The recent ransomware attack on Marks & Spencer (M&S) has sent shockwaves through the UK retail sector. As one of the country’s oldest and most trusted retailers, M&S found itself forced to halt online orders, grapple with empty shelves, and suspend recruitment, all while facing millions in lost sales and a bruised reputation. The incident is a stark reminder: cyber threats are not just a problem for big business. Every retailer, regardless of size, is at risk.
What’s happening at M&S?
The incident began to impact M&S systems around the Easter weekend (April 19–22, 2025), with the company publicly acknowledging the breach on April 21. The attack has been identified as a ransomware event, in which malicious software encrypted critical company data and systems, effectively locking M&S out until a ransom is paid. The hacking group "Scattered Spider," believed to be composed of teenagers and young adults from the UK and US, has been widely linked to the breach. Reports suggest the attackers may have gained access as early as February and stole the Active Directory database (the NTDS.dit file), which holds the hashed credentials of every domain user; those credentials enabled them to move laterally within M&S’s systems before deploying ransomware.
What’s the operational impact?
- Online orders for clothing, beauty, and home products were suspended for at least five days and remain disrupted, with the M&S website and app unable to process new orders.
- Contactless payments and Click & Collect services were affected, causing inconvenience for customers.
- Some physical stores have experienced empty shelves and “pockets of limited availability” due to disruptions in stock deliveries and logistics.
- Hundreds of agency workers at main distribution centres were told to stay home, and remote staff were locked out of internal systems as a security measure.
- Recruitment and onboarding of new workers have been paused, and job listings were temporarily removed from the M&S website.
What's the financial and reputational impact so far?
- The company’s share price dropped by 6.5–7.2%, wiping out over half a billion pounds in market value.
- Daily revenue losses from suspended online sales were estimated at around £3.8 million, with total market capitalization dropping by more than £500 million.
- The crisis has raised concerns about customer loyalty and long-term reputational harm, especially if sensitive customer data is found to have been compromised.
Why smaller retailers should take note
If a giant like M&S can be brought to its knees by a cyberattack, smaller retailers, often with fewer resources and less robust security, are even more vulnerable.
Senior figures and IT experts will be under enormous pressure to work around the clock to restore functionality. Bringing systems back online is only the first step: they will then need to be tested, and parts of the estate will have to be reinstated, patched and potentially upgraded, all while the business tries to keep trading.
Cybercriminals will also be watching the recovery effort closely. Rebuilding infrastructure and preventing further damage takes time, and the last thing M&S needs is a follow-on attack as soon as systems are restored.
Questions could also be raised as to whether the board and senior figures have been negligent in their approach to cyber risk. The drop in share value isn’t covered under a standard cyber policy, but if an investor or shareholder can prove negligence by the board, then D&O and cyber liability cover both play a crucial role in risk management and business continuity.
Why cyber insurance plays a crucial role in business continuity
Cyber insurance provides a comprehensive suite of coverages, including preventative services that address operational impact before it happens, and gives retailers cover for worst-case scenarios, including:
Incident response & crisis management
If a cyber event occurs (such as ransomware, data breach, or business interruption):
- Incident response costs: including costs to access a 24/7 incident response line, engage with claims managers, receive threat intelligence, and obtain remote support to manage the incident
- Legal & regulatory costs: Covers legal advice, drafting and sending breach notifications, regulatory notifications, and defending regulatory actions
- IT security & forensics: Pays for external IT consultants to investigate, contain, and remediate the attack, including malware removal and forensic analysis
- Crisis communications: Covers hiring crisis communication consultants, media relations, and reputational management
- Privacy breach management: Covers notification costs, credit monitoring for affected individuals, call centre setup, and translation services
- Third party breach costs: If you are contractually required to indemnify third parties, their notification and support costs are covered
- Post-breach remediation: Pays for risk assessments, gap analysis, policy development, and staff training to prevent recurrence.
Ransomware & extortion
- Ransom payments & negotiation costs: The policy covers ransom payments (including costs to obtain cryptocurrency), negotiation expenses, and costs to respond to extortion demands arising from ransomware or threats to release data or disrupt operations.
