Cyberattack on M&S: A Wake-Up Call for Businesses Everywhere

Posted in News & Views
Russell Sessions, Managing Director

In April 2025, British retail giant Marks & Spencer (M&S) became the latest high-profile victim of a sophisticated cyberattack—one that severely disrupted operations, compromised customer data, and served as a stark reminder of the urgent need for strong cybersecurity and comprehensive cyber insurance.
A Sophisticated Breach with Widespread Impact

The attack, attributed to the hacker collective Scattered Spider, began quietly over the Easter weekend. Exploiting social engineering techniques, the hackers gained access through a third-party contractor—bypassing M&S’s direct digital defenses. Once inside, they unleashed advanced ransomware that crippled automated stock systems and forced M&S to revert to manual operations.

The financial fallout has been significant. M&S projects a £300 million ($400 million) hit to its operating profit for the fiscal year. While payment data remained secure, personal customer information—including names, email addresses, and birth dates—was compromised. The disruption isn’t short-lived. Operations are expected to be affected well into July.

Cyber Insurance: A Critical Safety Net

In the wake of the attack, M&S has turned to its cyber insurance policy to cushion the financial blow. The company estimates that insurance (led by Allianz, with additional support from Beazley plc and others), along with internal cost-saving measures, will offset about half of the expected loss.

This situation highlights the growing importance of cyber insurance in the face of evolving digital threats. Notably, similar attacks on Harrods and the Co-Op revealed a concerning oversight: neither had ransomware coverage. The contrast is telling—insurance can make a substantial difference in a business’s ability to recover from a major cyber incident.

Key Takeaways for Business Leaders

The M&S breach offers a critical learning opportunity for companies of all sizes. Here are four key lessons:
  • Third-Party Risk is Real: A breach through a contractor is a stark reminder that your cybersecurity is only as strong as your weakest partner.
  • Human Error is a Gateway: Social engineering tactics target people, not systems. Regular staff training is essential.
  • Preparedness Reduces Impact: A well-practiced incident response plan can make all the difference in minimizing operational disruption.
  • Insurance Is Non-Negotiable: Cyber insurance isn’t just a safety net - it’s a fundamental component of modern risk management.
The Bigger Picture: Cybersecurity as a Strategic Imperative

What happened to M&S is not an isolated incident - it’s part of a broader, growing threat landscape. As cyberattacks become more frequent and more sophisticated, businesses must rethink their approach to risk.

Cybersecurity isn’t just an IT issue - it’s a board-level priority. Likewise, cyber insurance is no longer a “nice to have”; it’s a vital tool to protect operational continuity, customer trust, and long-term brand reputation.

The failures of other retailers to adopt appropriate cyber insurance highlight a worrying trend: a lack of understanding or, worse, a resistance to evolve with the times. In today’s digital-first economy, that’s a risk no business can afford.

Final Thought

The M&S cyberattack is a cautionary tale, but also a call to action. Businesses must invest in security, educate their people, and ensure they have both preventative and responsive tools in place. Because when, not if, a cyber incident occurs, preparedness will define whether a business weathers the storm or becomes its next casualty.

If you’d like to discuss cyber with our insurance experts, please get in touch.

Russell Sessions
russell@vibl.co.uk
07725 854 230