
Cybersecurity Breaches in UK Retail: Implications for Insurance and Risk Management

  • Writer: Yiwang Lim
  • May 6

Updated: May 9


Recent Attacks Drive Up Cyber Insurance Costs and Reassess Risk

The recent cyberattacks on UK retail giants Marks & Spencer (M&S), Harrods, and the Co-op have revealed alarming vulnerabilities in the sector’s digital infrastructure. These events have triggered a reassessment of cyber risk across the industry and are expected to drive cyber insurance premiums up by approximately 10%, according to BMS’s head of cyber, Dan Leahy. This shift follows two years of softening in the cyber insurance market, where premiums fell as much as 20% in 2023 and 15% in early 2024 due to increased competition among underwriters.


Retailers now face greater scrutiny from insurers, some of whom may limit exposure to the sector altogether. This is a pivotal moment for cyber underwriting, with insurers recalibrating their risk models in the face of increasingly frequent and costly breaches.


High-Profile Incidents, High Costs

M&S has suffered significant operational disruption, with online orders halted for nearly two weeks. Estimates suggest lost revenues of over £40 million, with a potential business interruption claim in the tens of millions. The Co-op has also confirmed the exfiltration of customer data, having previously believed the attack was repelled.


Both incidents exemplify the broader risk to retailers, whose large volumes of consumer data, reliance on legacy systems, and customer support interfaces make them prime targets for threat actors. These breaches follow a pattern seen globally, where ransomware and social engineering are the most prevalent vectors.


Tesco, in contrast, has reported robust cyber resilience protocols in its latest annual report, including third-party penetration testing and crisis simulations involving ransomware scenarios. This kind of preparedness is likely to become the new baseline for securing affordable cyber cover in future renewals.


MY OUTLOOK: Structural Cyber Risk Now a Core Valuation Input

From my perspective, this marks a structural turning point for cyber risk as a key valuation and underwriting input—not just a compliance issue. The reputational and operational consequences of these attacks directly impact EBITDA forecasts, customer retention, and even equity risk premia, particularly for omnichannel retail platforms where digital is a material share of total revenue.


For investors and deal teams, this reinforces the necessity of comprehensive due diligence on cybersecurity governance, disaster recovery protocols, and insurer coverage caps before deploying capital. Whether in private equity buyouts or public equity screening, digital operational risk must now be factored into the discount rate.


From an underwriting point of view, insurers are likely to demand stress-tested security frameworks, clear data segregation policies, and board-level cyber risk accountability as conditions for writing future policies. Retailers that cannot demonstrate this level of sophistication will find themselves excluded from cost-effective coverage and, potentially, capital markets access.


This is a moment of reckoning—digital fragility is no longer hypothetical. It is priced risk.


Conclusion: The Convergence of Cyber Resilience and Financial Sustainability

Cyber insurance has become a strategic necessity for UK retailers, not just a safeguard. As the sector becomes increasingly digitised, the convergence of cybersecurity and financial sustainability will be non-negotiable. Boards and investors alike must elevate cybersecurity governance to the forefront of strategic planning.


Retailers must move beyond reactive models to a proactive risk culture, incorporating cyber resilience into everything from procurement to M&A. Those who do will not only secure better insurance terms but also gain a competitive advantage in trust and operational continuity.

 
 
 



©2035 by Yiwang Lim. 
