Marks and Spencer could claim for losses of as much as £100mn from its cyber insurers in the wake of a sustained hack where some customer data was stolen.
The UK retailer’s cyber policy allows it to claim up to £100mn, according to people familiar with the situation.
Allianz is the first insurer on the hook for M&S’s losses, the people added, and is expected to pay at least the initial £10mn. Cyber specialist Beazley is also among the insurers exposed to losses at the FTSE 100 retailer, according to the people familiar with the situation.
M&S admitted for the first time on Tuesday that some personal customer data was stolen as part of the cyber attack that has left the retailer unable to accept online orders for almost three weeks. The retailer told customers this “could include contact details, date of birth and online order history” but it “does not include usable card or payment details” or account passwords.
It was working with law enforcement and government agencies, the FTSE 100 group added.
The company will report its full-year results next week and is expected to update the market on the consequences of the hack.
It may have lost revenues to date totalling more than £60mn, based on extrapolation of its average daily online sales. The attack on its systems also left M&S struggling to keep shelves stocked in some food stores, which has probably reduced sales further.
The retailer’s share price has fallen about 16 per cent since it disclosed the attack on April 22, wiping £1.3bn off its market capitalisation.
M&S, Beazley and Allianz all declined to comment.
The Co-op and Harrods have also been hit by recent cyber attacks. The Co-op said on Wednesday that it had entered a “recovery phase” and was taking steps to bring its systems back online gradually. Stock availability, which has been hit by the IT disruption, would improve in its stores and online from this weekend, it said.

M&S’s cyber insurance cover, arranged by London-headquartered WTW, was expected to pay out in full, a senior market participant said. He predicted this would be the case even if the breach were ultimately linked to a vulnerability with a third-party vendor to M&S. WTW declined to comment.
The policy would cover both first-party losses, such as lost sales and incident response costs, and third-party losses, such as legal liabilities related to the data breach, the person added.
M&S’s annual insurance premium, at present under £5mn, could as much as double when the policy is renewed if the retailer does not demonstrate to insurers that it has improved its risk management practices, the person said.
After surging during the pandemic, cyber insurance premiums generally had come down in recent months. Insurers had begun to offer more generous coverage and more attractive terms, including response times falling from 12 to eight hours before coverage kicks in.
But UK retailers could face steeper prices for cyber cover following the recent attacks.
A large payout for M&S could act as a “proof of concept” for cyber insurance, one London-based insurance expert said, encouraging more small and medium-sized businesses to buy cover.
Cyber attacks have cost UK businesses roughly £44bn in lost revenue over the past five years, according to a November report from broker Howden. Just over half of UK businesses faced at least one incident over that period, it said.
https://www.ft.com/content/723b6195-1ce7-4b5f-94f5-729e9152c578