Cyber Insurance Blog

Why Retail Cyber Security Must Include Cyber Insurance

“Weaving spiders, come not here,” a fairy admonishes arachnids in Shakespeare’s A Midsummer Night’s Dream. Unfortunately for retail cyber security, one 21st-century, technological “spider” hasn’t heeded the Bard’s warning.

Marks & Spencer (M&S) is a giant in Great Britain’s retail sector. It operates in more than 32 international markets and boasts a revenue of £13.8 billion (nearly $18.6 million in U.S. currency).

But this spring, M&S announced it will lose an estimated £300 million in profit (more than $404 million in U.S. dollars) after a cyber attack, allegedly carried out by hacker group Scattered Spider, caused disruption to its online services. It also resulted in the theft of consumers’ personal information.

And this incident isn’t the only recent cyber attack in the U.K. to cause alarm.

Experts suspect Scattered Spider—which perpetrated the 2023 MGM International and Caesars Entertainment cyber attacks—also hacked London-based luxury retailer Harrods. Whether the attackers breached Harrods’ systems or stole data is unclear, but Harrods did restrict access to some platforms in response.

Meanwhile, The Co-operative Group (Co-op) suffered a data breach in which Scattered Spider disrupted systems and compromised consumers’ and employees’ information. Co-op quickly responded by pulling its own systems’ plugs, limiting the attack’s effects. But the interruption still led to bare shelves and frustrated customers.

Retail cyber attacks like these in the U.K. should cause retailers everywhere to reevaluate their cyber security posture. Criminals such as Scattered Spider are spinning larger and more sophisticated webs, the strands of which stretch across boundaries and borders.

Why Retail Cyber Attacks Pose a Major Threat

Whether they operate physical stores, online stores, or both, no retail organization is immune to cyber risk.

Cyber criminals see retailers—correctly—as prime targets because of the large amounts of customer data collected during transactions, including credit card details. They use ransomware, phishing attacks, social engineering tactics, and other measures to get this information away from retailers and onto the dark web, where they can “retail” it for their own financial gain.

As the recent lapses in U.K. retailer cyber security demonstrate, such incidents can have severe consequences, including:

Operational Disruption

Cyber attacks bring the seamless flow of transactions on which retailers depend to a standstill. Unauthorized access to systems may lead to point-of-sale systems malfunctioning. Impacts can ripple across the organization, affecting everything from inventory management to customer service.

Major retailers like M&S are particularly vulnerable due to their extensive network of stores and online platforms. The recent cyber attack forced it “to resort to pen and paper to move billions of pounds of fresh food, drinks, and clothing after it switched off its automated stock systems,” Reuters reported.

Loss of Customer Trust

When attacks occur, retail businesses can lose consumer trust. Customers expect companies to protect their personal information. Losing credit card details and other sensitive customer data in a cyber incident can lead to reputational damage that takes years to repair.

In the wake of the cyber attack against Co-op, customers in remote Scottish islands where Co-op stores are the primary source of food expressed frustration to the BBC.

Construction manager Donald Gillies said, “Something has gone wrong in the IT system, and like everything else in society, it’s all computer-driven and no one can make a bloomin’ decision to send food over. Get the people fed.” Co-op will likely be working hard to restore the trust of consumers like Gillies for some time.

Financial Repercussions

Cyber attacks can carry a huge price tag. In 2024, the average cost of a data breach reached $4.88 million, per IBM—a 10% increase over 2023, and the highest total yet seen.

M&S not only lost about one-third of its annual profit but also suffered a drop in market value upward of £700 million (U.S. $930 million) after the cyber attack. As of this writing, neither Harrods nor Co-op has publicly stated how much its breach will cost.

What makes data breaches and other cyber incidents so costly?

  • Dealing with ransomware attacks can result in hefty payouts to regain access to vital systems.
  • Experiencing downtime can result in lost revenue.
  • Hiring forensic IT investigators to determine an incident’s scope and scale can be expensive.
  • Repairing damaged systems, recovering lost data, and updating cyber security measures all cost money and time.
  • Reestablishing consumer trust through mandated notifications, PR efforts, and such measures as providing credit monitoring all add to an incident’s final price.

The Difference Cyber Insurance for Retail Can Make

Strong retailer cyber security involves doing several things to mitigate and manage risk. Proactive measures include complying with regulations and standards such as GDPR and PCI DSS, as well as implementing network segmentation. Using a multilayered defense system is key, as is continuous, real-time monitoring for threats.

Carrying robust Cyber Liability Insurance is also essential.

Retail Cyber Insurance protects businesses from the expenses and financial losses associated with a cyber attack—protection that general liability policies don’t offer.

A strong Cyber policy can cover the costs of:

  • Ransomware payments
  • Business interruption
  • Data recovery and system restoration
  • Notification and credit monitoring for affected customers
  • Legal fees, regulatory fines, and judgments
  • Claims related to breaches caused by third-party vendors
  • Security assessments and regular training sessions in cyber security for employees

M&S understood the importance of Cyber Insurance and was carrying a policy when Scattered Spider struck, according to Insurance Insider. Reportedly, however, neither Harrods nor Co-op was. They could end up responsible for whatever losses they incur.

Simply telling cyber criminals to “come not here” won’t cut it. The retail sector will continue to receive unwanted attention from hackers. Your clients in the retail industry need Cyber Insurance so they can keep operating effectively and securely in the face of cyber threats.

To help your clients in the retail sector better appreciate their need for Cyber Insurance, show them our Cyber U video, “Why Retailers Need Cyber.”

Then, register for access to ProWriters’ powerful, proprietary Digital IQ Comparative Rate Platform.

Digital IQ makes researching, quoting, and selling Cyber Insurance, as well as other specialized management liability lines (D&O, E&O, and EPL Insurance), faster and easier than it’s ever been.

With Digital IQ, you can build your book of business more efficiently and effectively, serving all your clients, in any sector, with precisely the policies they need and deserve.
