UK retailers face double-digit rate increases after recent cyberattacks

Reuters
05-23

By Rebecca Delaney, Michael Loney

May 23 - (The Insurer) - Recent cyberattacks on UK retailers will likely lead to rate increases for the sector at the July renewals, with Marks and Spencer’s insurers expected to take a full loss on its 100 million pound ($133.6 million) tower.

M&S disclosed a cyber incident on April 22, with the knock-on effects leading the UK retailer to cancel online orders and suspend recruitment as employees were ordered to work on personal devices.

A further statement from the retailer on May 13 disclosed that some personal customer data had been compromised, including contact details, dates of birth and online order histories. It added that there was no evidence that the data had been shared, or that data relating to payment details or account passwords had been accessed.

Willis has confirmed to this publication that it placed M&S’s 100 million pound cyber insurance policy but declined to provide any further detail.

It is expected that the M&S cyberattack will result in a full tower loss because of the lengthy nature of the event.

Allianz leads the tower, with participation from CFC, Beazley and Willis' CyXS facility.

Allianz Commercial declined to comment on potential client relationships or exposures. CFC and Beazley declined to comment.

M&S on May 21 provided an update in which it estimated the cyberattack’s impact on group operating profit at around 300 million pounds for 2025/26, which it said “will be reduced through management of costs, insurance and other trading actions”.

The M&S attack was followed by Co-op Group issuing an apology on May 2 after it disclosed that hackers had accessed a "significant number" of members' contact data. The previous day, luxury brand Harrods restricted on-site internet access after an attempt to infiltrate its systems.

10% TO 20% INCREASES EXPECTED FOR UK RETAILERS

Monica Tigleanu, cyber strategy director at BMS, told Cyber Risk Insurer that the incidents are likely to lead to rate increases for the UK retail sector, particularly if portfolio losses are higher than expected.

"Rate increases are to be expected now for the retail sector and capacity management in respect of accumulation by insured, industry sector and geography," she said.

"We should expect anywhere from 10% to 20% depending on the quality of the risk management in place for the retailer."

Tigleanu said the incidents highlight the need for companies to expand cyber exposure analysis to operational risks.

She added that while there may be scrutiny on wordings, sophisticated buyers will consider an increase in premium to be a better trade-off than less coverage.

"Given the competitive landscape in the cyber market, restrictive coverage is not going to educate the client about their exposure or improve the reputation of the cyber market, therefore insurers should focus on better understanding the risk and pricing rather than limiting coverage," she said.

Companies with larger balance sheets, such as those affected in the recent events, will be increasingly expected to carry out business impact analysis and risk quantification exercises to understand the incident scenarios in which they can still operate.

However, Tigleanu noted that, to date, the focus of exposure analysis for cyber has been on privacy risk, rather than the operational risk that encompasses business interruption (BI) losses.

"As an industry, we should continue to challenge organisations to improve their cyber risk management and recognise it as a business risk. We are not spending enough time on exposure analysis to help businesses understand their worst-case scenarios for BI losses, what constitutes a realistic scenario, and how to determine an appropriate sum insured – just as the property market does," she said.

This is compounded by the fact that BI is still seen as an optional coverage for retail companies, Tigleanu said, which demonstrates a lack of understanding around exposure and what elements of their exposure can be insurable in the traditional insurance market versus via parametric solutions.

For companies that do have BI cover, the standard waiting period is usually 12 to 24 hours, which would have been well eroded for some of the recent events, Kelly Nuttall, head of cyber incident management at Marsh, told Cyber Risk Insurer.

"We've seen M&S come out publicly to say that they are suffering from significant BI losses on a daily basis and that is ongoing. I would expect a cyber insurance policy to be picking up those losses," said Nuttall in mid-May.

Ransomware incidents will typically trigger the incident response element of a cyber insurance policy, which provides cover for first-party costs from an insurance vendor panel, such as legal advisers, digital forensics, PR and crisis communications experts, and ransomware negotiators.

EVER-EVOLVING CYBER THREAT LANDSCAPE

Beyond the potential impact on the insurance market, the recent cyberattacks on UK retailers highlight the rapidly changing cyber threat landscape.

The attack on M&S has been linked to the Scattered Spider hacking collective, which gained notoriety in 2023 after it claimed responsibility for ransomware attacks on casino operators Caesars Entertainment and MGM Resorts.

"What makes them interesting and notable is that they have English-speaking operatives, typically residing in the U.S. and UK. That enables them to conduct really highly sophisticated social media-led phishing campaigns," said Nuttall.

A report by BleepingComputer said that the cyberattacks on M&S and Co-op Group were instigated by hackers impersonating employees to contact IT help desks to reset passwords.

"It means they can reset credentials but also get around multifactor authentication, which is obviously one of the core cybersecurity controls that it is recommended are in place. It certainly is a sophisticated and coordinated campaign," Nuttall said.
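The help-desk reset pattern described in the two paragraphs above lends itself to a straightforward detection on the defender's side. The following is an added example, not code from the article or from any of the firms quoted in it: it assumes a constructed, line-oriented audit log (the `helpdesk` and `idp` sources, the action names and the sample entries are all hypothetical) and flags accounts where a help-desk initiated password reset is followed within a short window by an MFA factor reset or enrolment. That sequence is what a fraudulent "I'm locked out" call produces, and it is the trigger for a call-back verification to the employee on a number already on file.

```python
"""Correlate help-desk password resets with MFA factor changes.

Added example; assumes a constructed audit-log format of the form
    <iso-timestamp> <source> <action> user=<account> actor=<who did it>
Real service-desk and identity-provider logs have their own schemas,
so parse_line() is illustrative and would need adapting.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # hypothetical: "helpdesk" or "idp"
    action: str   # hypothetical action names, see SAMPLE_LOG
    user: str     # account the action was performed on
    actor: str    # who performed it (agent id or the user themselves)


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, source, action, user_kv, actor_kv = line.split()
    return Event(
        datetime.fromisoformat(ts),
        source,
        action,
        user_kv.split("=", 1)[1],
        actor_kv.split("=", 1)[1],
    )


# Window in which a help-desk reset followed by an MFA change is treated
# as suspicious. Two hours is an assumed tuning value, not a standard.
WINDOW = timedelta(hours=2)

# Actions that change the second factor. Hypothetical names.
MFA_CHANGE_ACTIONS = {"mfa_factor_reset", "mfa_enroll"}


def find_suspicious_resets(lines, window: timedelta = WINDOW):
    """Return (user, reset_ts, mfa_ts) for every account where a help-desk
    password reset is followed within `window` by an MFA factor change.

    Only MFA events that occur *after* the reset count; an MFA change that
    precedes the reset is unrelated to the help-desk call.
    """
    events = sorted(
        (parse_line(line) for line in lines if line.strip()),
        key=lambda e: e.ts,
    )
    resets_by_user: dict[str, list[datetime]] = {}
    hits = []
    for e in events:
        if e.source == "helpdesk" and e.action == "password_reset":
            resets_by_user.setdefault(e.user, []).append(e.ts)
        elif e.source == "idp" and e.action in MFA_CHANGE_ACTIONS:
            for reset_ts in resets_by_user.get(e.user, []):
                if timedelta(0) <= e.ts - reset_ts <= window:
                    hits.append((e.user, reset_ts, e.ts))
                    break  # one alert per MFA change is enough
    return hits


# Constructed sample log. Only a.jones shows the reset-then-MFA-change
# sequence inside the window; j.smith's MFA reset is almost five hours
# after the help-desk reset, and a.jones's earlier MFA reset predates it.
SAMPLE_LOG = """\
2025-04-20T09:02:11 helpdesk password_reset user=j.smith actor=agent07
2025-04-20T09:40:53 idp login_success user=j.smith actor=j.smith
2025-04-20T11:15:30 idp mfa_factor_reset user=a.jones actor=a.jones
2025-04-20T13:05:00 helpdesk password_reset user=a.jones actor=agent03
2025-04-20T13:07:45 idp mfa_enroll user=a.jones actor=a.jones
2025-04-20T14:00:00 idp mfa_factor_reset user=j.smith actor=j.smith
""".splitlines()


if __name__ == "__main__":
    for user, reset_ts, mfa_ts in find_suspicious_resets(SAMPLE_LOG):
        print(f"verify by call-back: {user} reset at {reset_ts}, "
              f"MFA changed at {mfa_ts}")
```

The value of the check is in the pairing, not in either event alone: help desks reset passwords all day and users re-enrol authenticators legitimately, but a reset requested by phone that is immediately followed by a new factor is the moment at which an attacker converts a social-engineering call into durable access, so it is the moment to interrupt with an out-of-band confirmation.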

Si West, director of customer engagement at Resilience, added that the attack on M&S underscores a growing trend of sophisticated socially engineered intrusions targeting well-known brands.

"What makes this incident particularly concerning is the group’s use of advanced tactics like SIM swapping and MFA bypass – techniques once considered niche but now increasingly mainstream among cyber threat actors," he said.

"From a risk management standpoint, this attack is a stark reminder that technical defences alone are insufficient. Organisations must embed cybersecurity resilience into their broader enterprise risk frameworks."

Howden in November last year estimated that 52% of UK businesses, representing 1.3 million private sector companies, had suffered at least one cyberattack in the past five years, equating to 44 billion pounds of lost revenue.

The broker suggested that businesses can reduce cyberattack costs by up to 75% by implementing simple cybersecurity basics more widely.

Howden also said that the insurance industry and government have a vital role to play in boosting cybersecurity uptake, by helping companies address common barriers around cyber investment.
