A recent cyberattack on the UK’s Co-operative Group (Co-op) has sent shockwaves through the British retail sector, providing a cautionary tale for US companies about the real-world costs of cyber threats and the importance of robust risk management strategies.
In late April 2025, the Co-op, a major UK retailer with over 2,000 food stores and significant operations in insurance and funeral services, detected an attempted breach of its IT systems. In response, the company proactively shut down parts of its IT infrastructure to contain the threat, temporarily impacting back-office and call center functions. Notably, customer-facing operations, such as retail stores and deliveries, remained unaffected, demonstrating effective containment and business continuity planning.
Despite the swift response, the financial consequences were severe. The Co-op reported that the attack would carve £120 million (about $150 million) from its annual profits, with revenues down by more than £200 million during the period. The incident exposed vulnerabilities in the company’s supply chain and IT-dependent operations, leading to empty shelves and disrupted payments in stores for weeks. The company’s leadership highlighted that, while their balance sheet and rapid employee response helped maintain essential services, the attack underscored the need for ongoing investment in both technology and operational resilience.
A key revelation from the incident was the Co-op’s limited cyber insurance coverage. While the Co-op had insurance for immediate technical response, they lacked comprehensive coverage for business interruption and back-end losses.
“Co-op did not have dedicated cyber-insurance in place;” a spokesman told Insurance Business. “Instead of investing in insurance, they chose to invest in enhanced cyber security which ensured they were able to contain the threat and minimise the impact for our members and customers.”
As a result, most of the financial hit will not be recoverable through insurance. This stands in stark contrast to other UK retailers, such as Marks & Spencer, which expects to recoup a substantial portion of its cyber losses via insurance.
The Co-op’s decision to invest more heavily in cybersecurity controls, rather than in broader insurance coverage, reflects a growing trend among large enterprises. However, the incident has sparked debate among risk managers and insurers about the adequacy of such strategies, especially given the scale of modern cyber threats and the potential for prolonged business disruption.
Alexandra Bretschneider, vice president and cyber practice leader at Johnson, Kendall & Johnson, said the Co-op hack and other recent European cyber attacks served as a lesson about the importance of comprehensive cyber coverage.
“The large events in Europe from this past year – Marks & Spencer, Jaguar, and The Co-Op – serve as reminders to large organizations that cyber-risk may not be best left self-insured, given the potential impact of business interruption on the balance sheet,” Bretschneider told Insurance Business. This further substantiates my belief that the business interruption coverage within a cyber Insurance policy remains one of the most critical parts, and where organizations of all sizes (small and large), are likely under- or uninsured.”
For US businesses, the Co-op’s experience highlights several critical lessons:
Containment and Resilience: Rapid isolation of affected systems and maintaining customer-facing operations can limit reputational and revenue damage.
Comprehensive Risk Management: Cyber insurance should be viewed as a complement to, not a replacement for, strong cybersecurity controls. Policies must be reviewed to ensure they cover not just incident response, but also business interruption and supply chain impacts.
Board-Level Engagement: The incident underscores the need for boards and executives to take an active role in cyber preparedness, ensuring that both technical and financial protections are in place.
As cyber threats continue to evolve, US companies – large and small – should reassess their own preparedness, balancing investments in technology, staff training, and insurance to mitigate the growing risks of cybercrime.
