Sophisticated impersonation behind £300 million cyber attack

"Lucky we doubled our cyber coverage last year," says giant retailer

By Matthew Sellers

Marks & Spencer is still navigating the aftermath of the devastating cyberattack that has disrupted its operations for months, exposing both the retailer’s vulnerabilities and the increasingly critical role of cyber insurance in modern corporate risk management.

The incursion began on April 17 with a sophisticated act of impersonation involving one of M&S’s external partners, and was not detected until two days later. By then, substantial damage had been inflicted on the retailer’s IT systems, culminating in depleted store shelves, crippled online functions, and an operational headache estimated to cost the business up to £300 million in profit.

Appearing before Parliament’s Business and Trade Committee on Tuesday, M&S chairman Archie Norman characterised the attack as a sobering and instructive experience for the British retail giant. He declined to confirm whether a ransom had been paid, citing legal sensitivities and the ongoing involvement of the National Crime Agency. “It’s a question of judgement,” he told MPs. “Once systems are compromised, you're rebuilding regardless.”

A ‘pen and paper’ wake-up call

Norman made clear that the firm had opted not to engage directly with the criminal actors, believed to be a combination of the Scattered Spider group and the DragonForce ransomware operation, both linked to prior ransomware campaigns. While law enforcement authorities in the UK and the FBI in the United States have been brought in, full recovery remains months away.

General counsel Nick Folland issued a stark warning to other enterprises: “Ensure your business can operate manually. We had to – literally – return to pen and paper in parts of the business.”

In a further disclosure, Norman confirmed M&S had doubled its cybersecurity expenditure and tripled headcount in that function to 80 personnel. Importantly for the insurance community, he noted that M&S had increased its cyber coverage last year, an investment now set to be tested by one of the largest claims of its kind in the UK retail sector. Marks & Spencer's primary cyber insurer is Allianz, which acts as lead underwriter on the policy and is expected to cover at least the initial £10 million of the claim.

Beazley, the specialist Lloyd’s of London insurer, is also among the insurers exposed to the losses under a layered cover arrangement, meaning multiple insurers share the risk above certain thresholds. The policy was reportedly arranged by WTW (Willis Towers Watson).

The total claim from M&S could reach the policy limit of £100 million, covering both direct business losses and third-party liabilities resulting from the breach.

“We anticipate a meaningful recovery,” Norman said, although he acknowledged it may take up to 18 months before the value of the claim is known.

Insurance sector watches closely

The breach at M&S joins a cluster of high-profile incidents this year that have shaken the corporate world, including attacks on the Co-op Group and Harrods.

The incident comes amid growing pressure on the insurance industry to reassess the pricing and scope of cyber cover. Premium volumes in the global cyber insurance market are forecast to hit $16.3 billion in 2025, according to Munich Re, with projections exceeding $30 billion by 2030 as the frequency and cost of attacks continue to rise.

Beazley’s head of international cyber risk, Sydonie Williams, said that events like the M&S breach often catalyse fresh demand. “After high-profile attacks, boards start asking the right questions,” she said.

Bloomberg Intelligence estimates a 67% increase in gross written premiums across Beazley’s cyber division over the next five years, suggesting strong growth despite tightening policy wordings and increasing scrutiny of claims.

A turning point for cyber resilience

The attack has also reinvigorated debate about the preparedness of large organisations. Despite heightened awareness, fewer than half the firms in the FTSE 100 reportedly hold cyber policies, and penetration among smaller companies is even lower.

As ransomware syndicates become more industrialised, offering tools and branding to affiliates on a franchise (ransomware-as-a-service) model, the barriers to entry for cybercriminals are falling, even as defences are slow to catch up. Analysts warn that the line between state and criminal activity is increasingly blurred.

For M&S, the road to digital recovery may be long, but the lessons – particularly for insurers and corporate risk officers – are immediate and far-reaching.
