resilience investment reduces risk but delivers limited additional business benefits. Nearly half said executives do not fully appreciate the value of resilience spending, and 48% believed executives in their industry think too much is already being spent on resilience. HM Treasury says that mindset risks leaving firms underprepared for a more disruptive operating environment.
Chris Kronenthal, President, FreedomPay, said: “HM Treasury’s Value of Resilience report shines a much-needed spotlight on a critical vulnerability in the UK’s consumer economy. While 81% of senior leaders believe their current operational resilience is sufficient, our data reveals a worrying gap between confidence and risk.
60% of business leaders expect operational disruptions to intensify over the next three years with cyber-attacks and geopolitical instability cited among the leading concerns. Yet, 64% still view resilience spending purely as a defensive tax that offers limited commercial value.
There is no guarantee of certainty in today’s business operations, but operational resilience is a vital goal to intentionally move towards – particularly for consumer-facing businesses that carry more risk. At the heart of achieving this in payment systems and consumer technology is shifting from a cost-centre mindset to enable secure, resilient infrastructure that drives customer trust, brand protection, and competitive advantage.”
Growth case
HM Treasury’s report makes a broader case that resilience supports growth as well as protection. It says organisations with stronger resilience capabilities are better placed to recover from disruption, maintain customer trust and continue digital transformation programmes without service failures undermining delivery. Among firms in the highest resilience quartile, it cites Accenture analysis showing that 60% recorded profit gains following a severe shock, compared with 21% among the least resilient. It also says highly resilient companies grew revenues 6 percentage points faster than peers and achieved profit margins 8 percentage points above the median in their industry over a three-year period.
The report also links resilience to preparedness for AI-related threats. It cites Accenture research showing that only 10% of organisations are prepared to defend against AI-augmented cyber threats, while 77% lack essential data and AI security practices. HM Treasury says that weakness affects more than security posture because it can also limit an organisation’s ability to modernise, deploy AI and sustain digital growth with confidence.
Its conclusion is that cyber resilience should be treated less as a narrow cost line within IT budgets and more as part of how organisations manage risk, protect service continuity and support performance in a more volatile operating environment. The report says the organisations with the strongest outcomes tend to combine foundational controls such as patching and vulnerability management with better detection, response and recovery capabilities, reducing both the likelihood that incidents escalate and the scale of losses when they do.