Allianz, Beazley could be on the hook as M&S insurance claim expected to be £100m+

Online sales, data breach and more all on the claims list


By Matthew Sellers

Marks & Spencer, the storied British retailer, is bracing for one of the largest cyber insurance claims in the UK to date after disclosing that personal customer information was compromised during a sustained cyberattack that paralysed its digital infrastructure for weeks.

The customer data breach, which the company admitted publicly for the first time on Tuesday, had already left online operations severely disrupted and triggered a steep decline in M&S’s share price. Since revealing the attack on 22 April, the company’s market capitalisation has fallen by approximately £1.3 billion, or 16 per cent.

According to Financial Times sources, M&S is preparing to claim up to £100 million under its cyber insurance policy, a sum that would encompass a wide range of losses — from plummeting online sales to data breach liabilities. Allianz is expected to bear the initial financial responsibility, with a £10 million payment anticipated. Other insurers, including Beazley, are also said to be exposed.

Data breach confirmation

In a message to customers, M&S said the stolen information “could include contact details, date of birth and online order history”, though it stressed that no payment details or account passwords had been compromised. The company is currently cooperating with law enforcement and national cybersecurity agencies.

The full extent of the financial damage remains unclear, but analysts estimate the retailer may have lost more than £60 million in online revenue alone during the disruption, based on average daily e-commerce figures. Additional sales losses have been linked to supply chain interruptions affecting food stock levels in physical stores.

M&S, Allianz, and Beazley all declined to comment to the FT on the ongoing insurance claim.

The cyberattack’s timing could not be more inopportune. The retailer is expected to deliver its annual earnings report next week, and the incident is widely expected to weigh on results. Last year, M&S reported adjusted pre-tax profits of £716 million — a figure now in jeopardy.

Remote work in the spotlight

As investigators continue to examine the breach, questions have arisen over whether remote access vulnerabilities may have facilitated the attack. During the early days of the crisis, M&S disabled VPN access for home-based employees and sent some agency staff home from a key distribution hub, signalling potential internal containment concerns.

Cybersecurity specialists believe the attackers, suspected to be from the group Scattered Spider, may have exploited weaknesses in decentralised IT environments — a growing concern as hybrid working becomes entrenched.

“In environments with remote endpoints, once an attacker infiltrates, they can spread rapidly if the proper controls aren’t in place,” said Paul Walker, a cybersecurity expert at Forscientia.

The attack reportedly targeted backend systems and may have involved the deployment of ransomware encryptors across virtual servers. Details remain limited, but investigators suggest the incursion may have begun weeks or even months before detection.

The cost of cyber resilience

The incident at M&S is among the most high-profile cyber breaches to hit a UK retailer and follows similar attacks on Co-op and Harrods. The Co-op has confirmed it is in a "recovery phase" and expects store stock levels to improve by the weekend.

Cyber insurance arranged for M&S by broker WTW is expected to respond fully to the loss, including both first-party and third-party liabilities, according to an FT senior market source. Coverage is likely to extend even if the breach originated via a third-party vendor — a frequent point of vulnerability in complex digital supply chains.

However, industry insiders caution that the cost of coverage is likely to rise. M&S currently pays under £5 million annually for its cyber policy, but that premium could double upon renewal unless the company demonstrates stronger risk controls, the same source said.

More broadly, the episode has revived debate over the adequacy of cybersecurity standards across the UK’s retail sector. A November report by broker Howden estimated that cyber incidents have cost UK businesses £44 billion in lost revenue over five years, with more than half reporting at least one breach.

A significant payout to M&S could provide a critical endorsement of cyber insurance as a safety net — and prompt more firms, particularly SMEs, to invest in cover.

Rebuilding trust

Beyond the technical and financial consequences, M&S must now manage the reputational fallout. Though the immediate risk to consumers may be limited, the erosion of trust in a brand long associated with reliability is no small matter.

The retailer has reported the breach to the Information Commissioner’s Office and is working alongside the National Cyber Security Centre. Private firms including Microsoft, CrowdStrike, and Fenix24 are assisting in the recovery process.

A crisis of coverage? UK firms still underinsured against cyber risk

The cyberattack on Marks & Spencer has prompted renewed scrutiny of cyber insurance practices across the United Kingdom, as industry data reveals most businesses remain ill-prepared for the financial fallout of such incidents.

According to the government’s Cyber Security Breaches Survey 2024, only 43 percent of UK businesses report having any form of cyber insurance. Within that group, just 8 percent hold dedicated cyber policies. The remainder rely on broader business insurance that may include some cyber elements. Among charities, coverage rates are even lower, with only 5 percent carrying standalone protection. These figures suggest that a significant portion of the UK economy is underinsured in the face of growing and complex cyber threats.

Even among medium and large organisations, which typically have greater resources, the numbers are patchy. Sixty-two percent of medium-sized firms report being insured against cyber risks, compared with 54 percent of large enterprises. Experts caution that larger firms, while often more confident in their internal defences, may still lack adequate coverage for major losses like those now confronting M&S.

The financial impact of an attack can be considerable. The survey reports an average total cost of £10,830 for the most disruptive cyber incident experienced by medium and large businesses in the past year. That figure rises sharply—to £40,400—when incidents involve actual financial or data losses. These numbers pale in comparison to the estimates facing M&S, which is said to have lost over £60 million in online sales alone, with further financial exposure looming through legal liabilities and reputational damage.

Despite this, fewer than a quarter of businesses have a formal incident response plan in place. Among large firms, that number improves to 73 percent, but less than half have developed external communications strategies to manage post-attack fallout. The lack of preparedness, analysts warn, could amplify the disruption and reputational harm that follow a breach.

Compounding the issue is the low uptake of government-backed risk frameworks. Just 3 percent of firms are certified under the Cyber Essentials scheme, a programme designed to improve organisational cyber hygiene and resilience.

With premiums likely to rise in the wake of the M&S incident and recent attacks on retailers including Harrods and the Co-op, cyber coverage may soon become more costly—yet also more essential. As regulators, insurers and companies reckon with an increasingly hostile digital environment, the question is no longer whether firms can afford to buy insurance, but whether they can afford not to.
