From Marks & Spencer (M&S) to the Co-op to Harrods, a recent spate of cyberattacks has targeted top retailers across the UK. But while the quick succession of incidents may have made headlines, retailers being a target is far from new.
“Retailers are one of the industries, alongside healthcare, who were the earliest victims of cyberattacks and as a result one of the earliest adopters of cyber insurance following large scale data breach and privacy events in the early 2000s,” explained Lindsey Nelson (pictured), head of cyber development at CFC.
Speaking on why retailers are at risk, Nelson noted: “Their exposure has always lain primarily in the fact that, particularly for larger corporations, they hold vast amounts of customer payment data, engage with multiple third party dependencies in the supply chain, and are naturally high profile targets given their brand profiles and amount of customers and impacted stakeholders.”
As with most forms of cyberattack, the threat actors are constantly evolving, which can be difficult for insurance to keep pace with.
“Threat actors are able to successfully infiltrate password databases and crack passwords to use legitimate credentials to obtain access across enterprise systems,” Nelson said. “From there, it becomes incredibly easy for the threat actors to deploy ransomware – often done as RaaS (ransomware as a service) which requires far less sophistication and increases the scale and speed of attacks.”
Nelson added that what’s currently happening is somewhat different to other cyberattacks.
“What’s new here is there is a clear targeted focus to UK retail, which is being escalated at speed likely as a result of their instability internally and looming threat of being exposed externally that’s prompted several attacks in quick succession,” she said.
The direct and indirect costs of cyberattacks are significant. GOV.UK’s 2024 survey estimates: “The single most disruptive breach from the last 12 months cost each business, of any size, an average of approximately £1,205. For medium and large businesses, this was approximately £10,830.”
Beyond operational disruption, the M&S breach has caused substantial losses, with reports of “3am meetings and 40 million pounds a week in lost sales.”
With the vulnerability of retailers to cyberattacks, Nelson believes there are critical coverage options that brokers should look to include:
The recent wave of UK retail attacks has often involved social engineering. According to Nelson: “Social engineering tactics are common among threat actors as a means of obtaining legitimate credentials to log into enterprise systems where they can linger doing due diligence on operational impact of the organisation, determine the impact to influence the demand on the ransom, if any, and eventually deploy the ransomware attack, usually with data exfiltration and the potential for double extortion in releasing it.”
To reduce these risks, Nelson recommends: “Employee training on psychological triggers, regular phishing simulations and tests, and deploying multi-factor authentication for remote access.”
Additional mitigation strategies include:
Retailers also face hidden exposures through third-party vendors, Nelson warned. “Despite investment into their own cybersecurity, it’s evident that third party vendors ultimately can introduce vulnerabilities into their ecosystem through their own software and services,” she said. “Equally, supply chain attacks create a downstream effect onto multiple businesses all utilising the same dependency.”
Many organisations are unaware of how their cyber policies address these risks. Nelson emphasised: “One of the biggest lessons learned was many organisations were unaware that cyber insurance policies don’t just cover their own risks, but that of their third party dependencies and whether it involved a malicious third party or was simply a systems failure event.”
According to Security Scorecard’s findings, retail and hospitality sectors led in third-party breach rates in 2024, with “52.4% of breaches linked to third-party access.”
Nelson believes brokers play a vital role in helping clients confront the rising tide of cyber threats. Key areas to assess include:
Nelson emphasised the urgency of proactive client conversations: “If you’re not already talking to your clients about cyber insurance, undoubtedly your competitors will be right now.”
Regular reviews are also critical. Nelson stressed regular updates to cyber risk strategies, “at least annually”, or in response to “major organisational changes or emerging vulnerabilities”, to stay ahead of the evolving threat landscape.
Brokers may also wish to consider: