M&S attack proves public-private cyber risk pool is required
Editor’s View: The cyber attack against M&S shows insurance alone can’t swoop in to save the day when cyber criminals attack major retailers, so the government must partner with providers now to ensure national resilience, argues Emma Ann Hughes.
While the UK has seen a surge in ransomware strikes on critical infrastructure plus data breaches impacting millions in the last few years, it has been the problems faced by Marks & Spencer in recent months that truly brought home the perils posed by cyber criminals.
The M&S attack resulted in millions lost for the retailer plus mounting concern in my household about whether there will be sufficient supply of grey school trousers for my son’s ever lengthening legs this summer.
While past attacks and headlines about the National Library, NHS, etc, swiftly came and went, the saga with M&S has dragged on and on, with the impact clear for all to see.
M&S was hit by a cyber attack over the Easter weekend in April, which initially affected just its click-and-collect and contactless payments.
A few days later M&S put a banner on its website apologising that online ordering was not available.
It is only this week that shoppers were finally told they can go online to buy some clothing for home delivery in England, Scotland and Wales.
M&S stated on Tuesday (10 June) more fashion, beauty and homeware products will be available in the coming days, with click-and-collect plus delivery services due to return to Northern Ireland “in the coming weeks”.
The return of online shopping is a major milestone for the retailer.
M&S has estimated the cyber attack will hit profits by around £300m – roughly a third of its usual annual profit – with the losses only partly covered by an insurance pay-out.
Both Allianz and Beazley are reported to be M&S’s cyber insurers.
The fall-out from the M&S attack has shown attacks now span SMEs, public services and supply chains, with the financial and reputational impact being immense.
The incident has made clear how for smaller organisations, a successful attack can lead to insolvency, and for one of the largest British retail clothing and food companies like M&S, with one of the biggest named insurers in the world, it can still cost millions in response, recovery and lost trust.
M&S has laid bare how the cyber insurance market is under severe strain.
Unlike traditional insurance models based on years of past actuarial data, cyber risk is quick to change and hard to quantify.
Historical loss data is not necessarily a clear indicator of future claims pay-outs, plus cyber incidents can result in widespread, systemic losses.
While a fire or flood can result in a big bill to repair or replace a building plus contents, a single cyber event can hit multiple organisations that farm, manufacture, sell and distribute via a single retailer simultaneously.
As a result, many insurers limit coverage, and some major providers have pulled back and even exited the market altogether.
Ultimately, the hesitance of carriers and reinsurers reflects a broader market failure to address a systemic cyber risk that is different in scale and predictability from any other form of commercial insurance.
Step up
Rather than rattle their sabre at motor insurers, questioning why car insurance premiums went up and demanding cheaper cover, it is time for the Labour government to recognise cyber risk is not merely a commercial concern; it is a matter of national resilience.
Attacks on healthcare, transport, finance, and energy sectors can destabilise essential services, erode public trust, and impact national security.
Attacks on the likes of Marks & Spencer, Co-op, etc, can result in food rotting in fields, failing to make it to the shelves in time, pushing up food prices and ticking off voters keen to fill their tummies.
This reality calls for the kind of coordinated, government-supported response that Zurich and Marsh McLennan pointed out was needed late last year.
Much like Pool Re, the terrorism insurance scheme, and Flood Re, it is time to decide if cyber risk needs a public-private partnership model to remain insurable at scale.
Cyber Re would allow insurers to provide more comprehensive coverage without bearing the full burden of systemic losses.
Cyber Re would allow insurers to write broader policies with confidence that systemic losses would be partially covered by a national fund.
This type of initiative would reduce volatility in the insurance sector, keeping premiums manageable and availability consistent, plus allow more inclusive policies to be created for SMEs and critical sectors.
Cyber Re would also encourage collaboration between insurers, government agencies, and incident responders.
In addition to financial support, the government should also incentivise the uptake of cyber insurance through regulation and procurement by mandating certain security standards as a condition for coverage.
Cyber Re is required sooner rather than later as the UK cannot afford to treat cyber resilience as a siloed issue.
As digital interdependence grows, the potential for cascading failures across industries rises.
Cyber insurance is a critical component of managing this risk, but it cannot succeed without structural support. The market alone cannot bear the weight of national cyber resilience.
The Labour government must step up both to support insurers and to ensure that critical sectors remain operational in the face of digital threats.
A public-private partnership model is not just a solution; it is a necessity as my son’s legs are growing, and he needs new school trousers as soon as possible from M&S or his ankles will be getting sunburnt.
Copyright Infopro Digital Limited. All rights reserved.