M&S Will Claim £100m From Its Cyber Insurers

Marks & Spencer (M&S) is preparing to make one of the largest cyber insurance claims ever seen in the UK after confirming that personal customer information was compromised during a major cyber attack over Easter 2025, an attack that has disrupted its online operations for weeks.

M&S admitted for the first time on Tuesday 13th May 2025 that some customers' personal data was stolen as part of the ransom attack, which has left the retailer unable to accept online orders.

The retailer has told customers this could include contact details, dates of birth and online order history, but not usable card or payment details or account passwords.

M&S is due to report its full-year results soon and will update the market on the effects of the attack. So far the retailer's share price has fallen around 16 per cent since it disclosed the attack on April 22, knocking £1.3bn off its market capitalisation.

Allianz is the principal insurer liable for M&S's losses and is expected to pay at least the initial £10 million, while the cyber insurance specialist Beazley is also among the insurers exposed to losses.

The Co-op and Harrods have also been hit by recent cyber attacks, and the Co-op has said that it is still in recovery after taking action to bring its systems back online. These attacks are attributed to a collective of English-speaking hackers known as Scattered Spider, who specialise in social engineering techniques. One such technique used by Scattered Spider is 'MFA fatigue', and it helps explain why they are a uniquely dangerous group.

In an MFA fatigue attack (also called push bombing), an attacker who already holds a user's password repeatedly triggers sign-in attempts, flooding the user's phone with push-notification MFA prompts until they approve one out of confusion or exasperation. A single tap on Approve hands the attacker an authenticated session, so the second factor is defeated without any technical exploit. The attack depends on a one-tap approve/deny prompt: number-matching prompts, where the user must type a code shown on the login screen the attacker is sitting at, and phishing-resistant authenticators such as FIDO2 security keys remove the blind approval it relies on.
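The pattern described above is detectable in identity-provider logs: a burst of push prompts to one user in a short window, followed by an approval. The following is an added example, not code from the article, from M&S or from any vendor mentioned here. The JSON-lines log format, its field names (`ts`, `user`, `event`, `src_ip`) and the `push.*` event names are assumptions constructed for the example; Okta, Entra ID and Duo each have their own schemas, so the parser would need adapting to a real feed. The sample log is constructed: "alice" is a normal login and "bob" is being push-bombed from a single address before finally approving.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical JSON-lines schema (field and event
# names are assumptions, not any real IdP's format).
SAMPLE_LOG = """\
{"ts":"2025-04-18T08:00:00Z","user":"alice","event":"push.sent","src_ip":"192.0.2.10"}
{"ts":"2025-04-18T08:00:12Z","user":"alice","event":"push.approved","src_ip":"192.0.2.10"}
{"ts":"2025-04-18T02:10:05Z","user":"bob","event":"push.sent","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:10:40Z","user":"bob","event":"push.denied","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:11:02Z","user":"bob","event":"push.sent","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:11:50Z","user":"bob","event":"push.timeout","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:12:15Z","user":"bob","event":"push.sent","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:12:44Z","user":"bob","event":"push.denied","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:13:01Z","user":"bob","event":"push.sent","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:13:30Z","user":"bob","event":"push.timeout","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:13:58Z","user":"bob","event":"push.sent","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:14:20Z","user":"bob","event":"push.denied","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:14:41Z","user":"bob","event":"push.sent","src_ip":"198.51.100.23"}
{"ts":"2025-04-18T02:15:02Z","user":"bob","event":"push.approved","src_ip":"198.51.100.23"}
"""

BURST_THRESHOLD = 5            # push prompts to one user inside the window
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse JSON lines into event dicts, 'ts' becoming a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Sliding-window detector.

    Emits a 'push_burst' alert the first time a user receives >= threshold
    prompts within the window, and an 'approval_after_burst' alert if that
    user then approves a prompt: the attacker now holds a live session.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent push.sent events
    in_burst = set()              # users currently flagged
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "push.sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:      # drop prompts older than the window
                q.popleft()
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"kind": "push_burst", "user": user, "prompts": len(q),
                               "first": q[0], "last": ts, "src_ip": ev.get("src_ip")})
        elif ev["event"] == "push.approved" and user in in_burst:
            alerts.append({"kind": "approval_after_burst", "user": user, "ts": ts,
                           "src_ip": ev.get("src_ip")})
            in_burst.discard(user)         # reset so a later burst is re-alerted
            recent[user].clear()
    return alerts


def run_detection(text=SAMPLE_LOG):
    """Convenience wrapper: parse the sample log and run the detector."""
    return detect_push_fatigue(parse_log(text))


if __name__ == "__main__":
    for alert in run_detection():
        print(alert)
```

On the constructed sample this raises two alerts for "bob" (a burst of five prompts starting 02:10:05, then the approval at 02:15:02) and nothing for "alice". The `approval_after_burst` alert is the one to page on: the response is to revoke the user's sessions and reset the credential, not just to notify. The threshold and window are starting points to tune against your own baseline, and correlating the burst with the source IP and its geolocation sharpens the signal further.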

In expert comment, Rex Booth, who is CISO at SailPoint, said “Scattered Spider is a loosely affiliated group of cyber criminals based primarily in English speaking countries. They’re responsible for numerous high-profile attacks, including the MGM/Caesars compromise in 2023 which netted them a $15 million ransom payment.
  
“They’re uniquely dangerous because much of the West is accustomed to this image of cyber criminals from Eastern Europe and Asia. Because most of Scattered Spider are native English speakers, they’re able to execute social engineering attacks without raising concerns as readily. It makes them very effective at exploiting the human side of cybersecurity." Booth concludes.   

Concerning M&S' insurance claim, Adam Casey, Director of Cybersecurity & CISO at Qodea, commented “While a big cyber payout might not trigger an immediate hike in premiums across the board, it’ll likely contribute to an upward trend. This disruptive attack - and any resulting payout - will be a major data point used by insurers in future underwritings..."

“As non-payment of ransoms becomes a more common policy as well, insurers are going to see bigger costs from breach recovery and business interruption. All this will combine to push premiums up.

“Cyber insurance is a good safety net, but it isn’t a panacea replacing the need for solid cyber defences. Insurance absorbs some of the financial shock from lost sales, but what it can’t restore is the erosion of customer trust, reputational damage and damage from regulatory fines that can come from a significant attack."

“This underscores the critical importance of comprehensive risk assessments, Business Impact Analyses (BIAs), properly tested Business Continuity and Disaster Recovery (BCDR) and Incident Response plans.

“A claim of this scale will attract intense scrutiny from insurers. Claims handlers are going to focus on whether every required security control was active, how end-of-life systems were managed, and the level of cyber training given to staff. Any hint of non-compliance or negligence could slash the payout, or see it denied altogether.

“These recent retail attacks are a clear sign that cyber risks are intensifying, and organisations still have weaknesses in their armour. Cyber insurers will be stricter with their cover, and organisations need to make themselves as insurable as possible. Cybersecurity measures like penetration testing, 24/7 threat monitoring and incident response measures, combined with adherence to frameworks like the NCSC Cyber Assessment Framework, are great ways to make this happen.” Casey concludes.

Cyber attacks have cost UK businesses an estimated £44m in lost revenue over the past five years with over 50% of UK firms experiencing at least one attack during that period.

Insurance Business   |  FT   |  The Times   |  City AM  |  Prolific North  |   Business Live 

Image: Ideogram
