Recent cyber attacks and hacking incidents targeting a number of UK retailers could mean the sector will have to pay more in cyber insurance cover in the future, experts have said.

Marks & Spencer, Co-op and Harrods are some of the high street giants recently targeted by cyber criminals, leading to disruption to operations, drop in sales and overall loses. M&S has now accepted that certain personal customer data has been stolen during the cyber attacks, including telephone numbers, home addresses, dates of birth and online order history. But the retailer has insisted that no useable payment or card details, or any account passwords were stolen during the recent incident.

Co-op has also written to its member-owners informing them that “cyber criminals were able to access a limited amount of member data.” But the retailer has said it cannot provide further details on the exact nature of the data that was breached.

Harrods said: “Our seasoned IT security team immediately took proactive steps to keep systems safe” after “experiencing attempts to gain unauthorised access to some of our systems.”

Wave of attacks

Experts have now told the FT the recent wave of attacks and breaches in cyber security could mean retailers will face 10% increases in their cyber insurance covers.

Dan Leahy, head of cyber at broker BMS, told the paper, “We expect this will drive underwriters to increase scrutiny on cyber security controls, raise rates and, for some insurers, reconsider whether to write cyber insurance for retail business.”

This is bad news for the industry, who had seen a drop in rates for cyber insurance covers in recent years as providers competed to offer cheaper premiums, the FT has said.

Nick Barker, head of cyber at broker Gallagher, told the FT it was still comparatively affordable to buy cyber insurance cover, and that retailers should act while it’s still a buyer’s market. A renewal of premiums in 2026 could see prices go up considerably, especially for the retailer industry, Barker said.

Losses to both sides

While insurers will have to wait until renewal dates next year before they can increase prices for their coverage, some of them will face hefty payouts to clients straight away after the recent cyber attacks. The likes of Allianz and Beazly are directly exposed to losses after recent attacks on M&S, people familiar with the matter have told the FT.

According to the sources, the total cyber payout for M&S could be as much as up to £100m ($132m), and Allianz could face an initial payout of around £10m ($13m).

The retailer is yet to give a final figure on its own losses from the hacks, but both online and in-store sales were affected during the incident and it will certainly have an impact. According to the FT, total losses for M&s could be up to £600m ($797m). This is on top of a 16% drop in the value of shares, with a total of £1.3 billion ($1.7 billion) wiped off the retailer’s market value already.

M&S chief executive Stuart Machin said the retailer had written to customers and ensured that that the stolen information has not been shared. However, there is still a possibility that the hacked personal customer data could be sold or shared to extort M&S in the future, according to the BBC.

The latest hacking incidents targeting UK retailers coincide with a publication of a report by the country’s National Cyber Security Centre (NCSC) on the scope and nature of cyber threats over the next two years.

The report warns that: “Artificial intelligence (AI) will almost certainly continue to make elements of cyber intrusion operations more effective and efficient, leading to an increase in frequency and intensity of cyber threats.”

And whilst the UK insurance market recovers from the shock, there has been better news as the country’s financial watchdog the FCA published proposals aimed at simplifying commercial insurance rules.

The regulator has said the proposals could reduce costs for businesses and consumers, provide wider access and, at the same time, ensure appropriate protection against financial risk.