Marks & Spencer (M&S), one of the UK’s largest and most prominent retailers, is preparing to claim up to £100 million under its cyber insurance policy after a major cybersecurity breach disrupted operations and compromised customer data. The incident underscores the rising financial and reputational risks facing businesses and the evolving role of cyber insurance as a critical component of enterprise risk management.
Data Breach Disrupts Sales and Damages Trust
On Tuesday, M&S disclosed for the first time that a cyberattack had resulted in the theft of certain customer information, including contact details, dates of birth, and online order histories. While the company emphasized that no payment or password data was stolen, the attack crippled its online operations for nearly three weeks and disrupted food supply chains across the country.
With M&S’s daily online revenue estimated to be around £3 million, the company may have already lost more than £60 million in sales. The impact on physical store operations—especially inventory shortfalls—likely exacerbated the total revenue shortfall. Since the breach was revealed on April 22, shares in M&S have dropped approximately 16%, translating to a £1.3 billion loss in market capitalization.
The incident comes at a critical time as M&S prepares to release its full-year earnings next week. The market will be watching closely for any updates on financial losses, reputational damage, and strategic responses.
Insurers Face One of UK’s Largest Cyber Claims
M&S holds a cyber insurance policy worth up to £100 million, structured by London-based broker WTW. Allianz is believed to be the primary insurer and is expected to pay an initial tranche of at least £10 million. Cyber specialist Beazley, known for underwriting complex digital risk, is also reported to be among the co-insurers on the policy.
The policy is expected to respond fully, covering:
First-party losses, including business interruption, revenue loss, and incident response costs (e.g., forensic investigations and public relations),
Third-party liabilities, such as regulatory fines, legal defense costs, and claims arising from data privacy breaches.
Sources familiar with the matter say the policy is expected to respond even if the breach is traced back to a third-party vendor—an increasingly common attack vector in modern supply chain-based cyber incidents.
Should M&S draw down the full policy limit, the payout would become one of the largest in UK cyber insurance history, potentially influencing pricing, underwriting standards, and future coverage terms across the market.
Market Implications for Cyber Insurance
The M&S claim arrives during a period of relative calm in cyber underwriting markets. Following a spike in ransomware attacks during the COVID-19 pandemic, premiums surged between 2020 and 2022. Since then, pricing has softened slightly, and insurers have improved terms—shortening coverage triggers (e.g., reducing response delays from 12 to 8 hours) and expanding available limits.
However, this incident, alongside recent attacks on the Co-op and Harrods, could reverse this softening trend for UK retailers. Premiums, which for M&S were reportedly below £5 million annually, could rise sharply at renewal—potentially doubling—if risk controls are not demonstrably improved.
A London-based insurance expert noted that the M&S incident may act as a “proof of concept” for the value of cyber insurance. The anticipated payout could encourage more small and medium-sized enterprises (SMEs) to purchase cyber coverage—especially those with consumer-facing digital operations.
According to a report by brokerage Howden, British businesses have lost an estimated £44 billion in revenue from cyberattacks over the past five years, and over 50% of firms have experienced at least one breach. This data underscores the latent demand for financial risk transfer solutions in the cyber domain.
Operational Recovery and Legal Fallout
While the company has transitioned to the recovery phase, reputational and regulatory risks remain. M&S is working with UK law enforcement and relevant government bodies to identify the source of the breach. Any findings of negligence, poor vendor oversight, or internal failures could expose the company to lawsuits or enforcement actions under the UK General Data Protection Regulation (GDPR).
Moreover, consumer trust remains at risk. Although M&S assured customers that payment data was not compromised, public concern around data privacy and online security could depress digital sales in the short term.
Retail competitors and peers are also under increased scrutiny. The recent cyberattacks on Harrods and the Co-op suggest an elevated threat environment for UK-based consumer businesses, particularly those with complex supply chains and legacy IT infrastructure.
A Defining Moment for Cyber Risk Management
The M&S cyberattack marks a pivotal moment in the UK retail and insurance landscapes. For insurers, the scale of the potential payout will serve as a stress test for policy language, breach response protocols, and reinsurance coverage. For M&S, the incident will be a litmus test for how well cyber resilience strategies can translate into recovery and long-term shareholder value preservation.
More broadly, the case reinforces that cyber insurance is no longer optional—it is foundational to business continuity in an age of escalating digital threats.