Security Control Failures Cost UK Businesses £10 Billion Annually: A Wake-Up Call for Cybersecurity

Technology World

In an era of rising cybersecurity threats, a new report from the cybersecurity firm Panaseer reveals alarming statistics: UK businesses are losing a staggering £10 billion ($12.6 billion) annually due to failures in security controls. This report underscores the growing urgency for companies to address vulnerabilities in their security infrastructure, particularly as cyber risks continue to escalate globally.

The Scale of the Problem

The Panaseer 2025 Security Leaders Report, based on a survey of 400 security decision-makers (SDMs) across the US and UK, found that 61% of UK companies have experienced security breaches in the past year, directly attributed to ineffective policies, governance, and control mechanisms. This highlights the critical importance of robust cybersecurity frameworks and the dire consequences of neglecting them. In many cases, security breaches could have been prevented or mitigated with more rigorous oversight and improved risk management strategies.

The report paints a concerning picture of the state of cybersecurity in the UK, with financial costs being only the tip of the iceberg. The reputational damage, regulatory fines, and operational disruptions resulting from these breaches add to the long-term toll that weak security practices impose on businesses. These findings come at a time when the cybersecurity landscape is becoming more complex, with organizations facing not only increased attack volumes but also increasingly sophisticated and targeted cyberattacks.

Cybersecurity Leaders Under Pressure

Security decision-makers, particularly Chief Information Security Officers (CISOs), are facing immense pressure to secure their organizations from these rising threats. In the wake of highly publicized cyberattacks, such as the SUNBURST SolarWinds breach, the pressure is only intensifying. These high-profile incidents have put cybersecurity at the forefront of corporate and regulatory agendas, with authorities such as the U.S. Securities and Exchange Commission (SEC) now enforcing stricter rules and threatening criminal charges against negligent organizations and executives.

Jonathan Gill, CEO at Panaseer, emphasized the immense challenges SDMs face in balancing the growing complexity of cybersecurity needs with their responsibility for safeguarding the organization’s data. He pointed out that SDMs are effectively caught between the proverbial “sword of Damocles” held by both regulators and boards of directors. These leaders are tasked with the daunting challenge of managing cybersecurity risk in an environment of increasing scrutiny and external pressure.

Despite the critical role SDMs play in maintaining organizational security, they are not the only stakeholders responsible for cybersecurity within an organization. Cybersecurity is a shared responsibility, but SDMs often bear the brunt of accountability. As Gill observed, while boards and regulators hold SDMs to high standards, these leaders often lack the accurate data needed to provide meaningful insights and hold the business accountable for security breaches. Without access to comprehensive, real-time data on security posture, SDMs face difficulty in making informed decisions and presenting a clear picture to senior management.

Data Integrity and Cyber Risk

A major challenge highlighted by the report is the gap in data integrity within organizations. Only 55% of cybersecurity leaders feel that the data they present to senior management is fully accurate, which raises concerns about the reliability of risk assessments. Accurate data is essential for making sound decisions, yet the lack of robust data collection and reporting tools leaves many businesses vulnerable to undetected threats.

The inability to deliver reliable data also puts SDMs in a precarious position when reporting to senior management. If the data they present is inaccurate or incomplete, it could undermine the trust placed in them and lead to misinformed decisions regarding security priorities. The gap between perception and reality regarding an organization’s cybersecurity posture could contribute to failures in preventing security breaches.

Growing Liability and Insurance Considerations

The increasing liability associated with cybersecurity failures is driving a significant number of CISOs and security leaders to seek personal indemnity insurance. The Panaseer report reveals that 72% of CISOs are taking out personal insurance policies to protect themselves against the personal financial repercussions of a cybersecurity failure. Another 20% are actively considering this option, signaling a growing concern over the personal risk these professionals face in an increasingly litigious environment.

Cybersecurity leaders are not only under immense pressure to prevent breaches but are also confronted with the reality of increased personal liability. With the potential for severe legal and financial consequences, the role of CISO is becoming more high-stakes. Many security leaders are grappling with the burden of being held personally accountable for organizational failures, even when they are not the sole contributors to the breach. This heightened liability is prompting some security decision-makers to contemplate leaving the industry altogether. The report indicates that 15% of SDMs are considering exiting the sector due to the escalating risks and responsibilities they face.

The Need for Stronger Governance and Risk Management

As businesses continue to invest in cybersecurity, it is clear that effective governance and risk management are crucial in mitigating the financial and operational impact of breaches. Panaseer’s findings underscore the need for companies to enhance their security controls and ensure that cybersecurity leaders have the data and resources they need to make informed decisions.

Boards and executives must take a more active role in supporting their security teams, ensuring that there is sufficient oversight and investment in cybersecurity programs. In addition, organizations need to prioritize data accuracy and integrity to enable cybersecurity leaders to present reliable insights. Without these changes, the £10 billion annual cost of security failures will continue to rise, with devastating consequences for UK businesses.

The Panaseer report is a wake-up call for UK businesses to re-evaluate their cybersecurity strategies, strengthen their security controls, and better support the professionals responsible for safeguarding their digital assets. By prioritizing these efforts, businesses can reduce their vulnerability to attacks and avoid the financial and reputational damage that comes with security failures.
The report emphasizes that the failure to effectively manage security risks represents a significant financial burden for businesses, yet it also highlights the human cost for cybersecurity leaders who are shouldering the growing responsibility of safeguarding organizations in an increasingly dangerous digital world.

References

  1. Panaseer 2025 Security Leaders Report: This is the primary source of the data referenced in the article, offering insights into the state of cybersecurity practices, the challenges faced by security decision-makers (SDMs), and the financial costs of security control failures in the UK and US. Panaseer’s research surveyed 400 SDMs across these two countries, providing a comprehensive look at cybersecurity governance and risk management.
  2. Cybersecurity and Liability: The article references the growing trend of cybersecurity leaders seeking personal indemnity insurance due to the increasing personal liability associated with cybersecurity failures. This is becoming more common as CISOs and SDMs face significant legal and financial risks in the wake of high-profile breaches.
    • Source: Cybersecurity Trends: Personal Liability Insurance for CISO Roles by McKinsey & Company. Available on McKinsey’s website (https://www.mckinsey.com)
  3. The SUNBURST SolarWinds Breach: This breach is often cited as one of the most significant cybersecurity incidents in recent years, which has heightened regulatory scrutiny and amplified the pressure on security decision-makers. The incident affected thousands of organizations globally, including U.S. government agencies, and led to increased regulatory measures and personal accountability for CISOs.
  4. SEC and Cybersecurity Regulations: As mentioned in the report, the U.S. Securities and Exchange Commission (SEC) has been enforcing stricter cybersecurity rules in the wake of major breaches. The SEC’s focus on holding companies and executives accountable for cybersecurity lapses has set a precedent for global regulatory frameworks, influencing policies in the UK as well.
    • Source: SEC’s Cybersecurity and Risk Management Guidelines – U.S. Securities and Exchange Commission (https://www.sec.gov)
  5. Data Integrity in Cybersecurity: The report mentions that only 55% of cybersecurity leaders feel confident that the data they present is fully accurate. This points to the critical issue of data integrity in cybersecurity decision-making, where flawed or incomplete data can lead to poor risk assessments and missed threats.
  6. Impact of Cybersecurity Failures on Businesses: The article highlights the £10 billion annual cost to UK businesses resulting from security control failures. This figure reflects the financial burden businesses face due to breaches, including legal fees, regulatory fines, loss of customer trust, and recovery costs.
