
Cyber attacks & insolvency: what businesses need to know


According to the UK Government’s Cyber Security Breaches Survey 2025, 43% of businesses experienced a breach or attack in the last 12 months.

The cost of these attacks can be staggering for organisations of all sizes and sectors, with even high-profile institutions being hit hard in recent years. Marks & Spencer, for example, faced an attack in April 2025 that cost the retailer an estimated £300 million.

When an attack hits, the immediate priority is containment and recovery. Insolvency considerations rarely feature in those first critical hours, but the commercial, legal and financial decisions taken in the aftermath of a cyber event carry significant consequences.

For businesses in data-intensive sectors, the exposure is particularly acute. Engaging restructuring and insolvency advisers alongside IT and legal counsel at the earliest opportunity preserves the widest range of options.

The immediate strategic priorities

Understanding the nature of the incident, whether ransomware, data theft or system corruption, shapes every subsequent decision, from stakeholder communications to which advisers need to be engaged immediately.

Restoring operations quickly is an obvious priority, but IT recovery costs can be significant. Committing substantial cash to recovery efforts without a parallel financial assessment can create new problems at precisely the moment creditors and clients need reassurance.

Stakeholder communications require particular care. Premature or poorly framed disclosures can accelerate reputational damage and trigger contractual consequences before the business has stabilised. Identifying which revenue streams can be maintained or restored quickly is also important but often overlooked. With the focus on recovery, businesses can miss opportunities to protect and pursue the income that remains available to them.

The right advisory team matters enormously. While IT forensics establishes what happened and secures the environment, legal counsel manages liability and regulatory exposure. An insolvency practitioner will also ensure immediate decisions do not inadvertently worsen the position of creditors or directors further down the line.

Regulatory and insurance considerations

A cyber incident triggers regulatory obligations that run alongside the operational response. Businesses handling personal data must notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a breach likely to risk individuals’ rights and freedoms. Missing this window can compound an already difficult situation with regulatory sanction.

Understanding the business’s data protection role determines the scope of those obligations. Data controllers carry the primary compliance burden under the Data Protection Act 2018 and UK GDPR, and data processors have distinct but significant duties of their own. Many businesses, particularly in professional services, will operate as both simultaneously.

Sector-specific regulators add a further layer. For example, charities must consider the Charity Commission’s expectations around governance and risk management. Legal and financial services firms may face questions from their respective regulators about the adequacy of controls and client data protection.

Cyber insurance can provide critical support covering aspects such as incident response costs, legal fees, regulatory fines and business interruption losses. However, policy terms vary considerably. Insurers will scrutinise the business’s response closely, and inadequate cover, policy exclusions or failure to follow agreed protocols can all affect the validity of a claim.

When recovery isn’t possible: the insolvency route

Where a cyber attack has caused irreversible operational or financial damage, an insolvency procedure such as Administration may be the most appropriate outcome. In some cases, it is simply the most effective way to protect creditors and preserve what remaining business value exists.

Data protection obligations do not disappear when a business enters insolvency following a cyber attack. The administrator must manage any outstanding ICO notifications, handle third-party claims arising from the breach and ensure personal data is dealt with securely.

If the breach affected clients or suppliers, their claims may sit alongside existing creditors, which could complicate distributions and extend the timeline. Identifying these liabilities early, before formal insolvency proceedings begin, is always preferable.

Prevention is still the best strategy

Preventative action is always the most effective defence against cyber attacks. Implementing the right technical tools for your business, together with human and process measures and the right cyber insurance, can measurably reduce both the likelihood of a successful attack and the cost of recovery if one occurs. For many businesses, these safeguards are a prerequisite for operating in regulated sectors or meeting contractual obligations.

Strong governance frameworks are equally important, particularly in regulated sectors. Boards and senior leadership teams that have clearly assigned cyber risk ownership, tested their incident response plans and reviewed their supply chain exposures are better placed to respond effectively and demonstrate to regulators, insurers and creditors that the business was being managed responsibly.

 

Opus works closely with the ICO, Charity Commission and other regulatory bodies at every stage, from initial crisis response through to Administration where necessary. Our experience across cyber-affected restructuring and insolvency cases means we understand both the technical and financial dimensions of these situations, and how to navigate them in a way that protects the business and all its stakeholders.

If you are seeking professional advice for your business, we are here to help. We can arrange for you to speak to one of our Partners, who can discuss options with you. We have offices nationwide and by contacting us on 0203 995 6380, you will be able to get immediate assistance from our Partner-led team.
