Friday, May 9


UK retailers are likely to face steeper rises for their cyber insurance after damaging attacks on Marks and Spencer, Harrods and the Co-op, adding further pain to a sector that is already seeing premiums rise.

Retailers could face 10 per cent rate increases following the recent hacking incidents, said Dan Leahy, head of cyber at broker BMS.

“We expect this will drive underwriters to increase scrutiny on cyber security controls, raise rates and, for some insurers, reconsider whether to write cyber insurance for retail business,” Leahy said.

Cyber insurance prices had fallen by as much as 20 per cent in 2023 and 15 per cent in 2024, according to Nick Barker, head of cyber at broker Gallagher, as insurers competed for business.

But a series of ransomware attacks and data breaches has shaken the market and has begun to push rates higher in sectors including retail, healthcare, education and transportation. Brokers said rates in retail were expected to rise further when policies are renewed in 2026.

“We would encourage all of our clients who don’t currently buy cyber insurance to buy while it’s still a ‘buyers’ market’,” Gallagher warned clients in a note this week on the incidents.

UK retailers typically pay about £20,000 per £1mn of insurance cover, according to one broker, although the final sums differ considerably based on the size and the needs of the company. 

M&S’s business-interruption insurance claim could range into the tens of millions of pounds, according to senior brokers, as the company may have lost revenues totalling more than £40mn, based on extrapolation of its normal daily online sales average. Cyber security experts have said it could take the company months to fully restore its operations.

M&S declined to comment. The retailer is working with government and law enforcement agencies.

The company disclosed last month that its systems had been compromised, and it has been unable to accept online orders for almost two weeks while it tries to restore its operations.

Co-op acknowledged on Friday that cyber criminals had been able to access and extract names and contact details for a significant number of customers, after it initially said it had fended off the attacks. Both chains have also been working to fill empty shelves in some stores.

Retailers’ large volumes of consumer data, legacy computer software and help-desk operators fielding calls from customers have made them vulnerable to attacks.

Tesco said in its annual report, published on Thursday, that “the importance of cyber security remains paramount” and it regularly tests its cyber security defences using independent third-party agencies. 

Some of its senior leaders took part in a series of crisis simulations, including cyber attacks, it added. These are typically kept secret until a few days before to make them as realistic as possible. One such exercise, run by PwC in 2023, involved a ransomware attack, targeting “business-critical systems, including our tills not being operational”.

Ransom payments could potentially be recouped from insurers, according to Helen Nuttall, UK head of cyber incident management for broker Marsh, as well as the costs of bringing in crisis managers such as ransomware negotiators, credit monitoring experts, and public relations specialists.

M&S has not said whether it will pay a ransom, a practice that is controversial but not banned. However, threat actors demanding ransom could be connected to sanctions-hit entities, complicating the decision over whether to pay, and any eventual insurance claim.

Earlier this week, the UK’s cyber security agency warned retailers to be alert to cyber criminals impersonating IT help desks.

Nuttall said such hackers, often English-speaking and based in the UK and the US, were known for conducting “highly sophisticated social engineering campaigns”.

https://www.ft.com/content/190803d9-e646-4a58-8cd2-9a627cf40bb1