System damage & business interruption
- System rectification: Covers costs to rebuild data, restore systems, and hire specialists to recover from the attack
- Hardware replacement: Pays for replacing hardware rendered unusable by the attack, if more cost-effective than repair
- Income loss & increased costs: Covers lost income and extra costs of working due to business interruption (e.g., website downtime, suspended online sales, additional staffing) if downtime exceeds the policy’s time franchise
- Emergency operational continuity: Covers extra costs to source products/services elsewhere, hire temporary staff, or employ consultants to keep the business running during the incident
- Voluntary/regulatory shutdown: Covers losses if systems are taken offline voluntarily or by regulatory order to contain the incident
- Consequential reputational harm: Covers income loss from loss of customers due to reputational damage following the event
- Dependent business interruption: Covers losses from outages at supply chain partners if caused by a cyber event.
Liability & regulatory fines
- Network security & privacy liability: Covers legal liabilities for failing to prevent malware transmission, data breaches, or unauthorized access (Insuring Clause 5, Sections A and B)
- Management liability: Covers claims against board members or executives arising from the event (Section C)
- Regulatory fines & PCI penalties: Pays regulatory fines/penalties and card scheme assessments, where legally insurable.
Other relevant coverages
- Cyber crime: Covers losses from funds transfer fraud, invoice manipulation, vendor fraud, and theft of funds or identity
- Media liability: Covers defamation or IP claims arising from media content.
Claims process & limits
- Notification: Prompt notification to the insurer is required; some policies now cover costs incurred in the first 72 hours even before formal consent is given, subject to conditions
- Limits & deductibles: Policy limits apply per claim/event, and some insurers offer a nil deductible for the initial incident response
- Exclusions: Notable exclusions include known events prior to policy inception, willful acts, war/cyberwar, and uninsurable fines.
How Clear Insurance Management can help retailers
At Clear Insurance Management, we understand the unique challenges facing retailers. Our services include:
- Access to a panel of cyber security specialists to provide in-depth cyber security risk assessments at discounted rates
- Cyber attack simulation: We’ll help you identify vulnerabilities in your systems with real-world attack scenarios, so you can fix weaknesses before criminals exploit them
- Policy review: Our specialists will assess your current insurance program to identify any gaps, ensuring you have the comprehensive cover you need if the worst happens
- Tailored solutions: We work with retailers of all sizes to provide cyber liability insurance and business continuity planning that fits your business, not a one-size-fits-all approach
- Market access and relationships with over 40 cyber specialist markets.
Final thought
The M&S cyberattack is a wake-up call for the entire retail sector. Don’t wait for a crisis to test your defenses. Invest in cyber insurance, develop a robust business continuity plan, and let Clear Insurance Management help you safeguard your business for the future.
Contact us today for a cyber attack simulation and a free policy review, because in today’s digital world, resilience is your best defence.
Data sources
1. Charles Russell Speechlys – Overview of the M&S cyber incident, its impact on online services, and the broader context of cyber threats in retail.
2. Consumer Voice UK – Details on how the attack affected customers, including disruptions to contactless payments, Click & Collect, online orders, and advice for affected customers.
3. BBC News – Analysis of the operational and financial impact, including millions lost in revenue, stock value decline, and the complexity of resolving such incidents.
4. ITV News – New details on the cyberattack’s disruption to loyalty cards, scanners, and internal apps, and the response from MPs seeking reassurance on sector-wide cyber resilience.
5. BBC UK – Lessons from other ransomware attacks, limited official statements from M&S, and employee accounts of internal disruption and manual workarounds.
6. Reuters – Confirmation of food shortages in some stores, the suspension of online orders, and the financial implications, including share price movement and analyst commentary.
7. Reuters (Warehouse Impact) – Information about agency staff at distribution centres being told to stay home, the scale of online sales at M&S, and expert analysis suggesting a ransomware attack.
8. BBC News (Scattered Spider) – Reports linking the attack to the Scattered Spider group, discussion of customer data safety, and advice on password changes.
9. M&S Corporate Press Release – Official company updates about the cyber incident and affected services.
10. M&S Corporate Press Release (Further Update) – Additional official updates on the company’s response and service suspensions.