What attacks on the UK's retail sector mean for the global cyber insurance market

The string of cyber breaches is a "wake-up call" for firms

By Gia Snape

The UK’s retail sector was recently shaken by cyber attacks on major brands, including a historic London department store and one of the country’s most iconic high street brands.

Harrods reported an attempted hacking attack earlier this month, days after Co-op said threat actors stole large amounts of customer and staff data from its systems. A separate breach stunned Marks & Spencer (M&S), shuttering the retail giant’s online operations and slashing billions from its market capitalization.

The trio of attacks has reverberations beyond the UK, according to Ian Summerfield, head of cyber at global specialist carrier Pen Underwriting.

Speaking to Insurance Business, Summerfield said this event is serving as a wake-up call for cyber insurers, brokers, and clients alike. With high-profile cyber incidents hitting huge brands, insurers face renewed pressure to tighten supply chain assessments and close coverage gaps.

A £300-million lesson in cyber resilience

In a recent business update, M&S revealed the attack would cost it approximately £300 million (AU$630 million) in lost operating profit for the fiscal year ending March 2026. The retailer’s automated stock systems were taken offline, forcing it to revert to pen-and-paper methods to manage the flow of goods across more than 500 stores and its vast online network.

One month on, key online services remain non-operational, and the impact on customer experience and brand reputation has been profound. For insurers like Pen Underwriting, the attack underscores the scale and complexity of modern cyber risk.

“Incidents like that (which cause) tens of millions of pounds in losses, definitely make underwriters reassess their exposure, pricing adequacy, and coverage,” Summerfield said.

While Summerfield believes the event is unlikely to trigger a wholesale market shift, it is changing how retail-sector risks are evaluated.

Yet, there is no doubt the attack has reinforced the value of cyber insurance, even among financially robust companies. Beyond a headline-grabbing event, such attacks reinforce the urgent need for better cyber protection, smarter underwriting, and stronger partnerships between insurers, brokers, and businesses.

“Cyber incidents can completely stall operations, whether that’s manufacturing, distribution, or retail,” said Summerfield. “Like with the recent M&S event, it’s about not being able to restock shelves or serve customers. That’s the biggest fear.”

Supply chain risks are changing the cyber insurance landscape

While ransomware attacks often dominate headlines, they are not the most common claim type, according to Pen’s data. Fund transfer and business email compromise still make up the bulk of its claims.

The specialist firm has responded by launching Pen Protect, a cyber risk management platform that equips cyber policyholders with an enhanced, integrated suite of risk management tools and specialist services.

“Ninety per cent of the claims we see stem from human error, not sophisticated tech. It could be someone clicking a link or falling for a phishing call,” Summerfield said. “Pen Protect focuses on changing behavior, getting people to pause, ask a colleague, or think twice. It’s bite-sized, practical training aimed at reducing that risk.”

Meanwhile, large-scale supply chain events like the 2020 SolarWinds Orion attack and the 2023 MOVEit Transfer hack have also prompted insurers to scrutinize third-party exposure more closely, according to Summerfield.

These breaches affected thousands of organizations, from government agencies to Fortune 500 companies, and exposed gaps in third-party vendor cyber hygiene.

“A few years ago, we wouldn’t necessarily know how many clients used a vendor like CrowdStrike,” Summerfield said. “Now insurers want to understand that aggregate exposure.”

Cyber stakes are higher for SMEs

For SMEs, the stakes are even higher. A £1 million ransomware demand is “existential” for a business under £10 million in revenue, said Summerfield. This is compounded by an evolving threat landscape. Attackers are increasingly using automation and artificial intelligence to scale operations, making even the smallest firms vulnerable.

And despite years of awareness campaigns, many SMEs are still convinced they’re not targets.

“We’ve been having the education conversation since 2013,” Summerfield said. “It’s a numbers game, and threat actors are casting a wide net. Even a four-person plumbing company can be a target.”

Pen Underwriting currently conducts around 50% of its cyber business with US-domiciled organizations, where market maturity is highest. The UK lags, while continental Europe is “in the single digits” when it comes to cyber insurance penetration, according to Summerfield. That presents both a challenge and an opportunity. “There’s a lot of room for growth,” he said.

Brokers have an important role in closing the cyber protection gap, too. Pen frequently partners with brokers to provide education and meet clients face-to-face, particularly for SMEs who are new to cyber coverage.

For Summerfield, the time for reactive thinking about cyber risk is over. Whether it’s a billion-pound retailer like M&S or a local bakery, every business is vulnerable.

“These attacks are a numbers game,” he said. “Threat actors are just trying to find the right ‘key.’ And if it works, even a small firm can be crippled. These incidents don’t make the news like M&S does, but they’re happening every day.”
