Cyber Monitoring Centre pegs M&S, Co-op economic losses at up to 440 million pounds

By Rebecca Delaney

June 23 - (The Insurer) - The recent cyberattacks on retailers Marks & Spencer and Co-op Group are expected to result in total economic losses of up to 440 million pounds ($589 million), the UK Cyber Monitoring Centre (CMC) has estimated.

The estimate marks the CMC's first live public assessment of a cyberattack affecting UK organisations since it formally launched in February.

The CMC was created to deliver a consistent, objective framework to assess the severity of major cyber events in the UK by categorising incidents on a simple classification scale from one (least severe) to five (most severe).

The cyberattacks on M&S and Co-op have been classed as a category two systemic event, based on the "substantial" financial impact and economic knock-on effects across third-party suppliers, franchisees and supporting services.

"Given that one threat actor claimed responsibility for both M&S and Co-op, the close timing, and the similar tactics, techniques, and procedures, CMC has assessed the incidents as a single combined cyber event," said the CMC.

"It has not included an incident affecting UK retailer Harrods at a similar time, or other retailers also reported to have been impacted in April and May, given the low level of information about the cause and impact."

The CMC has estimated that total economic losses from the event will range between 270 million pounds and 440 million pounds.

The estimate is primarily driven by business interruption (including lost sales), as well as data loss, costs for incident response and IT restoration, and legal and notification costs.

The CMC said that M&S's inability to facilitate online sales is estimated to have generated losses of just over 1.3 million pounds per day. It added that this is less than the total loss in turnover as it takes into account reductions in orders, stock that can be resold later and not having to pay other variable costs.

Fable Data showed a reduction in average daily spend of 22% during the period in which online shopping was unavailable, with in-store sales down almost 15%. For Co-op, Fable Data indicated an average decrease in daily spend of 11%.

The CMC's measure of financial impact does not include any liability payments or fines that may arise following the immediate 30-day period after the event.

"The impact from this event is 'narrow and deep', having significant implications for two companies, and knock-on effects for suppliers, partners, and service providers. This contrasts with a 'shallow and broad' event like last year’s CrowdStrike event, where a large number of businesses across the economy were affected but the impact to any one company was far smaller," the CMC explained.

The CMC concluded that the event underlines the importance of ensuring financial stability and flexibility to survive large-scale operational disruption, with retailers recommended to run stress tests and make ensure they have capital available or adequate insurance protection for recovery.