Image: British pound notes (Christopher Bill / Unsplash)

British retailer M&S reportedly set to claim £100 million from insurers after cyberattack

Marks & Spencer (M&S) may reportedly file an insurance claim of up to £100 million ($133 million) as a result of last month’s cyberattack — a testament to the dramatic disruption an incident can have.

The company, a constituent of the FTSE 100 Index, first announced it was managing a cyber incident following the Easter weekend in April. Its app and online shopping are still unavailable, customers have been warned their data may have been compromised, and shelves at stores are sporadically empty due to stocking challenges.

As first reported by the Financial Times newspaper, the attack driving the insurance claim may have cost M&S more than £60 million (about $79.7 million) to date based just on the loss of its daily online sales. The company’s insurance policy reportedly allows it to claim up to £100 million. M&S shares rose more than 2.4% following the news of the potential insurance claim.

“Cyber insurance policies don’t just cover the costs of bringing in incident responders or third-party liabilities, but also the policy holder’s loss of gross profit due to an insured event,” explained Craig Dunn, the head of underwriting at insurance and cybersecurity firm Stoïk.

Gross profit here means revenue minus the variable costs that are avoided during a system outage. Employee costs, for example, are still incurred and so are largely covered, whereas the cost of producing clothing or a packet of biscuits is not, because those goods can still be sold at a later date. According to its annual report for last year, the company had a gross profit of over £4.5 billion (more than $5.9 billion), Dunn said.

Assuming stores are open 357 days a year — excluding the eight bank holidays in the United Kingdom — Dunn estimated daily gross profit at about £12.8 million (more than $17 million).  

“Thus if they sold nothing for an eight day period, they could lose in excess of £100 million [$132.9 million],” he said.

“In this case, since they haven’t suffered a complete outage, let’s assume they’ve had 25% less revenue per day than normal. This would equate to a lost gross profit per day of £3.2 million [$4.25 million].”

M&S first reported problems over the holiday weekend. Although the estimate can’t account for seasonality or the true impact the incident has had on the company’s sales, assuming a 25% drop over the 24 days since Easter Sunday, M&S could have lost more than £76 million ($101 million) in gross profit.

“What is surprising here is typically insurers will want companies of M&S’ size to have tested business continuity plans that cover events like ransomware attacks,” Dunn said.

“It goes without saying that whatever continuity plan M&S may have had does not seem to have worked, which brings into question the robustness of this plan and whether it was tested. If it turns out that insurers did ask them if they had a tested continuity plan that covered their entire organisation, and what they told their insurers was different from reality, this could lead to at least part of the claim being denied.”

M&S and Allianz, one of the company’s insurers, declined to comment. 

The nature of the attack on M&S has not yet been confirmed. It occurred shortly before similar incidents affecting British retail group the Co-op and the luxury store Harrods in London.

All three attacks have been claimed by the DragonForce ransomware group, but such groups are known to make false claims and there has been no independent confirmation of the nature of the attacks.

Britain’s National Cyber Security Centre (NCSC) said it is “not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all.” 

“We are working with the victims and law enforcement colleagues to ascertain that,” they said.

If the incidents are ransomware attacks, both the British and U.S. governments have been outspoken in their desire that the insurance industry not fund extortion payments, although doing so is not illegal.

British officials have hoped to engage with the industry to try to drive better security outcomes, including by reviewing alternatives to paying.

Edward Lewis, the chief executive at cyber consultancy CyExcel, told Recorded Future News that insurance “undoubtedly has a significant role to play in helping organisations prepare for and recover from cyberattacks, but any government policy that focuses only on insurance to drive security outcomes, and not on close regulation of cyber practices in critical organisations, requires a rethink.”

Lewis stressed that “simply having an insurance policy will not prevent attacks” and noted “some ransomware perpetrators have been known to deliberately target well-insured companies in the hope of a greater chance of a payout.”

“This attack — and attacks on others in the retail sector leaving remote conurbations without access to food — and recent attacks on critical health organisations, shines a bright light on the need for government policies to robustly focus on preventative, not reactive, measures,” he said.

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.