
By Rebecca Delaney
May 12 - (The Insurer) - Recent cyberattacks on UK retailers may lead to rate increases for the sector at the July renewals, with the incidents highlighting the need for companies to expand cyber exposure analysis to operational risks, said BMS' Monica Tigleanu.
Marks and Spencer (M&S) disclosed a cyber incident on April 22, with the knock-on effects leading the UK retailer to cancel online orders and suspend recruitment as employees were ordered to work on personal devices.
The Co-op Group issued an apology on May 2 after it disclosed that hackers had accessed a "significant number" of members' contact data. The previous day, luxury brand Harrods restricted on-site internet access after an attempt to infiltrate its systems.
Tigleanu, cyber strategy director at BMS, told Cyber Risk Insurer that the incidents are likely to lead to rate increases for the retail sector, particularly if portfolio losses are higher than expected.
"Rate increases are to be expected now for the retail sector and capacity management in respect of accumulation by insured, industry sector and geography," she said.
"We should expect anywhere from 10% to 20% depending on the quality of the risk management in place for the retailer."
Tigleanu added that while there may be scrutiny on wordings, sophisticated buyers will consider an increase in premium to be a better trade-off than retracted coverage.
"Given the competitive landscape in the cyber market, restrictive coverage is not going to educate the client about their exposure or improve the reputation of the cyber market, therefore insurers should focus on better understanding the risk and pricing rather than limiting coverage," she said.
Companies with larger balance sheets – such as those affected in the recent events – will be increasingly expected to carry out business impact analysis and risk quantification exercises to understand the incident scenarios in which they can still operate.
However, Tigleanu noted that, to date, the focus of exposure analysis for cyber has been on privacy risk, rather than the operational risk that encompasses business interruption (BI) losses.
"As an industry, we should continue to challenge organisations to improve their cyber risk management and recognise it as a business risk. We are not spending enough time on exposure analysis to help businesses understand their worst-case scenarios for BI losses, what constitutes a realistic scenario, and how to determine an appropriate sum insured – just as the property market does."
This is compounded by the fact that BI is still seen as an optional coverage for retail companies, Tigleanu said, which demonstrates a lack of understanding around exposure and what elements of their exposure can be insurable in the traditional insurance market versus via parametric solutions.
For companies that do have BI cover, the standard waiting period is usually 12 to 24 hours – which would have been well eroded for some of the recent events, Kelly Nuttall, head of cyber incident management at Marsh, told Cyber Risk Insurer.
"We've seen M&S come out publicly to say that they are suffering from significant BI losses on a daily basis and that is ongoing. I would expect a cyber insurance policy to be picking up those losses," said Nuttall.
Ransomware incidents will typically trigger the incident response element of a cyber insurance policy, which provides cover for first-party costs from an insurance vendor panel, such as legal advisers, digital forensics, PR and crisis communications experts, and ransomware negotiators.
"Ransomware negotiators are often one of the core vendors that will be brought in off the back of these sort of events to support the client to investigate which threat actor they are dealing with, whether it's a legitimate threat, whether the data that has allegedly been stolen is legitimate or not, and whether it would be a feasible option to make a ransom payment or not," Nuttall continued.
"There's an awful lot of work that would be going on in the background to support a client during that first 48 to 72 hour window and beyond in terms of incident response that we would expect the cyber insurance to provide coverage for."
EVER-EVOLVING CYBER THREAT LANDSCAPE
Beyond the potential impact on the insurance market, the recent cyberattacks on UK retailers highlight the rapidly changing cyber threat landscape.
The attack on M&S has been linked to the Scattered Spider hacking collective, which gained notoriety in 2023 after it claimed responsibility for ransomware attacks on casino operators Caesars Entertainment and MGM Resorts.
"What makes them interesting and notable is that they have English-speaking operatives, typically residing in the U.S. and UK. That enables them to conduct really highly sophisticated social media-led phishing campaigns," said Nuttall.
A report by BleepingComputer said that the cyberattacks on M&S and Co-op Group were instigated by hackers impersonating employees to contact IT help desks to reset passwords.
"It means they can reset credentials but also get around multi-factor authentication (MFA), which is obviously one of the core cybersecurity controls that it is recommended are in place. It certainly is a sophisticated and coordinated campaign," Nuttall said.
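As an added illustration (not from the article, BleepingComputer, or any of the firms quoted), the following Python script shows the kind of check a security team can run over identity logs for the pattern described above: a help-desk-assisted password reset followed within a short window by an MFA factor reset or re-enrolment on the same account. The log format, field names, channel values and sample events are all assumptions constructed for this example; real identity providers expose equivalent events under their own names.

```python
"""Correlate help-desk-assisted password resets with subsequent MFA changes.

Assumed event shape (constructed for this example, not any vendor's format):
  ts      ISO 8601 timestamp
  actor   account that performed the action
  target  account the action was applied to
  action  password_reset | mfa_factor_reset | mfa_enroll | ...
  channel phone | chat | ticket | self_service
"""
from datetime import datetime, timedelta

# Constructed sample events. j.doe shows the suspicious chain (help desk resets
# the password, then the MFA factor, minutes apart). a.smith has an assisted
# reset but re-enrols MFA two days later. b.lee does everything self-service.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:02:11Z", "actor": "helpdesk.agent7", "target": "j.doe",
     "action": "password_reset", "channel": "phone"},
    {"ts": "2025-05-01T09:05:40Z", "actor": "helpdesk.agent7", "target": "j.doe",
     "action": "mfa_factor_reset", "channel": "phone"},
    {"ts": "2025-05-01T09:07:02Z", "actor": "j.doe", "target": "j.doe",
     "action": "mfa_enroll", "channel": "self_service"},
    {"ts": "2025-05-01T10:15:00Z", "actor": "helpdesk.agent2", "target": "a.smith",
     "action": "password_reset", "channel": "phone"},
    {"ts": "2025-05-03T08:00:00Z", "actor": "a.smith", "target": "a.smith",
     "action": "mfa_enroll", "channel": "self_service"},
    {"ts": "2025-05-01T11:00:00Z", "actor": "b.lee", "target": "b.lee",
     "action": "password_reset", "channel": "self_service"},
    {"ts": "2025-05-01T11:01:00Z", "actor": "b.lee", "target": "b.lee",
     "action": "mfa_enroll", "channel": "self_service"},
]

# Channels through which a caller can have someone else reset their credentials.
ASSISTED_CHANNELS = {"phone", "chat", "ticket"}
# Actions that replace or add an MFA factor, i.e. weaken the second factor.
MFA_CHANGE_ACTIONS = {"mfa_factor_reset", "mfa_enroll"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_assisted_reset_chains(events, window_hours=24):
    """Return one finding per assisted password reset that is followed,
    within window_hours, by an MFA change on the same target account."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["target"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, ev in enumerate(evs):
            if ev["action"] != "password_reset":
                continue
            # Self-service resets are the normal path; the pattern of interest
            # is a reset performed by someone else via an assisted channel.
            if ev["actor"] == user or ev["channel"] not in ASSISTED_CHANNELS:
                continue
            t0 = parse_ts(ev["ts"])
            deadline = t0 + timedelta(hours=window_hours)
            for later in evs[i + 1:]:
                t1 = parse_ts(later["ts"])
                if t1 > deadline:
                    break
                if later["action"] in MFA_CHANGE_ACTIONS:
                    # The help desk resetting the factor itself is the strongest
                    # signal; the user re-enrolling afterwards is weaker but
                    # still worth a look.
                    severity = "high" if later["actor"] != user else "medium"
                    findings.append({
                        "user": user,
                        "reset_ts": ev["ts"],
                        "reset_by": ev["actor"],
                        "mfa_action": later["action"],
                        "mfa_ts": later["ts"],
                        "mfa_by": later["actor"],
                        "minutes_between": round((t1 - t0).total_seconds() / 60, 1),
                        "severity": severity,
                    })
                    break
    return findings


if __name__ == "__main__":
    for f in find_assisted_reset_chains(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']}: password reset by {f['reset_by']} "
              f"then {f['mfa_action']} by {f['mfa_by']} "
              f"{f['minutes_between']} min later")
```

The window is deliberately a parameter: with the default 24 hours only j.doe is reported, while widening it to 72 hours also surfaces a.smith at a lower severity. Tuning that value against the organisation's own help-desk volume is what keeps the check useful rather than noisy.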
Si West, director of customer engagement at Resilience, added that the attack on M&S underscores a growing trend of sophisticated socially engineered intrusions targeting well-known brands.
"What makes this incident particularly concerning is the group’s use of advanced tactics like SIM swapping and MFA bypass – techniques once considered niche but now increasingly mainstream among cyber threat actors," he said.
"From a risk management standpoint, this attack is a stark reminder that technical defences alone are insufficient. Organisations must embed cybersecurity resilience into their broader enterprise risk frameworks."