UK retail attacks are ‘wake-up call’ for insurers to tackle low SME take-up

By Rebecca Delaney

July 11 - (The Insurer) - Cyber insurers must seize the opportunity to improve take-up among UK small and medium enterprises (SMEs) after the 'wake-up call' from recent cyberattacks on major retailers, industry commentators told The Insurer.

UK retailer Marks & Spencer disclosed a cyber incident on April 22, followed by a Co-op Group apology on May 2 after it disclosed that hackers had accessed a “significant number” of members’ contact data.

A further statement from M&S on May 13 also disclosed that some personal customer data had been compromised.

Andy Holmes, group capacity director at CFC, told Cyber Risk Insurer that the cyberattacks underline the need to pivot the market away from communicating cyber insurance as a niche, specialist product.

“Until now, the cyber market has very much seen themselves as a niche market, but more importantly, talked as if they're a niche market,” he said.

“When I hear insurance people talking about cyber, they're still using the language not just of the insurance market but of the cyber market. They can't translate enough when they're talking to the wider market about their product. It is incumbent on the cyber market to unwind their specialisms and talk in generalisms.”

This is particularly relevant for SMEs, with market penetration of SME commercial customers estimated at around just 10% in the UK.

“While the cyber insurance market premium grew a hell of a lot during the hard market, that masked that the underlying customer numbers, the underlying penetration of the product into the population of SME buyers, did not increase,” said Holmes.

Overly technical language and limited take-up among SMEs prevents cyber insurers from adequately fulfilling their societal purpose to protect organisations across all sizes, sectors and geographies from modern forms of crime, Holmes argued.

“If we talk in generalist terms, not only will more revenue come into the insurance market, but we will actually be fulfilling the public service of protecting UK SMEs that we really should be as an industry,” said Holmes.

“At some point, if these attacks become prevalent, there will be a government backstop. That, frankly, will be an indicator of failure on behalf of the cyber insurance market. To me, that should be a wake-up call for the cyber insurance market. We have a window of opportunity to get this product to the mass market, or the government will step in.”

Another point of concern that has arisen from the retail cyberattacks is potential underinsurance in the large corporate segment, particularly for business interruption (BI). M&S cancelled online orders for 46 days, with click-and-collect services remaining temporarily paused.

On May 21, an M&S update estimated the cyberattack’s impact on group operating profit at around 300 million pounds for 2025/26, which it said “will be reduced through management of costs, insurance and other trading actions”.

Speaking to a parliamentary committee on Tuesday, M&S chairman Archie Norman said the company expects it will take up to 18 months to receive insurance recoveries.

“If we've seen anything from recent attacks, it's how the scale can mount up in such a short space of time,” Holmes said.

He continued that as the cyber market has softened and reached an equilibrium of pricing adequacy, more limit is now available.

“I do think it's incumbent on cyber insurers and brokers to use some of the more recent examples to model the potential BI implications better, and get some of these larger companies buying appropriate limits for the exposures they face,” he said.

“I don't think it shines a great light on the insurance market that we can leave an entity maybe only buying one-third of the insurance it should when we're talking hundreds of millions of dollars.”

Chaucer’s head of cyber Piers Tuggey affirmed that widespread coverage of the retail attacks serves as a validation of cyber insurance as a product.

“Being in the market, we don't think validation and utility of the product is necessary, but I think it's a good opportunity to try and challenge any perceptions that remain outside of the cyber insurance market around whether or not cyber insurance is a useful risk transfer tool,” he said.

“There's no doubt that cyber is a technical line. It's a good question as to why that message isn’t landing, or what it is about cyber insurance as a product that people are resistant to. It's the relevance of the core product that still perhaps requires education and socialisation.”

Tuggey suggested that underpenetration in the SME segment is partially driven by perceptions of cyber insurance as a nondiscretionary purchase, although he argued that the nature of the service-led product is the most valuable element for SMEs.

Services for pre-incident, monitoring, response and recovery are a broad differentiator between primary carriers, but not on a wholesale basis, he said. Coverage is currently “pretty broad”, with the recent attacks unlikely to have much impact on these dynamics.

“Will there be a constituency of large corporate companies operating in the retail space in the UK that might now be looking at the amount of insurance cover that they buy?” Tuggey mused.

“In light of seeing rather unfortunate experiences of one of their peers and questioning their thinking, it may well be that leads to no change, and there may be some instances where there's a wholesale review of how they think about the amount of insurance that they buy.”

Tuggey continued that there is currently no observed reduction in claims frequency or severity, at the same time that pricing is coming off as increasing demand does not outstrip supply.

“It is a competitive market and we're subject to the same economic influences as any other line of business when it comes to supply and demand. But sometimes it is difficult to try and square that circle of increased (claims) frequency and severity with reducing rates,” he concluded.