Marks and Spencer could claim for losses of as much as £100mn from its cyber insurers in the wake of a sustained hack that stole some customer data.
The UK retailer’s cyber policy allows it to claim up to £100mn, according to people familiar with the situation.
Allianz is the first insurer on the hook for M&S’s losses, the people added, and is expected to pay at least the initial £10mn. Cyber specialist Beazley is also among the insurers exposed to losses at the FTSE 100 retailer, according to the people familiar with the situation.
M&S admitted for the first time on Tuesday that some personal customer data was stolen as part of the cyber attack that has left the retailer unable to accept online orders for almost three weeks. The retailer told customers this “could include contact details, date of birth and online order history” but it “does not include usable card or payment details” or account passwords.
It was working with law enforcement and government agencies, the FTSE 100 group added.
The retailer will report its full-year results next week and is expected to update the market on the consequences of the hack.
The company may have lost revenues to date totalling more than £60mn, based on extrapolation of its average daily online sales. The attack on its systems also left M&S struggling to keep shelves stocked in some food stores, which has likely reduced sales further.
The retailer’s share price has fallen about 16 per cent since it disclosed the attack on April 22, wiping £1.3bn off its market capitalisation.
M&S, Beazley and Allianz all declined to comment.
M&S’s cyber insurance cover, arranged by London-headquartered WTW, was expected to pay out in full, a senior market participant said. He predicted this would be the case even if the breach were ultimately linked to a vulnerability with a third-party vendor to M&S. WTW declined to comment.
The policy would cover both first-party losses, such as lost sales and incident response costs, and third-party losses, such as legal liabilities related to the data breach, the person added.
M&S’s annual insurance premium, currently under £5mn, could as much as double when the policy is renewed, if the retailer does not demonstrate to insurers that it has improved its risk management practices, the person said.
After surging during the pandemic, cyber insurance premiums generally had come down in recent months. Insurers had begun to offer more generous coverage and more attractive terms, including response times falling from 12 to eight hours before coverage kicks in.
But UK retailers could face steeper prices for cyber cover following recent attacks, with online criminals also targeting Harrods and the Co-op.
A large payout for M&S could act as a “proof of concept” for cyber insurance, one London-based insurance expert said, encouraging more small and medium-sized businesses to buy cover.
Cyber attacks have cost UK businesses roughly £44bn in lost revenue over the past five years, according to a November report from broker Howden. Just over half of UK businesses faced at least one incident over that period, it said.